Conservazionee

2026-06-16 12:45:42 +02:00 · 2026-03-27 16:54:49 +01:00
parent e390d344ff
commit 047990811f
12 changed files with 466 additions and 118 deletions
@@ -100,6 +100,22 @@ class PermissionService:
        perm = await self._get_permission(user.id, mailbox_id)
        return perm is not None and perm.can_manage

+    async def check_can_conserve(
+        self, user: User, mailbox_id: uuid.UUID
+    ) -> bool:
+        """Verifica se l'utente puo' spostare messaggi nella cartella Conservazione.
+
+        Admin/super_admin: accesso implicito sempre.
+        Supervisor: richiede permesso esplicito can_conserve=True.
+        Operator/readonly: non autorizzati (richiedono permesso esplicito).
+        """
+        if user.role in ("super_admin", "admin"):
+            return await self._mailbox_belongs_to_tenant(mailbox_id, user.tenant_id)
+
+        # Supervisor, operator e readonly richiedono record esplicito
+        perm = await self._get_permission(user.id, mailbox_id)
+        return perm is not None and perm.can_conserve
+
    async def require_can_read(self, user: User, mailbox_id: uuid.UUID) -> None:
        """Solleva 403 se l'utente non può leggere."""
        if not await self.check_can_read(user, mailbox_id):
@@ -109,6 +125,11 @@ class PermissionService:
        if not await self.check_can_send(user, mailbox_id):
            raise PermissionDeniedError("casella (invio)")

+    async def require_can_conserve(self, user: User, mailbox_id: uuid.UUID) -> None:
+        """Solleva 403 se l'utente non puo' spostare messaggi in Conservazione."""
+        if not await self.check_can_conserve(user, mailbox_id):
+            raise PermissionDeniedError("casella (conservazione)")
+
    # ─── CRUD permessi ────────────────────────────────────────────────────────

    async def grant_permission(
@@ -145,6 +166,7 @@ class PermissionService:
            existing.can_read = data.can_read
            existing.can_send = data.can_send
            existing.can_manage = data.can_manage
+            existing.can_conserve = data.can_conserve
            existing.granted_by = granted_by.id
            return existing

@@ -155,6 +177,7 @@ class PermissionService:
            can_read=data.can_read,
            can_send=data.can_send,
            can_manage=data.can_manage,
+            can_conserve=data.can_conserve,
            granted_by=granted_by.id,
        )
        self.db.add(perm)
@@ -201,6 +224,7 @@ class PermissionService:
                "can_read": perm.can_read,
                "can_send": perm.can_send,
                "can_manage": perm.can_manage,
+                "can_conserve": perm.can_conserve,
                "granted_at": perm.granted_at,
            }
            for perm, user in rows
@@ -228,6 +252,7 @@ class PermissionService:
                "can_read": perm.can_read,
                "can_send": perm.can_send,
                "can_manage": perm.can_manage,
+                "can_conserve": perm.can_conserve,
            }
            for perm, mailbox in rows
        ]