mkt.ose.tw/backend/app/domain/permissions.py

from __future__ import annotations
from app.domain.auth import PermissionContext
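def build_permission_context(
    role_name: str | None,
    domain_permissions: list[str],
) -> PermissionContext:
    """Translate Directus role/group permissions into product capabilities.

    We keep the first version intentionally explicit instead of clever:
    reviewers can see exactly which strings unlock which capabilities.

    Args:
        role_name: Role name of the caller; ``None`` or blank means no role.
            Compared case-insensitively after trimming whitespace.
        domain_permissions: Permission strings granted to the caller. Entries
            are trimmed and lower-cased before matching. ``None``, non-string
            entries and blank entries are ignored, so malformed input can only
            reduce the granted capabilities, never extend them.

    Returns:
        A ``PermissionContext`` with one boolean per capability and the
        normalized permission strings, sorted, in ``raw_permissions``.
    """
    normalized: set[str] = set()
    for permission in domain_permissions or ():
        # Fail closed: an entry that is not a string cannot name a permission,
        # and skipping it avoids an AttributeError on attacker-shaped input.
        if not isinstance(permission, str):
            continue
        cleaned = permission.strip().lower()
        # Filter after stripping so whitespace-only entries do not end up as
        # an empty string in raw_permissions.
        if cleaned:
            normalized.add(cleaned)

    role_normalized = (role_name or "").strip().lower()
    # NOTE(review): admin status is decided purely by the role's name, and an
    # admin passes every capability check below. If role names can be created
    # or renamed by anyone who is not already a full administrator in the
    # identity source, that is a privilege-escalation path. Confirm, and
    # consider keying on a stable role identifier or an explicit admin flag.
    is_admin = role_normalized in {"administrator", "admin"}

    def has_any(*values: str) -> bool:
        """Return True for admins or when any of *values* was granted."""
        return is_admin or any(value in normalized for value in values)

    return PermissionContext(
        is_admin=is_admin,
        can_manage_sites=has_any("sites.manage", "sites.write"),
        can_manage_experiments=has_any("experiments.manage", "experiments.write"),
        can_manage_variants=has_any("variants.manage", "variants.write"),
        can_manage_releases=has_any("releases.manage", "releases.write"),
        can_manage_goals=has_any("goals.manage", "goals.write"),
        can_manage_sdk_configs=has_any("sdk_configs.manage", "sdk_configs.write"),
        can_use_editor=has_any("editor.manage", "editor.use"),
        can_read_runtime=has_any("runtime.read", "runtime.manage"),
        # Sorted so the output is deterministic for logs, tests and diffs.
        raw_permissions=sorted(normalized),
    )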