api: properly compute authorization based on ccchh role

2026-05-14 16:41:16 +02:00 · 2026-05-14 16:41:16 +02:00 · bf0c085739
commit bf0c085739
parent 188002b3f3
3 changed files with 10 additions and 8 deletions
--- a/api/src/dooris_api/models.py
+++ b/api/src/dooris_api/models.py
@ -33,17 +33,18 @@ class CurrentUser(BaseModel):

    @property
    def ccchh_roles(self) -> List[str]:
-        return []
+        return getattr(self.id_token, "ccchh-roles", [])

    @property
    def may_operate_locks(self) -> bool:
-        return True
+        return "intern@" in self.ccchh_roles


 class UserStatus(BaseModel):
    is_authorized: bool
-    guaranteed_session_until: Optional[datetime]
-    username: Optional[str]
+    guaranteed_session_until: datetime
+    username: str
+    ccchh_roles: List[str]


 class LockStatus(BaseModel):