feat: Implement Role-Based Access Control (RBAC) for search space resources.

-Introduce granular permissions for documents, chats, podcasts, and logs. - Update routes to enforce permission checks for creating, reading, updating, and deleting resources. - Refactor user and search space interactions to align with RBAC model, removing ownership checks in favor of permission validation.
2026-04-27 17:56:25 +02:00 · 2025-11-27 22:45:04 -08:00 · 2025-11-27 22:45:04 -08:00 · e9d32c3516
commit e9d32c3516
parent 1ed0cb3dfe
38 changed files with 5916 additions and 657 deletions
--- a/surfsense_backend/app/schemas/init.py
+++ b/surfsense_backend/app/schemas/init.py
@ -27,6 +27,23 @@ from .podcasts import (
    PodcastRead,
    PodcastUpdate,
 )
+from .rbac_schemas import (
+    InviteAcceptRequest,
+    InviteAcceptResponse,
+    InviteCreate,
+    InviteInfoResponse,
+    InviteRead,
+    InviteUpdate,
+    MembershipRead,
+    MembershipReadWithUser,
+    MembershipUpdate,
+    PermissionInfo,
+    PermissionsListResponse,
+    RoleCreate,
+    RoleRead,
+    RoleUpdate,
+    UserSearchSpaceAccess,
+)
 from .search_source_connector import (
    SearchSourceConnectorBase,
    SearchSourceConnectorCreate,
@ -38,6 +55,7 @@ from .search_space import (
    SearchSpaceCreate,
    SearchSpaceRead,
    SearchSpaceUpdate,
+    SearchSpaceWithStats,
 )
 from .users import UserCreate, UserRead, UserUpdate

@ -60,6 +78,13 @@ __all__ = [
    "ExtensionDocumentContent",
    "ExtensionDocumentMetadata",
    "IDModel",
+    # RBAC schemas
+    "InviteAcceptRequest",
+    "InviteAcceptResponse",
+    "InviteCreate",
+    "InviteInfoResponse",
+    "InviteRead",
+    "InviteUpdate",
    "LLMConfigBase",
    "LLMConfigCreate",
    "LLMConfigRead",
@ -69,12 +94,20 @@ __all__ = [
    "LogFilter",
    "LogRead",
    "LogUpdate",
+    "MembershipRead",
+    "MembershipReadWithUser",
+    "MembershipUpdate",
    "PaginatedResponse",
+    "PermissionInfo",
+    "PermissionsListResponse",
    "PodcastBase",
    "PodcastCreate",
    "PodcastGenerateRequest",
    "PodcastRead",
    "PodcastUpdate",
+    "RoleCreate",
+    "RoleRead",
+    "RoleUpdate",
    "SearchSourceConnectorBase",
    "SearchSourceConnectorCreate",
    "SearchSourceConnectorRead",
@ -83,8 +116,10 @@ __all__ = [
    "SearchSpaceCreate",
    "SearchSpaceRead",
    "SearchSpaceUpdate",
+    "SearchSpaceWithStats",
    "TimestampModel",
    "UserCreate",
    "UserRead",
+    "UserSearchSpaceAccess",
    "UserUpdate",
 ]