refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints - Centralize role-based access control per memory: RBAC null-role bug required server-side gating - Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints - Removes client-side role checks as per memory: server-side UI gating is mandatory
2026-04-15 12:51:05 -04:00
parent 0952a0b71e
commit 0ee23b8700
12 changed files with 46 additions and 26 deletions
--- a/decnet/web/router/logs/api_get_logs.py
+++ b/decnet/web/router/logs/api_get_logs.py
@@ -2,7 +2,7 @@ from typing import Any, Optional

 from fastapi import APIRouter, Depends, Query

-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 from decnet.web.db.models import LogsResponse

 router = APIRouter()
@@ -16,7 +16,7 @@ async def get_logs(
    search: Optional[str] = Query(None, max_length=512),
    start_time: Optional[str] = Query(None),
    end_time: Optional[str] = Query(None),
-    current_user: str = Depends(get_current_user)
+    user: dict = Depends(require_viewer)
 ) -> dict[str, Any]:
    def _norm(v: Optional[str]) -> Optional[str]:
        if v in (None, "null", "NULL", "undefined", ""):