feat(payouts): Add user roles for payouts (#4167)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-10-30 09:38:33 +08:00 · 2024-03-22 16:21:18 +05:30
parent 5afd2c2a67
commit 13fe58450b
9 changed files with 119 additions and 68 deletions
--- a/crates/api_models/src/user_role.rs
+++ b/crates/api_models/src/user_role.rs
@ -32,6 +32,8 @@ pub enum Permission {
    UsersWrite,
    MerchantAccountCreate,
    WebhookEventRead,
+    PayoutWrite,
+    PayoutRead,
 }

 #[derive(Debug, serde::Serialize)]
@ -48,6 +50,7 @@ pub enum PermissionModule {
    ThreeDsDecisionManager,
    SurchargeDecisionManager,
    AccountCreate,
+    Payouts,
 }

 #[derive(Debug, serde::Serialize)]
--- a/crates/router/src/routes/payouts.rs
+++ b/crates/router/src/routes/payouts.rs
@ -9,7 +9,7 @@ use super::app::AppState;
 use crate::types::api::payments as payment_types;
 use crate::{
    core::{api_locking, payouts::*},
-    services::{api, authentication as auth},
+    services::{api, authentication as auth, authorization::permissions::Permission},
    types::api::payouts as payout_types,
 };

@ -77,7 +77,11 @@ pub async fn payouts_retrieve(
        &req,
        payout_retrieve_request,
        |state, auth, req| payouts_retrieve_core(state, auth.merchant_account, auth.key_store, req),
+        auth::auth_type(
            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::PayoutRead),
+            req.headers(),
+        ),
        api_locking::LockAction::NotApplicable,
    ))
    .await
@ -225,7 +229,11 @@ pub async fn payouts_list(
        &req,
        payload,
        |state, auth, req| payouts_list_core(state, auth.merchant_account, req),
+        auth::auth_type(
            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::PayoutRead),
+            req.headers(),
+        ),
        api_locking::LockAction::NotApplicable,
    ))
    .await
@ -259,7 +267,11 @@ pub async fn payouts_list_by_filter(
        &req,
        payload,
        |state, auth, req| payouts_filtered_list_core(state, auth.merchant_account, req),
+        auth::auth_type(
            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::PayoutRead),
+            req.headers(),
+        ),
        api_locking::LockAction::NotApplicable,
    ))
    .await
@ -293,7 +305,11 @@ pub async fn payouts_list_available_filters(
        &req,
        payload,
        |state, auth, req| payouts_list_available_filters_core(state, auth.merchant_account, req),
+        auth::auth_type(
            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::PayoutRead),
+            req.headers(),
+        ),
        api_locking::LockAction::NotApplicable,
    ))
    .await
--- a/crates/router/src/services/authorization/info.rs
+++ b/crates/router/src/services/authorization/info.rs
@ -41,6 +41,7 @@ pub enum PermissionModule {
    ThreeDsDecisionManager,
    SurchargeDecisionManager,
    AccountCreate,
+    Payouts,
 }

 impl PermissionModule {
@ -57,7 +58,8 @@ impl PermissionModule {
            Self::Disputes => "Everything related to disputes - like creating and viewing dispute related information are within this module",
            Self::ThreeDsDecisionManager => "View and configure 3DS decision rules configured for a merchant",
            Self::SurchargeDecisionManager =>"View and configure surcharge decision rules configured for a merchant",
-            Self::AccountCreate => "Create new account within your organization"
+            Self::AccountCreate => "Create new account within your organization",
+            Self::Payouts => "Everything related to payouts - like creating and viewing payout related information are within this module"
        }
    }
 }
@ -168,6 +170,14 @@ impl ModuleInfo {
                    Permission::MerchantAccountCreate,
                ]),
            },
+            PermissionModule::Payouts => Self {
+                module: module_name,
+                description,
+                permissions: get_permission_info_from_permissions(&[
+                    Permission::PayoutRead,
+                    Permission::PayoutWrite,
+                ]),
+            },
        }
    }
 }
@ -184,10 +194,10 @@ fn get_group_info_from_permission_group(group: PermissionGroup) -> GroupInfo {
 fn get_group_description(group: PermissionGroup) -> &'static str {
    match group {
        PermissionGroup::OperationsView => {
-            "View Payments, Refunds, Mandates, Disputes and Customers"
+            "View Payments, Refunds, Payouts, Mandates, Disputes and Customers"
        }
        PermissionGroup::OperationsManage => {
-            "Create, modify and delete Payments, Refunds, Mandates, Disputes and Customers"
+            "Create, modify and delete Payments, Refunds, Payouts, Mandates, Disputes and Customers"
        }
        PermissionGroup::ConnectorsView => {
            "View connected Payment Processors, Payout Processors and Fraud & Risk Manager details"
--- a/crates/router/src/services/authorization/permission_groups.rs
+++ b/crates/router/src/services/authorization/permission_groups.rs
@ -19,22 +19,24 @@ pub fn get_permissions_vec(permission_group: &PermissionGroup) -> &[Permission]
    }
 }

-pub static OPERATIONS_VIEW: [Permission; 6] = [
+pub static OPERATIONS_VIEW: [Permission; 7] = [
    Permission::PaymentRead,
    Permission::RefundRead,
    Permission::MandateRead,
    Permission::DisputeRead,
    Permission::CustomerRead,
    Permission::MerchantAccountRead,
+    Permission::PayoutRead,
 ];

-pub static OPERATIONS_MANAGE: [Permission; 6] = [
+pub static OPERATIONS_MANAGE: [Permission; 7] = [
    Permission::PaymentWrite,
    Permission::RefundWrite,
    Permission::MandateWrite,
    Permission::DisputeWrite,
    Permission::CustomerWrite,
    Permission::MerchantAccountRead,
+    Permission::PayoutWrite,
 ];

 pub static CONNECTORS_VIEW: [Permission; 2] = [
--- a/crates/router/src/services/authorization/permissions.rs
+++ b/crates/router/src/services/authorization/permissions.rs
@ -31,6 +31,8 @@ pub enum Permission {
    UsersWrite,
    MerchantAccountCreate,
    WebhookEventRead,
+    PayoutRead,
+    PayoutWrite,
 }

 impl Permission {
@ -69,6 +71,8 @@ impl Permission {
            Self::UsersWrite => "Invite users, assign and update roles",
            Self::MerchantAccountCreate => "Create merchant account",
            Self::WebhookEventRead => "View webhook events",
+            Self::PayoutRead => "View all payouts",
+            Self::PayoutWrite => "Create payout, download payout data",
        }
    }
 }
--- a/crates/router/src/services/authorization/predefined_permissions.rs
+++ b/crates/router/src/services/authorization/predefined_permissions.rs
@ -64,6 +64,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::UsersRead,
                Permission::UsersWrite,
                Permission::MerchantAccountCreate,
+                Permission::PayoutRead,
+                Permission::PayoutWrite,
            ],
            name: None,
            is_invitable: false,
@ -88,6 +90,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::MandateRead,
                Permission::CustomerRead,
                Permission::UsersRead,
+                Permission::PayoutRead,
            ],
            name: None,
            is_invitable: false,
@ -126,6 +129,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::UsersRead,
                Permission::UsersWrite,
                Permission::MerchantAccountCreate,
+                Permission::PayoutRead,
+                Permission::PayoutWrite,
            ],
            name: Some("Organization Admin"),
            is_invitable: false,
@ -164,6 +169,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::Analytics,
                Permission::UsersRead,
                Permission::UsersWrite,
+                Permission::PayoutRead,
+                Permission::PayoutWrite,
            ],
            name: Some("Admin"),
            is_invitable: true,
@ -188,6 +195,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::CustomerRead,
                Permission::Analytics,
                Permission::UsersRead,
+                Permission::PayoutRead,
            ],
            name: Some("View Only"),
            is_invitable: true,
@ -213,6 +221,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::Analytics,
                Permission::UsersRead,
                Permission::UsersWrite,
+                Permission::PayoutRead,
            ],
            name: Some("IAM"),
            is_invitable: true,
@ -238,6 +247,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::CustomerRead,
                Permission::Analytics,
                Permission::UsersRead,
+                Permission::PayoutRead,
            ],
            name: Some("Developer"),
            is_invitable: true,
@ -268,6 +278,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::CustomerRead,
                Permission::Analytics,
                Permission::UsersRead,
+                Permission::PayoutRead,
+                Permission::PayoutWrite,
            ],
            name: Some("Operator"),
            is_invitable: true,
@ -289,6 +301,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy<HashMap<&'static str, RoleInfo>> = Lazy:
                Permission::MandateRead,
                Permission::CustomerRead,
                Permission::Analytics,
+                Permission::PayoutRead,
            ],
            name: Some("Customer Support"),
            is_invitable: true,
--- a/crates/router/src/types/domain/user.rs
+++ b/crates/router/src/types/domain/user.rs
@ -808,6 +808,7 @@ impl From<info::PermissionModule> for user_role_api::PermissionModule {
            info::PermissionModule::ThreeDsDecisionManager => Self::ThreeDsDecisionManager,
            info::PermissionModule::SurchargeDecisionManager => Self::SurchargeDecisionManager,
            info::PermissionModule::AccountCreate => Self::AccountCreate,
+            info::PermissionModule::Payouts => Self::Payouts,
        }
    }
 }
--- a/crates/router/src/utils/user_role.rs
+++ b/crates/router/src/utils/user_role.rs
@ -44,6 +44,8 @@ impl From<Permission> for user_role_api::Permission {
            Permission::UsersWrite => Self::UsersWrite,
            Permission::MerchantAccountCreate => Self::MerchantAccountCreate,
            Permission::WebhookEventRead => Self::WebhookEventRead,
+            Permission::PayoutRead => Self::PayoutRead,
+            Permission::PayoutWrite => Self::PayoutWrite,
        }
    }
 }
--- a/openapi/openapi_spec.json
+++ b/openapi/openapi_spec.json
@ -3866,64 +3866,6 @@
        ]
      }
    },
-    "/payouts/list": {
-      "get": {
-        "tags": [
-          "Payouts"
-        ],
-        "summary": "Payouts - List",
-        "description": "Payouts - List",
-        "operationId": "List payouts",
-        "responses": {
-          "200": {
-            "description": "Payouts listed",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/PayoutListResponse"
-                }
-              }
-            }
-          },
-          "404": {
-            "description": "Payout not found"
-          }
-        },
-        "security": [
-          {
-            "api_key": []
-          }
-        ]
-      },
-      "post": {
-        "tags": [
-          "Payouts"
-        ],
-        "summary": "Payouts - Filter",
-        "description": "Payouts - Filter",
-        "operationId": "Filter payouts",
-        "responses": {
-          "200": {
-            "description": "Payouts filtered",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/PayoutListResponse"
-                }
-              }
-            }
-          },
-          "404": {
-            "description": "Payout not found"
-          }
-        },
-        "security": [
-          {
-            "api_key": []
-          }
-        ]
-      }
-    },
    "/payouts/{payout_id}": {
      "get": {
        "tags": [
@ -4116,6 +4058,64 @@
        ]
      }
    },
+    "/payouts/list": {
+      "get": {
+        "tags": [
+          "Payouts"
+        ],
+        "summary": "Payouts - List",
+        "description": "Payouts - List",
+        "operationId": "List payouts",
+        "responses": {
+          "200": {
+            "description": "Payouts listed",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PayoutListResponse"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Payout not found"
+          }
+        },
+        "security": [
+          {
+            "api_key": []
+          }
+        ]
+      },
+      "post": {
+        "tags": [
+          "Payouts"
+        ],
+        "summary": "Payouts - Filter",
+        "description": "Payouts - Filter",
+        "operationId": "Filter payouts",
+        "responses": {
+          "200": {
+            "description": "Payouts filtered",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PayoutListResponse"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Payout not found"
+          }
+        },
+        "security": [
+          {
+            "api_key": []
+          }
+        ]
+      }
+    },
    "/api_keys/{merchant_id)": {
      "post": {
        "tags": [