feat(authz): Add custom role checks in authorization (#3719)

Co-authored-by: Apoorv Dixit <apoorv.dixit@juspay.in> Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-11-03 13:30:39 +08:00 · 2024-02-21 19:14:36 +05:30
parent 5952017260
commit ada6a32276
15 changed files with 669 additions and 148 deletions
--- a/crates/router/src/utils/user.rs
+++ b/crates/router/src/utils/user.rs
@ -9,7 +9,10 @@ use masking::{ExposeInterface, Secret};
 use crate::{
    core::errors::{StorageError, UserErrors, UserResult},
    routes::AppState,
-    services::authentication::{AuthToken, UserFromToken},
+    services::{
+        authentication::{AuthToken, UserFromToken},
+        authorization::roles::{self, RoleInfo},
+    },
    types::domain::{self, MerchantAccount, UserFromStorage},
 };

@ -19,7 +22,10 @@ pub mod password;
 pub mod sample_data;

 impl UserFromToken {
-    pub async fn get_merchant_account(&self, state: AppState) -> UserResult<MerchantAccount> {
+    pub async fn get_merchant_account_from_db(
+        &self,
+        state: AppState,
+    ) -> UserResult<MerchantAccount> {
        let key_store = state
            .store
            .get_merchant_key_store_by_merchant_id(
@ -56,6 +62,12 @@ impl UserFromToken {
            .change_context(UserErrors::InternalServerError)?;
        Ok(user.into())
    }
+
+    pub async fn get_role_info_from_db(&self, state: &AppState) -> UserResult<RoleInfo> {
+        roles::get_role_info_from_role_id(state, &self.role_id, &self.merchant_id, &self.org_id)
+            .await
+            .change_context(UserErrors::InternalServerError)
+    }
 }

 pub async fn generate_jwt_auth_token(
--- a/crates/router/src/utils/user_role.rs
+++ b/crates/router/src/utils/user_role.rs
@ -1,29 +1,6 @@
 use api_models::user_role as user_role_api;

-use crate::{
-    consts,
-    services::authorization::{permissions::Permission, predefined_permissions::RoleInfo},
-};
-
-pub fn is_internal_role(role_id: &str) -> bool {
-    role_id == consts::user_role::ROLE_ID_INTERNAL_ADMIN
-        || role_id == consts::user_role::ROLE_ID_INTERNAL_VIEW_ONLY_USER
-}
-
-pub fn get_role_name_and_permission_response(
-    role_info: &RoleInfo,
-) -> Option<(Vec<user_role_api::Permission>, &'static str)> {
-    role_info.get_name().map(|name| {
-        (
-            role_info
-                .get_permissions()
-                .iter()
-                .map(|&per| per.into())
-                .collect::<Vec<user_role_api::Permission>>(),
-            name,
-        )
-    })
-}
+use crate::services::authorization::permissions::Permission;

 impl From<Permission> for user_role_api::Permission {
    fn from(value: Permission) -> Self {