feat: refactored billing plan endpoints to include restrictions to authorized users (super-admin, billing and org_owner)

api/utils/dependencies.py

@@ -6,8 +6,12 @@
 from datetime import datetime, timedelta
 from api.v1.models.user import User
 from api.v1.schemas.token import TokenData
+from api.v1.schemas.user import ProfileData
 from api.db.database import get_db
 from .config import SECRET_KEY, ALGORITHM
+from api.v1.services.user import user_service
+from api.v1.services.profile import profile_service
+from api.v1.services.organisation import organisation_service
 
 import logging
 
@@ -56,3 +60,31 @@ def get_super_admin(db: Session = Depends(get_db), token: str = Depends(oauth2_s
         )
     logger.debug("User is super admin")
     return user
+
+
+def get_authorized_user(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(user_service.get_current_user),
+) -> User:
+    """
+    Dependency to get the current user and check if they are a super admin,
+    in the billing department, or an owner.
+    """
+    if current_user.is_superadmin:
+        return current_user
+
+    profile = profile_service.fetch_by_user_id(db, current_user.id)
+    current_user_profile = ProfileData.model_validate(profile, from_attributes=True)
+    if current_user_profile.department == "billing":
+        return current_user
+
+
+    organisation = organisation_service.retrieve_user_organizations(current_user, db)
+    # Check if the user is an owner
+    if "owner" in organisation[0].user_role:
+        return current_user
+
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="You do not have the necessary permissions to access this resource."
+    )

api/v1/routes/billing_plan.py

@@ -13,6 +13,7 @@
 from api.v1.schemas.plans import (
     CreateBillingPlanSchema, CreateBillingPlanResponse, GetBillingPlanListResponse
 )
+from api.utils.dependencies import get_authorized_user
 
 
 bill_plan = APIRouter(prefix="/organisations", tags=["Billing-Plan"])
@@ -40,7 +41,7 @@ async def retrieve_all_billing_plans(
 @bill_plan.post("/billing-plans", response_model=CreateBillingPlanResponse)
 async def create_new_billing_plan(
     request: CreateBillingPlanSchema,
-    _: User = Depends(user_service.get_current_super_admin),
+    _: User = Depends(get_authorized_user),
     db: Session = Depends(get_db),
 ):
     """
@@ -60,7 +61,8 @@ async def create_new_billing_plan(
 async def update_a_billing_plan(
     billing_plan_id: str,
     request: CreateBillingPlanSchema,
-    _: User = Depends(user_service.get_current_super_admin),
+    _: User = Depends(get_authorized_user),
+    # _: User = Depends(user_service.get_current_super_admin),
     db: Session = Depends(get_db),
 ):
     """
@@ -79,7 +81,7 @@ async def update_a_billing_plan(
 @bill_plan.delete("/billing-plans/{billing_plan_id}", response_model=success_response)
 async def delete_a_billing_plan(
     billing_plan_id: str,
-    _: User = Depends(user_service.get_current_super_admin),
+    _: User = Depends(get_authorized_user),
     db: Session = Depends(get_db),
 ):
     """