feat(authz): integrate SpiceDB permission checks into resolvers

ImTotem · claude · ImTotem · commit 90c8a79cf26d · 2026-03-30T16:41:08.000+09:00
- New authz/check.py: require_admin, require_fee_edit, require_member_view
- GqlContext: add authz client (nullable, skipped if SpiceDB unavailable)
- Permission enforcement:
  - createPeriod, updatePeriod, createForm, updateForm, setSetting → admin
  - applications list, application detail, confirmPayment, approve → fee_edit
  - submit, myApplications, cancel → authenticated user only
- Approval adds organization relation in SpiceDB (beginner/regular)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/bcsd_api/apply/resolvers.py b/src/bcsd_api/apply/resolvers.py
@@ -1,8 +1,8 @@
 import strawberry
 from strawberry.types import Info
 
+from bcsd_api.authz.check import require_fee_edit
 from bcsd_api.graphql.context import GqlContext, require_user
-from bcsd_api.graphql.convert import from_model
 
 from . import service
 from .schema import AnswerRequest
@@ -30,7 +30,8 @@ def resolve_submit(info: Info[GqlContext, None], input: SubmitInput) -> Applicat
 def resolve_applications(
     info: Info[GqlContext, None], form_id: str,
 ) -> list[ApplicationType]:
-    require_user(info.context)
+    user = require_user(info.context)
+    require_fee_edit(info.context.authz, user["sub"])
     ctx = info.context
     apps = service.list_applications(ctx.app_repo, ctx.ans_repo, form_id)
     return [_to_app_type(a) for a in apps]
@@ -39,7 +40,8 @@ def resolve_applications(
 def resolve_application(
     info: Info[GqlContext, None], id: strawberry.ID,
 ) -> ApplicationType:
-    require_user(info.context)
+    user = require_user(info.context)
+    require_fee_edit(info.context.authz, user["sub"])
     ctx = info.context
     app = service.get_application(ctx.app_repo, ctx.ans_repo, id)
     return _to_app_type(app)
@@ -56,6 +58,7 @@ def resolve_confirm_payment(
     info: Info[GqlContext, None], id: strawberry.ID,
 ) -> ApplicationType:
     user = require_user(info.context)
+    require_fee_edit(info.context.authz, user["sub"])
     app = service.confirm_payment(info.context.app_repo, id, user["sub"])
     return _to_app_type(app)
 
@@ -64,10 +67,11 @@ def resolve_approve(
     info: Info[GqlContext, None], ids: list[strawberry.ID],
 ) -> list[ApplicationType]:
     user = require_user(info.context)
+    require_fee_edit(info.context.authz, user["sub"])
     ctx = info.context
     apps = service.approve(
         ctx.app_repo, ctx.member_repo, ctx.form_repo,
-        ids, user["sub"],
+        ids, user["sub"], ctx.authz,
     )
     return [_to_app_type(a) for a in apps]
 
diff --git a/src/bcsd_api/apply/service.py b/src/bcsd_api/apply/service.py
@@ -127,6 +127,7 @@ def approve(
     form_repo: PgFormRepository,
     app_ids: Sequence[str],
     admin_id: str,
+    authz=None,
 ) -> list[ApplicationResponse]:
     now = _now()
     result = []
@@ -141,11 +142,24 @@ def approve(
             "approved_by": admin_id, "updated_at": now,
         })
         member_repo.update_status(row["member_id"], new_status)
+        _add_org_relation(authz, row["member_id"], new_status)
         row.update({"status": "승인", "approved_at": now, "approved_by": admin_id})
         result.append(ApplicationResponse(**row))
     return result
 
 
+_STATUS_RELATION = {"Beginner": "beginner", "Regular": "regular"}
+
+
+def _add_org_relation(authz, member_id: str, status: str) -> None:
+    if not authz:
+        return
+    relation = _STATUS_RELATION.get(status)
+    if not relation:
+        return
+    authz.add_relation("organization", "bcsdlab", relation, member_id)
+
+
 def cancel(
     app_repo: PgApplicationRepository, app_id: str, member_id: str,
 ) -> None:
diff --git a/src/bcsd_api/authz/check.py b/src/bcsd_api/authz/check.py
@@ -0,0 +1,23 @@
+from bcsd_api.exception import Forbidden
+
+ORG_ID = "bcsdlab"
+
+
+def require_permission(authz, permission: str, user_id: str) -> None:
+    if not authz:
+        return
+    if authz.check("organization", ORG_ID, permission, user_id):
+        return
+    raise Forbidden(f"{permission} permission required")
+
+
+def require_admin(authz, user_id: str) -> None:
+    require_permission(authz, "admin", user_id)
+
+
+def require_fee_edit(authz, user_id: str) -> None:
+    require_permission(authz, "fee_edit", user_id)
+
+
+def require_member_view(authz, user_id: str) -> None:
+    require_permission(authz, "member_view", user_id)
diff --git a/src/bcsd_api/form/resolvers.py b/src/bcsd_api/form/resolvers.py
@@ -1,6 +1,7 @@
 import strawberry
 from strawberry.types import Info
 
+from bcsd_api.authz.check import require_admin
 from bcsd_api.graphql.context import GqlContext, require_user
 from bcsd_api.graphql.convert import from_model
 
@@ -46,6 +47,7 @@ def resolve_create_form(
     info: Info[GqlContext, None], input: CreateFormInput,
 ) -> FormType:
     user = require_user(info.context)
+    require_admin(info.context.authz, user["sub"])
     ctx = info.context
     req = CreateFormRequest(
         title=input.title, description=input.description,
@@ -59,7 +61,8 @@ def resolve_create_form(
 def resolve_update_form(
     info: Info[GqlContext, None], id: strawberry.ID, input: UpdateFormInput,
 ) -> FormType:
-    require_user(info.context)
+    user = require_user(info.context)
+    require_admin(info.context.authz, user["sub"])
     ctx = info.context
     questions = None
     if input.questions is not None:
diff --git a/src/bcsd_api/graphql/context.py b/src/bcsd_api/graphql/context.py
@@ -1,12 +1,16 @@
+import logging
+
 from fastapi import Depends, Request
 from sqlalchemy import Connection
 from strawberry.fastapi import BaseContext
 
 from bcsd_api.auth import token as jwt_token
+from bcsd_api.authz.client import AuthzClient
 from bcsd_api.config import Settings
 from bcsd_api.dependencies import (
     get_ans_repo,
     get_app_repo,
+    get_authz,
     get_conn,
     get_form_repo,
     get_link_repo,
@@ -24,12 +28,14 @@
 from bcsd_api.setting.pg_repository import PgSettingRepository
 from bcsd_api.shorten.pg_repository import PgLinkRepository
 
+logger = logging.getLogger(__name__)
+
 
 class GqlContext(BaseContext):
     def __init__(
         self, conn, member_repo, link_repo,
         setting_repo, recruit_repo, form_repo, question_repo,
-        app_repo, ans_repo, user,
+        app_repo, ans_repo, authz, user,
     ):
         self.conn = conn
         self.member_repo = member_repo
@@ -40,6 +46,7 @@ def __init__(
         self.question_repo = question_repo
         self.app_repo = app_repo
         self.ans_repo = ans_repo
+        self.authz = authz
         self.user = user
 
 
@@ -50,6 +57,14 @@ def _try_auth(request: Request, settings: Settings) -> dict | None:
     return jwt_token.decode_or_none(raw, settings.jwt_secret, settings.jwt_algorithm)
 
 
+def _try_authz(settings: Settings) -> AuthzClient | None:
+    try:
+        return get_authz(settings)
+    except Exception:
+        logger.warning("SpiceDB unavailable, skipping authz")
+        return None
+
+
 def require_user(ctx: GqlContext) -> dict:
     if not ctx.user:
         raise Unauthorized("authentication required")
@@ -70,6 +85,7 @@ async def context_getter(
     ans_repo: PgAnswerRepository = Depends(get_ans_repo),
 ) -> GqlContext:
     user = _try_auth(request, settings)
+    authz = _try_authz(settings)
     return GqlContext(
         conn=conn,
         member_repo=member_repo,
@@ -80,5 +96,6 @@ async def context_getter(
         question_repo=question_repo,
         app_repo=app_repo,
         ans_repo=ans_repo,
+        authz=authz,
         user=user,
     )
diff --git a/src/bcsd_api/recruit/resolvers.py b/src/bcsd_api/recruit/resolvers.py
@@ -1,6 +1,7 @@
 import strawberry
 from strawberry.types import Info
 
+from bcsd_api.authz.check import require_admin
 from bcsd_api.graphql.context import GqlContext, require_user
 from bcsd_api.graphql.convert import from_model
 
@@ -35,6 +36,7 @@ def resolve_create_period(
     info: Info[GqlContext, None], input: CreatePeriodInput,
 ) -> PeriodType:
     user = require_user(info.context)
+    require_admin(info.context.authz, user["sub"])
     req = CreatePeriodRequest(
         title=input.title, type=input.type,
         start_date=input.start_date, end_date=input.end_date,
@@ -46,7 +48,8 @@ def resolve_create_period(
 def resolve_update_period(
     info: Info[GqlContext, None], id: strawberry.ID, input: UpdatePeriodInput,
 ) -> PeriodType:
-    require_user(info.context)
+    user = require_user(info.context)
+    require_admin(info.context.authz, user["sub"])
     req = UpdatePeriodRequest(
         title=input.title, start_date=input.start_date,
         end_date=input.end_date, is_active=input.is_active,
diff --git a/src/bcsd_api/setting/resolvers.py b/src/bcsd_api/setting/resolvers.py
@@ -1,5 +1,6 @@
 from strawberry.types import Info
 
+from bcsd_api.authz.check import require_admin
 from bcsd_api.graphql.context import GqlContext, require_user
 
 from . import service
@@ -12,5 +13,6 @@ def resolve_setting(info: Info[GqlContext, None], key: str) -> str | None:
 
 def resolve_set_setting(info: Info[GqlContext, None], key: str, value: str) -> bool:
     user = require_user(info.context)
+    require_admin(info.context.authz, user["sub"])
     service.set_setting(info.context.setting_repo, key, value, user["sub"])
     return True
