fix: RBAC audit log action filter and legacy admin level

- Change audit log action filter from exact match to ILIKE substring
  search so admins can search by partial action names
- Return level 1000 (not 999) for legacy config-based admins in
  /me/permissions so frontend correctly enables role management buttons
Fringg
2026-02-25 04:07:09 +03:00
parent af6686ccfa
commit c1da8a4dba
2 changed files with 3 additions and 2 deletions


@@ -467,7 +467,7 @@ class AuditLogCRUD:
if user_id is not None:
filters.append(AdminAuditLog.user_id == user_id)
if action is not None:
filters.append(AdminAuditLog.action == action)
filters.append(AdminAuditLog.action.ilike(f'%{action}%'))
if resource_type is not None:
filters.append(AdminAuditLog.resource_type == resource_type)
if status is not None:
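Review bot: The new filter `AdminAuditLog.action.ilike(f'%{action}%')` puts the search term into the LIKE pattern unescaped, so any `%` or `_` in the admin's input acts as a wildcard; action names often contain underscores, so a search for `user_ban` would also match `userXban`. The value is still sent as a bound parameter, so this is a matching-accuracy issue rather than injection, but an imprecise filter on an audit log can pad or blur the results a reviewer relies on. Consider `AdminAuditLog.action.icontains(action, autoescape=True)` if the project's SQLAlchemy version provides it, or escape `%`, `_` and the escape character yourself and pass `escape=` to `ilike`. The leading wildcard also means a plain index on `action` is unlikely to be used, which may matter as the audit table grows. The enclosing method starts and ends outside the hunk.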


@@ -300,10 +300,11 @@ class PermissionService:
permissions, role_names, max_level = await UserRoleCRUD.get_user_permissions(db, user_id)
# Legacy config-based admins get full superadmin permissions
# Level is SUPERADMIN_LEVEL + 1 so they can manage all roles including level-999
if user is not None and not permissions and _is_legacy_admin(user):
permissions = ['*:*']
role_names = ['superadmin']
max_level = SUPERADMIN_LEVEL
max_level = SUPERADMIN_LEVEL + 1
return {
'permissions': permissions,