From c1da8a4dba5d0c993d3e15b2866bdcfa09de1752 Mon Sep 17 00:00:00 2001
From: Fringg
Date: Wed, 25 Feb 2026 04:07:09 +0300
Subject: [PATCH] fix: RBAC audit log action filter and legacy admin level
- Change audit log action filter from exact match to ILIKE substring search so admins can search by partial action names
- Return level 1000 (not 999) for legacy config-based admins in /me/permissions so frontend correctly enables role management buttons
---
 app/database/crud/rbac.py | 2 +-
 app/services/permission_service.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/database/crud/rbac.py b/app/database/crud/rbac.py
index d3a215ac..5204d535 100644
--- a/app/database/crud/rbac.py
+++ b/app/database/crud/rbac.py
@@ -467,7 +467,7 @@ class AuditLogCRUD:
 if user_id is not None:
 filters.append(AdminAuditLog.user_id == user_id)
 if action is not None:
- filters.append(AdminAuditLog.action == action)
+ filters.append(AdminAuditLog.action.ilike(f'%{action}%'))
 if resource_type is not None:
 filters.append(AdminAuditLog.resource_type == resource_type)
 if status is not None:
diff --git a/app/services/permission_service.py b/app/services/permission_service.py
index 26f1affc..13b0a34f 100644
--- a/app/services/permission_service.py
+++ b/app/services/permission_service.py
@@ -300,10 +300,11 @@ class PermissionService:
 permissions, role_names, max_level = await UserRoleCRUD.get_user_permissions(db, user_id)
 # Legacy config-based admins get full superadmin permissions
+ # Level is SUPERADMIN_LEVEL + 1 so they can manage all roles including level-999
 if user is not None and not permissions and _is_legacy_admin(user):
 permissions = ['*:*']
 role_names = ['superadmin']
- max_level = SUPERADMIN_LEVEL
+ max_level = SUPERADMIN_LEVEL + 1
 return {
 'permissions': permissions,
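Review bot: In the `AuditLogCRUD` filter builder (app/database/crud/rbac.py), the new `ilike(f'%{action}%')` puts the caller's `action` into the LIKE pattern without escaping `%` and `_`, so those characters act as wildcards: an action name containing an underscore over-matches, and a lone `%` matches every row. The value is still bound as a parameter, so this is a filter-accuracy and query-cost issue rather than injection, but an audit-log search should return exactly what the reviewer typed. I would write `filters.append(AdminAuditLog.action.icontains(action, autoescape=True))` where the installed SQLAlchemy provides `icontains`, or otherwise escape `\`, `%` and `_` by hand and pass `escape='\\'` to `ilike`. A leading-wildcard pattern generally cannot use an ordinary index, and the method starts and ends outside the hunk, so it is not visible whether `action` is length-limited or the query is bounded by a date range or page size.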
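Review bot: In `PermissionService` (app/services/permission_service.py), `max_level = SUPERADMIN_LEVEL + 1` ranks config-based legacy admins above every RBAC role, and nothing in the hunk shows that role creation or assignment caps levels at `SUPERADMIN_LEVEL`, so it is worth confirming that no role can be created at or above this value. The commit message justifies the change by frontend button state; if the server-side role-management checks derive the actor's level through another path, the UI and the enforcement will disagree, so both should read the same value. I would give it a name next to `SUPERADMIN_LEVEL`, e.g. `LEGACY_ADMIN_LEVEL = SUPERADMIN_LEVEL + 1`, and reword the comment to `# Legacy admins rank above SUPERADMIN_LEVEL so they can manage superadmin roles too` instead of hard-coding 999. The enclosing method starts and ends outside the hunk.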