feature/rbac permisos y roles implementados

api/rbac/admin.py

@@ -0,0 +1,99 @@
+from django.contrib import admin
+
+from .models import OrganizationRole, RolePermission, UserPermission, UserRole
+
+
+@admin.register(RolePermission)
+class RolePermissionAdmin(admin.ModelAdmin):
+    list_display = ('codename', 'modulo', 'descripcion')
+    list_filter = ('modulo',)
+    search_fields = ('codename', 'descripcion')
+    ordering = ('modulo', 'codename')
+
+    def get_readonly_fields(self, request, obj=None):
+        # Al editar un permiso existente los campos son readonly para evitar inconsistencias
+        if obj:
+            return ('codename', 'modulo', 'descripcion')
+        return ()
+
+    def has_add_permission(self, request):
+        return request.user.is_superuser
+
+    def has_change_permission(self, request, obj=None):
+        return request.user.is_superuser
+
+    def has_delete_permission(self, request, obj=None):
+        return request.user.is_superuser
+
+
+class UserRoleInline(admin.TabularInline):
+    model = UserRole
+    extra = 0
+    autocomplete_fields = ('user',)
+    readonly_fields = ('created_at',)
+
+
+@admin.register(OrganizationRole)
+class OrganizationRoleAdmin(admin.ModelAdmin):
+    list_display = ('nombre', 'organizacion', 'is_admin_role', 'permisos_count', 'usuarios_count')
+    list_filter = ('organizacion', 'is_admin_role')
+    search_fields = ('nombre', 'organizacion__nombre')
+    filter_horizontal = ('permissions',)
+    inlines = (UserRoleInline,)
+    readonly_fields = ('created_at', 'updated_at')
+
+    def permisos_count(self, obj):
+        return obj.permissions.count()
+    permisos_count.short_description = 'Permisos'
+
+    def usuarios_count(self, obj):
+        return obj.user_roles.count()
+    usuarios_count.short_description = 'Usuarios'
+
+    def has_add_permission(self, request):
+        return request.user.is_superuser
+
+    def has_delete_permission(self, request, obj=None):
+        if obj and obj.is_admin_role:
+            return False
+        return request.user.is_superuser
+
+
+@admin.register(UserRole)
+class UserRoleAdmin(admin.ModelAdmin):
+    list_display = ('user', 'role', 'organizacion', 'created_at')
+    list_filter = ('role__organizacion', 'role__nombre')
+    search_fields = ('user__username', 'user__email', 'role__nombre')
+    autocomplete_fields = ('user',)
+    readonly_fields = ('created_at',)
+
+    def organizacion(self, obj):
+        return obj.role.organizacion
+    organizacion.short_description = 'Organización'
+
+    def save_model(self, request, obj, form, change):
+        # Bloquear remoción del rol admin_role al owner de la org
+        if change and obj.role.is_admin_role:
+            org = obj.role.organizacion
+            if hasattr(org, 'owner') and org.owner == obj.user:
+                from django.contrib import messages
+                self.message_user(
+                    request,
+                    'No se puede remover el rol de administrador maestro al owner de la organización.',
+                    level=messages.ERROR,
+                )
+                return
+        super().save_model(request, obj, form, change)
+
+
+@admin.register(UserPermission)
+class UserPermissionAdmin(admin.ModelAdmin):
+    list_display = ('user', 'permission', 'granted', 'organizacion', 'created_at')
+    list_filter = ('granted', 'permission__modulo')
+    search_fields = ('user__username', 'user__email', 'permission__codename')
+    autocomplete_fields = ('user',)
+    readonly_fields = ('created_at',)
+
+    def organizacion(self, obj):
+        return getattr(obj.user, 'organizacion', '—')
+    organizacion.short_description = 'Organización'