✨(entitlements) add Entitlements backend with Deploy Center support (#31)

This checks if the user has access to the app and can create calendars.
2026-03-06 02:47:03 +01:00
parent 5e0506d64b
commit cd2b15b3b5
26 changed files with 1312 additions and 120 deletions
--- a/src/backend/core/signals.py
+++ b/src/backend/core/signals.py
@@ -9,6 +9,7 @@ from django.contrib.auth import get_user_model
 from django.db.models.signals import post_save
 from django.dispatch import receiver

+from core.entitlements import EntitlementsUnavailableError, get_user_entitlements
 from core.services.caldav_service import CalendarService

 logger = logging.getLogger(__name__)
@@ -27,6 +28,23 @@ def provision_default_calendar(sender, instance, created, **kwargs):  # pylint:
    if not settings.CALDAV_URL:
        return

+    # Check entitlements before creating calendar — fail-closed:
+    # never create a calendar if we can't confirm access.
+    try:
+        entitlements = get_user_entitlements(instance.sub, instance.email)
+        if not entitlements.get("can_access", True):
+            logger.info(
+                "Skipped calendar creation for %s (not entitled)",
+                instance.email,
+            )
+            return
+    except EntitlementsUnavailableError:
+        logger.warning(
+            "Entitlements unavailable for %s, skipping calendar creation",
+            instance.email,
+        )
+        return
+
    try:
        service = CalendarService()
        service.create_default_calendar(instance)