-
Notifications
You must be signed in to change notification settings - Fork 1
Ft/user central rbac #185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Ft/user central rbac #185
Changes from all commits
84c3183
8ddd31c
f3ad943
739847d
99ef62b
53c98cb
e05b9b9
7538074
e7f1f72
10df565
3330273
27719f5
0ed7be3
5781254
1e6e9ac
2a290f3
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| CREATE TABLE "user_roles" ( | ||
| "id" serial PRIMARY KEY NOT NULL, | ||
| "user_id" integer NOT NULL, | ||
| "org_id" integer, | ||
| "project_id" integer, | ||
| "role_id" integer NOT NULL, | ||
| "created_by" integer, | ||
| "created_at" timestamp DEFAULT now(), | ||
| "updated_at" timestamp DEFAULT now() | ||
| ); | ||
| --> statement-breakpoint | ||
| ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint | ||
| ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_org_id_organizations_id_fk" FOREIGN KEY ("org_id") REFERENCES "public"."organizations"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint | ||
| ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_project_id_projects_id_fk" FOREIGN KEY ("project_id") REFERENCES "public"."projects"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint | ||
| ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_role_id_roles_id_fk" FOREIGN KEY ("role_id") REFERENCES "public"."roles"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint | ||
| ALTER TABLE "user_roles" ADD CONSTRAINT "user_roles_created_by_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint | ||
| CREATE UNIQUE INDEX "uq_user_role_grant" ON "user_roles" USING btree ("user_id","org_id","project_id","role_id");--> statement-breakpoint | ||
| CREATE INDEX "idx_user_roles_user" ON "user_roles" USING btree ("user_id");--> statement-breakpoint | ||
| CREATE INDEX "idx_user_roles_org" ON "user_roles" USING btree ("org_id");--> statement-breakpoint | ||
| CREATE INDEX "idx_user_roles_project" ON "user_roles" USING btree ("project_id"); | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| ALTER TABLE "project_users" DISABLE ROW LEVEL SECURITY;--> statement-breakpoint | ||
| DROP TABLE "project_users" CASCADE;--> statement-breakpoint | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Destructive RBAC drops run without a safety gate. Lines 2, 8, and 9 remove legacy authorization data with no in-migration precondition/backfill guard, so running this migration early can permanently lose role assignments. Suggested safety guard before DROP statements+DO $$
+BEGIN
+ IF EXISTS (
+ SELECT 1
+ FROM "users"
+ WHERE "role" IS NOT NULL OR "organization" IS NOT NULL
+ )
+ AND NOT EXISTS (SELECT 1 FROM "user_roles")
+ THEN
+ RAISE EXCEPTION 'Refusing to drop legacy RBAC columns: user_roles backfill not detected';
+ END IF;
+END $$;
+
ALTER TABLE "project_users" DISABLE ROW LEVEL SECURITY;--> statement-breakpoint
DROP TABLE "project_users" CASCADE;--> statement-breakpoint
...Also applies to: 8-9 🤖 Prompt for AI Agents |
||
| ALTER TABLE "users" DROP CONSTRAINT "users_role_roles_id_fk"; | ||
| --> statement-breakpoint | ||
| ALTER TABLE "users" DROP CONSTRAINT "users_organization_organizations_id_fk"; | ||
| --> statement-breakpoint | ||
| DROP INDEX "idx_role_permissions_role";--> statement-breakpoint | ||
| ALTER TABLE "users" DROP COLUMN "role";--> statement-breakpoint | ||
| ALTER TABLE "users" DROP COLUMN "organization"; | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| DROP INDEX "uq_user_role_grant";--> statement-breakpoint | ||
| CREATE UNIQUE INDEX "uq_user_role_grant" ON "user_roles" USING btree ("user_id",COALESCE("org_id", -1),COALESCE("project_id", -1),"role_id"); |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| ALTER TABLE "auth_session" ADD COLUMN "active_org_id" integer;--> statement-breakpoint | ||
| ALTER TABLE "users" ADD COLUMN "last_active_org_id" integer;--> statement-breakpoint | ||
| ALTER TABLE "auth_session" ADD CONSTRAINT "auth_session_active_org_id_organizations_id_fk" FOREIGN KEY ("active_org_id") REFERENCES "public"."organizations"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint | ||
| ALTER TABLE "users" ADD CONSTRAINT "users_last_active_org_id_organizations_id_fk" FOREIGN KEY ("last_active_org_id") REFERENCES "public"."organizations"("id") ON DELETE no action ON UPDATE no action; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This unique index does not actually de-duplicate NULL-scoped grants.
In PostgreSQL,
NULLvalues are distinct for ordinary unique indexes, so duplicate global/org grants like(user_id, org_id = NULL, project_id = NULL, role_id)or(user_id, org_id = 7, project_id = NULL, role_id)can still be inserted multiple times. That breaks the one-grant-per-scope contract this table is meant to enforce.Use partial unique indexes per scope, or
NULLS NOT DISTINCTif that matches the database target.🤖 Prompt for AI Agents