|
| 1 | +"""convert global-scoped permissions to domain-scoped |
| 2 | +
|
| 3 | +Revision ID: 5a4e677aea42 |
| 4 | +Revises: 0e0723286a7a |
| 5 | +Create Date: 2026-03-20 00:00:00.000000 |
| 6 | +
|
| 7 | +""" |
| 8 | + |
| 9 | +import sqlalchemy as sa |
| 10 | +from alembic import op |
| 11 | + |
| 12 | +# revision identifiers, used by Alembic. |
| 13 | +revision = "5a4e677aea42" |
| 14 | +down_revision = "0e0723286a7a" |
| 15 | +branch_labels = None |
| 16 | +depends_on = None |
| 17 | + |
| 18 | + |
| 19 | +def upgrade() -> None: |
| 20 | + conn = op.get_bind() |
| 21 | + |
| 22 | + # Convert global-scoped permissions to domain-scoped by creating one row |
| 23 | + # per active domain for each global permission row. |
| 24 | + # ON CONFLICT DO NOTHING handles the unique constraint |
| 25 | + # (role_id, scope_type, scope_id, entity_type, operation). |
| 26 | + conn.execute( |
| 27 | + sa.text( |
| 28 | + "INSERT INTO permissions (id, role_id, scope_type, scope_id, entity_type, operation)" |
| 29 | + " SELECT uuid_generate_v4(), p.role_id, 'domain', d.name, p.entity_type, p.operation" |
| 30 | + " FROM permissions AS p" |
| 31 | + " CROSS JOIN domains AS d" |
| 32 | + " WHERE p.scope_type = 'global' AND d.is_active IS TRUE" |
| 33 | + " ON CONFLICT ON CONSTRAINT uq_permissions_role_scope_entity_op DO NOTHING" |
| 34 | + ) |
| 35 | + ) |
| 36 | + |
| 37 | + # Delete all global-scoped permission rows now that they are converted |
| 38 | + conn.execute(sa.text("DELETE FROM permissions WHERE scope_type = 'global'")) |
| 39 | + |
| 40 | + |
| 41 | +def downgrade() -> None: |
| 42 | + # Global scope is deprecated and has no corresponding RBACElementType. |
| 43 | + # The conversion to domain-scoped permissions is not reversible because |
| 44 | + # we cannot determine which domain-scoped rows were originally global. |
| 45 | + pass |
0 commit comments