feat: add more restrictions

njncalub · njncalub · commit df331eae3a59 · 2025-07-17T23:39:41.000+08:00
diff --git a/migrations/tenants/003_20250711_213213_create_permissions.down.surql b/migrations/tenants/003_20250711_213213_create_permissions.down.surql
@@ -9,6 +9,7 @@ REMOVE FUNCTION IF EXISTS fn::has_permission;
 REMOVE EVENT IF EXISTS prevent_deletion_of_main_realm ON TABLE realm;
 REMOVE EVENT IF EXISTS prevent_deletion_of_internal_definitions ON TABLE definition;
 REMOVE EVENT IF EXISTS parent_definition_must_be_internal ON TABLE definition;
+REMOVE EVENT IF EXISTS prevent_deletion_of_definitions_in_use ON TABLE definition;
 REMOVE TABLE IF EXISTS realm;
 REMOVE TABLE IF EXISTS definition;
 REMOVE TABLE IF EXISTS role;
diff --git a/migrations/tenants/003_20250711_213213_create_permissions.surql b/migrations/tenants/003_20250711_213213_create_permissions.surql
@@ -42,6 +42,7 @@ DEFINE FIELD _internal ON definition TYPE bool DEFAULT false;
 DEFINE FIELD title ON definition TYPE string;
 DEFINE FIELD description ON definition TYPE option<string>;
 DEFINE FIELD versions ON definition TYPE array<object> DEFAULT [];
+DEFINE FIELD show_in_ui ON definition TYPE bool DEFAULT true;
 DEFINE FIELD updated_at ON definition TYPE datetime VALUE time::now();
 DEFINE FIELD created_at ON definition TYPE datetime VALUE time::now() READONLY;
 
@@ -72,6 +73,17 @@ WHEN $event = "CREATE" THEN {
   } END;
 };
 
+DEFINE EVENT prevent_deletion_of_definitions_in_use ON TABLE definition
+WHEN $event = "DELETE" THEN {
+  LET $relevant_tables = ["group"];
+  FOR $table_name IN $relevant_tables {
+    LET $records = SELECT VALUE count() FROM ONLY type::table($table_name) WHERE _definition = record::id($value.id);
+    IF $records > 0 THEN {
+      THROW "Definition is still in use";
+    } END;
+  };
+};
+
 --------------------------------------------------------------------------------
 
 DEFINE TABLE role SCHEMALESS;
diff --git a/migrations/tenants/004_20250714_175230_create_groups.down.surql b/migrations/tenants/004_20250714_175230_create_groups.down.surql
@@ -7,6 +7,7 @@ BEGIN TRANSACTION;
 REMOVE TABLE IF EXISTS group;
 REMOVE TABLE IF EXISTS in_realm;
 REMOVE TABLE IF EXISTS member_of;
+REMOVE EVENT IF EXISTS group_definition_must_exist ON TABLE group;
 
 --------------------------------------------------------------------------------
 
diff --git a/migrations/tenants/004_20250714_175230_create_groups.surql b/migrations/tenants/004_20250714_175230_create_groups.surql
@@ -12,6 +12,13 @@ DEFINE FIELD description ON group TYPE option<string>;
 DEFINE FIELD updated_at ON group TYPE datetime VALUE time::now();
 DEFINE FIELD created_at ON group TYPE datetime VALUE time::now() READONLY;
 
+DEFINE EVENT group_definition_must_exist ON TABLE group WHEN $event = "CREATE" THEN {
+  LET $definition = type::thing("definition", $value._definition);
+  IF not(record::exists($definition)) THEN {
+    THROW "Group definition does not exist";
+  } END;
+};
+
 --------------------------------------------------------------------------------
 
 DEFINE TABLE member_of TYPE RELATION FROM person TO group ENFORCED;
