author | Frederick Muriuki Muriithi | 2025-07-29 10:37:30 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2025-07-29 10:38:19 -0500 |
commit | 10fe4b01afeffa524ee06c1d5e07396269c8b7ea (patch) | |
tree | d3bd5623c8b7a5132d66aadf5ffeee0abecd385d | |
parent | 5c0b9077320d62ac26685dc37291c18d3670fb98 (diff) | |
download | gn-auth-10fe4b01afeffa524ee06c1d5e07396269c8b7ea.tar.gz |
Assign now system-wide resource-access privileges to sysadmins.
-rw-r--r-- | gn_auth/auth/authorisation/resources/views.py | 1 | ||||
-rw-r--r-- | migrations/auth/20250729_02_7ycSm-assign-initial-system-wide-resources-access-privileges-to-sys-admins.py | 53 |
2 files changed, 53 insertions, 1 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index b52e972..ed118cd 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -684,7 +684,6 @@ def delete_resource() -> Response:
 form = request_json()
 try:
 resource_id = UUID(form.get("resource_id"))
- # TODO Add migrations to grant privileges (system:resource:*) to admin users
 # TODO Update resource creation to grant privileges (system:resource:*) to admin users
 # TODO Update user-levels promotion/demotion to grant/revoke (system:resource:*) to/from admin users
 if not authorised_for_spec(
diff --git a/migrations/auth/20250729_02_7ycSm-assign-initial-system-wide-resources-access-privileges-to-sys-admins.py b/migrations/auth/20250729_02_7ycSm-assign-initial-system-wide-resources-access-privileges-to-sys-admins.py
new file mode 100644
index 0000000..e79ab1c
--- /dev/null
+++ b/migrations/auth/20250729_02_7ycSm-assign-initial-system-wide-resources-access-privileges-to-sys-admins.py
@@ -0,0 +1,53 @@
+"""
+Assign initial system-wide resources-access privileges to sys-admins.
+"""
+import contextlib
+
+from yoyo import step
+
+def system_administrator_role_id(cursor):
+ """Fetch ID for role 'system-administrator'."""
+ cursor.execute(
+ "SELECT role_id FROM roles WHERE role_name='system-administrator'")
+ return cursor.fetchone()[0]
+
+
+def assign_system_wide_resource_access_to_sysadmin(conn):
+ """
+ Assign initial system-wide resources-access privileges to
+ `system-administrator` role.
+ """
+ with contextlib.closing(conn.cursor()) as cursor:
+ sysadmin_role_id = system_administrator_role_id(cursor)
+ cursor.executemany(
+ "INSERT INTO role_privileges(role_id, privilege_id) "
+ "VALUES(?, ?)",
+ ((sysadmin_role_id, "system:resource:view"),
+ (sysadmin_role_id, "system:resource:edit"),
+ (sysadmin_role_id, "system:resource:delete"),
+ (sysadmin_role_id, "system:resource:reassign-group"),
+ (sysadmin_role_id, "system:resource:assign-owner")))
+
+
+def revoke_system_wide_resource_access_from_sysadmin(conn):
+ """
+ Revoke initial system-wide resources-access privileges from
+ `system-administrator` role.
+ """
+ with contextlib.closing(conn.cursor()) as cursor:
+ sysadmin_role_id = system_administrator_role_id(cursor)
+ cursor.executemany(
+ "DELETE FROM role_privileges "
+ "WHERE role_id=? AND privilege_id=?",
+ ((sysadmin_role_id, "system:resource:view"),
+ (sysadmin_role_id, "system:resource:edit"),
+ (sysadmin_role_id, "system:resource:delete"),
+ (sysadmin_role_id, "system:resource:reassign-group"),
+ (sysadmin_role_id, "system:resource:assign-owner")))
+
+__depends__ = {'20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges'}
+
+steps = [
+ step(assign_system_wide_resource_access_to_sysadmin,
+ revoke_system_wide_resource_access_from_sysadmin)
+]
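Review bot: `system_administrator_role_id` indexes `cursor.fetchone()[0]` directly, so on a database where the 'system-administrator' role row is missing the migration aborts with a bare `TypeError: 'NoneType' object is not subscriptable` instead of naming the missing role; `row = cursor.fetchone()`, `if row is None: raise RuntimeError("role 'system-administrator' not found")`, `return row[0]` makes the failure diagnosable from the migration log. The same five `(sysadmin_role_id, "system:resource:…")` pairs are spelled out twice, once in the assign step and once in the revoke step; hoisting the privilege names into one module-level tuple such as `SYSTEM_RESOURCE_PRIVILEGES` and passing `((sysadmin_role_id, priv) for priv in SYSTEM_RESOURCE_PRIVILEGES)` to both `executemany` calls guarantees the rollback revokes exactly what the forward step granted. Whether `role_privileges` enforces uniqueness on (role_id, privilege_id) is not visible here; a one-line comment on the INSERT stating the expected behaviour when a grant already exists would help whoever re-runs this against a partially migrated database.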