authorFrederick Muriuki Muriithi2022-11-14 13:50:00 +0300
committerFrederick Muriuki Muriithi2022-11-14 13:50:00 +0300
commit673d68366008c582a74820ae66ade57998148cfb (patch)
tree300fd3c3fd78f2dd55022b92e58c4b547e470af3
parentf3295a7d6df0a64c3949fa2e940918cea94f99a1 (diff)
downloadgenenetwork3-673d68366008c582a74820ae66ade57998148cfb.tar.gz
Migrations: Add `user_editable` field to roles table
Some roles will not be user-editable, to prevent inconsistencies and possible
privilege escalation.

* migrations/auth/20221110_05_BaNtL-create-roles-table.py: Add `user_editable`
  column to table
* migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py: Set
  `group-leader` role as not user editable
-rw-r--r--migrations/auth/20221110_05_BaNtL-create-roles-table.py3
-rw-r--r--migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py4
2 files changed, 4 insertions, 3 deletions
diff --git a/migrations/auth/20221110_05_BaNtL-create-roles-table.py b/migrations/auth/20221110_05_BaNtL-create-roles-table.py
index edf3ea4..18499a6 100644
--- a/migrations/auth/20221110_05_BaNtL-create-roles-table.py
+++ b/migrations/auth/20221110_05_BaNtL-create-roles-table.py
@@ -11,7 +11,8 @@ steps = [
         """
         CREATE TABLE IF NOT EXISTS roles(
             role_id TEXT NOT NULL PRIMARY KEY,
-            role_name TEXT NOT NULL
+            role_name TEXT NOT NULL,
+            user_editable INTEGER NOT NULL DEFAULT 1 CHECK (user_editable=0 or user_editable=1)
         ) WITHOUT ROWID
         """,
         "DROP TABLE IF EXISTS roles")
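Review bot: The new `user_editable` column defaults to 1, so any role inserted without naming the column ends up user editable. Since the commit message gives privilege escalation as the reason for the flag, a fail-closed default is safer, with editable roles opting in explicitly: `user_editable INTEGER NOT NULL DEFAULT 0 CHECK (user_editable=0 or user_editable=1)`. Separately, this edits an existing migration that uses `CREATE TABLE IF NOT EXISTS`, so a database where `roles` was already created will presumably keep the old schema, and the later INSERT that names `user_editable` would fail there; a new migration that adds the column with `ALTER TABLE roles ADD COLUMN` would cover that case. The column only records intent: nothing in the schema blocks an UPDATE of a protected row, so the check has to live in the role-editing code, which is not visible here. The `steps` list begins before this hunk.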
diff --git a/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py b/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py
index 08d0202..c4887cd 100644
--- a/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py
+++ b/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py
@@ -9,8 +9,8 @@ __depends__ = {'20221114_03_PtWjc-create-group-roles-table'}
 steps = [
     step(
         """
-        INSERT INTO roles(role_id, role_name) VALUES
-            ('a0e67630-d502-4b9f-b23f-6805d0f30e30', 'group-leader')
+        INSERT INTO roles(role_id, role_name, user_editable) VALUES
+            ('a0e67630-d502-4b9f-b23f-6805d0f30e30', 'group-leader', '0')
         """,
         "DELETE FROM roles"),
     step(
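Review bot: The `user_editable` value is written as the string `'0'` although the column is declared INTEGER with a 0/1 CHECK; this presumably passes only because SQLite coerces the text through the column's integer affinity. Write the integer literal instead, `('a0e67630-d502-4b9f-b23f-6805d0f30e30', 'group-leader', 0)`, so the flag protecting the group-leader role does not depend on coercion. A comment above the step, such as `# group-leader is system-managed: user_editable=0 keeps it out of user role editing`, would record why this row differs from the default. The `steps` list continues past the end of this hunk.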