From 673d68366008c582a74820ae66ade57998148cfb Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 14 Nov 2022 13:50:00 +0300
Subject: Migrations: Add `user_editable` field to roles table

Some roles will not be user editable to prevent inconsistencies, and possible privilege escalation.
* migrations/auth/20221110_05_BaNtL-create-roles-table.py: Add `user_editable` column to table
* migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py: Set `group-leader` role as not user editable
---
 migrations/auth/20221110_05_BaNtL-create-roles-table.py | 3 ++-
 migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/migrations/auth/20221110_05_BaNtL-create-roles-table.py b/migrations/auth/20221110_05_BaNtL-create-roles-table.py
index edf3ea4..18499a6 100644
--- a/migrations/auth/20221110_05_BaNtL-create-roles-table.py
+++ b/migrations/auth/20221110_05_BaNtL-create-roles-table.py
@@ -11,7 +11,8 @@ steps = [
 """
 CREATE TABLE IF NOT EXISTS roles(
 role_id TEXT NOT NULL PRIMARY KEY,
- role_name TEXT NOT NULL
+ role_name TEXT NOT NULL,
+ user_editable INTEGER NOT NULL DEFAULT 1 CHECK (user_editable=0 or user_editable=1)
 ) WITHOUT ROWID
 """,
 "DROP TABLE IF EXISTS roles")
diff --git a/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py b/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py
index 08d0202..c4887cd 100644
--- a/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py
+++ b/migrations/auth/20221114_04_tLUzB-initialise-basic-roles.py
@@ -9,8 +9,8 @@ __depends__ = {'20221114_03_PtWjc-create-group-roles-table'}
 steps = [
 step(
 """
- INSERT INTO roles(role_id, role_name) VALUES
- ('a0e67630-d502-4b9f-b23f-6805d0f30e30', 'group-leader')
+ INSERT INTO roles(role_id, role_name, user_editable) VALUES
+ ('a0e67630-d502-4b9f-b23f-6805d0f30e30', 'group-leader', '0')
 """,
 "DELETE FROM roles"),
 step(
-- cgit v1.2.3
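Review bot: In `20221110_05_BaNtL-create-roles-table.py` the new `user_editable` column is declared `DEFAULT 1`, so any role inserted without naming the column becomes user-editable, which is the fail-open direction for a flag the commit message ties to privilege escalation. A fail-closed declaration such as `user_editable INTEGER NOT NULL DEFAULT 0 CHECK (user_editable IN (0, 1))` would make editable roles opt in explicitly. Separately, this edits an existing migration whose statement is `CREATE TABLE IF NOT EXISTS`, so a database where `roles` already exists will presumably never gain the column; if any deployment has applied it, a new migration using `ALTER TABLE roles ADD COLUMN` would be needed instead. The enclosing `step(...)` call starts outside the hunk.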
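Review bot: In `20221114_04_tLUzB-initialise-basic-roles.py` the flag is inserted as the quoted string `'0'` into a column declared `INTEGER` with a `CHECK (user_editable=0 or user_editable=1)`. That appears to rely on the engine coercing text to an integer before the check runs, and it would fail on a strictly typed table or a different backend. Writing the literal as an integer removes the dependency: `('a0e67630-d502-4b9f-b23f-6805d0f30e30', 'group-leader', 0)`. The column by itself is only a marker; nothing visible in this patch stops an `UPDATE` on a non-editable role, so the application code that modifies roles should be confirmed to check it.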