Resources: make-public: Assign new privilege to data curator role.
HEAD main1 files changed, 30 insertions, 1 deletions
diff --git a/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py b/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py
index 94b7bde..bdf8a56 100644
--- a/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py
+++ b/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py
@@ -1,11 +1,38 @@
"""
Restrict access to resources' 'Make Public' feature.
"""
+import contextlib
from yoyo import step
__depends__ = {'20260311_02_v3EFQ-assign-systemwide-docs-editor-role-to-sysadmins'}
+
+def fetch_systemwide_data_curator_role_id(cursor):
+ "Fetch the role's ID."
+ cursor.execute("SELECT role_id FROM roles "
+ "WHERE role_name='systemwide-data-curator'")
+ return cursor.fetchone()[0]
+
+
+def assign_make_public_to_systemwide_data_curator(conn):
+ """Assign privilege to 'systemwide-data-curator' role."""
+ with contextlib.closing(conn.cursor()) as cursor:
+ cursor.execute(
+ "INSERT INTO role_privileges(role_id, privilege_id) "
+ "VALUES(?, 'system:resource:make-public')",
+ (fetch_systemwide_data_curator_role_id(cursor),))
+
+
+def revoke_make_public_from_systemwide_data_curator(conn):
+ """Revoke privilege from 'systemwide-data-curator' role."""
+ with contextlib.closing(conn.cursor()) as cursor:
+ cursor.execute(
+ "DELETE FROM role_privileges "
+ "WHERE role_id=? AND privilege_id='system:resource:make-public'",
+ (fetch_systemwide_data_curator_role_id(cursor),))
+
+
steps = [
step(
"""
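Review bot: `fetch_systemwide_data_curator_role_id` returns `cursor.fetchone()[0]` without checking for a missing row. On a database where the 'systemwide-data-curator' role does not exist, both the apply and the rollback step fail with a bare `TypeError` that names neither the role nor the migration. I would make the failure explicit: `row = cursor.fetchone()`, then `if row is None: raise RuntimeError("role 'systemwide-data-curator' not found")`, then `return row[0]`. `__depends__` only names the 20260311_02 migration, and the migration that creates this role is not visible here, so it is worth confirming it is in the dependency chain. The one-line docstring could also state that the lookup is by `role_name` and that a missing role aborts the migration.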
@@ -16,5 +43,7 @@ steps = [
""",
"""
DELETE FROM privileges WHERE privilege_id='system:resource:make-public'
- """)
+ """),
+ step(assign_make_public_to_systemwide_data_curator,
+ revoke_make_public_from_systemwide_data_curator),
]
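Review bot: The new `step(assign_make_public_to_systemwide_data_curator, revoke_make_public_from_systemwide_data_curator)` is appended to the existing migration 20260311_03 instead of being shipped as a new migration file. If yoyo records applied migrations by their id, as I understand it does, any database that has already run this migration will never receive the `role_privileges` row. Because this privilege controls who may make resources public, environments would then silently disagree about which roles hold it. I would move the step into a new migration whose `__depends__` names this one, and add a comment there saying the grant must be applied after the privilege row exists. The `steps` list starts outside this hunk, so the ordering relative to the privilege INSERT is inferred from the visible rollback statement only.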