authorzsloan2025-06-09 19:02:23 +0000
committerzsloan2025-06-09 20:04:14 +0000
commitd2492d4da6707be0764b6faf80c55a7e06449e13 (patch)
tree112f24752b2f79b7e4981f367db45289080a8347
parentf7b54e1f8d24aeb13d1afcc1a232d48636f94ef1 (diff)
downloadgn-auth-d2492d4da6707be0764b6faf80c55a7e06449e13.tar.gz
Add migrations for admin UI and batch edit privileges/roles
-rw-r--r--migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py42
-rw-r--r--migrations/auth/20250609_01_LB60X-add-batch-edit-privileges.py49
2 files changed, 91 insertions, 0 deletions
diff --git a/migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py b/migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py
new file mode 100644
index 0000000..d22ad01
--- /dev/null
+++ b/migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py
@@ -0,0 +1,42 @@
+"""
+add admin ui privilege to system-administrator role
+"""
+import contextlib
+
+from yoyo import step
+
+__depends__ = {'20240924_01_thbvh-hooks-for-edu-domains'}
+
+def get_system_admin_id(cursor):
+    cursor.execute(
+        "SELECT role_id FROM roles WHERE role_name='system-administrator'")
+    return cursor.fetchone()[0]
+
+def add_admin_ui_privilege(conn):
+    with contextlib.closing(conn.cursor()) as cursor:
+        # Create admin-ui privilege
+        cursor.execute(
+            "INSERT INTO privileges (privilege_id, privilege_description) "
+            "VALUES(?, ?)",
+            ("system:user:admin-ui", "View UI elements that should only be visible to system administrators"))
+
+        # Add UI privilege to system-administrator role
+        cursor.execute(
+            "INSERT INTO role_privileges (role_id, privilege_id) "
+            "VALUES(?, ?)",
+            (get_system_admin_id(cursor), "system:user:admin-ui")
+        )
+
+def remove_admin_ui_privilege(conn):
+    with contextlib.closing(conn.cursor()) as cursor:
+        # Remove UI privilege from system-administrator role
+        cursor.execute(
+            "DELETE FROM role_privileges WHERE privilege_id='system:user:admin-ui'")
+        
+        # Remove UI privilege from privileges table
+        cursor.execute(
+            "DELETE FROM privileges WHERE privilege_id='system:user:admin-ui'")
+
+steps = [
+    step(add_admin_ui_privilege, remove_admin_ui_privilege)
+]
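Review bot: `get_system_admin_id` indexes `cursor.fetchone()[0]` without checking for a missing row, so on a database with no `system-administrator` role the migration fails with a bare `TypeError` after the `privileges` insert has already run (whether that insert is rolled back depends on how yoyo wraps the step, which is not visible here). Guard it with `row = cursor.fetchone()` and `if row is None: raise RuntimeError("system-administrator role not found")` before returning `row[0]`. Separately, the rollback's `DELETE FROM role_privileges WHERE privilege_id='system:user:admin-ui'` removes the grant from every role, not only the one the forward step touched, so its comment would be more accurate as `# Remove admin-ui privilege from all roles (the privilege itself is deleted next)`.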
diff --git a/migrations/auth/20250609_01_LB60X-add-batch-edit-privileges.py b/migrations/auth/20250609_01_LB60X-add-batch-edit-privileges.py
new file mode 100644
index 0000000..73a4880
--- /dev/null
+++ b/migrations/auth/20250609_01_LB60X-add-batch-edit-privileges.py
@@ -0,0 +1,49 @@
+"""
+Add Batch Edit privileges
+"""
+
+import contextlib
+
+from yoyo import step
+
+__depends__ = {'20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role'}
+
+def add_batch_edit_privilege_and_role(conn):
+    with contextlib.closing(conn.cursor()) as cursor:
+        # Create batch edit privilege
+        cursor.execute(
+            "INSERT INTO privileges (privilege_id, privilege_description) "
+            "VALUES(?, ?)",
+            ("system:data:batch-edit", "Batch Edit"))
+
+        # Create batch editor role
+        cursor.execute(
+            "INSERT INTO roles (role_id, role_name, user_editable) "
+            "VALUES(?, ?, ?)",
+            ("0f391910-5225-476a-bb8d-9c0adc9d81cc", "Batch Editors", 0))
+
+        # Link role/privilege
+        cursor.execute(
+            "INSERT INTO role_privileges (role_id, privilege_id) "
+            "VALUES(?, ?)",
+            ("0f391910-5225-476a-bb8d-9c0adc9d81cc", "system:data:batch-edit")
+        )
+
+def remove_batch_edit_privilege_and_role(conn):
+    with contextlib.closing(conn.cursor()) as cursor:
+        # Remove batch edit role/privilege link
+        cursor.execute(
+            "DELETE FROM role_privileges WHERE privilege_id='system:data:batch-edit'")
+        
+        # Remove Batch Editor role
+        cursor.execute(
+            "DELETE FROM roles WHERE role_id='0f391910-5225-476a-bb8d-9c0adc9d81cc'")
+
+        # Remove Batch Edit privilege
+        cursor.execute(
+            "DELETE FROM privileges WHERE privilege_id='system:data:batch-edit'")
+
+
+steps = [
+    step(add_batch_edit_privilege_and_role, remove_batch_edit_privilege_and_role)
+]
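Review bot: The rollback in `remove_batch_edit_privilege_and_role` deletes the `Batch Editors` role by its fixed id but does not clear any rows that assign that role to users, and no such cleanup is visible in this diff. Unless the schema cascades on `roles.role_id` (not shown here, so this needs confirming), a rollback followed by a re-apply recreates the role under the same id, and leftover assignments would regain `system:data:batch-edit` without a fresh grant. Either delete the role's assignments in the rollback before the `DELETE FROM roles`, or add a comment stating that a foreign-key cascade handles it. The id literal also appears four times across the two functions; a module constant such as `BATCH_EDITORS_ROLE_ID = "0f391910-5225-476a-bb8d-9c0adc9d81cc"`, passed as a bound parameter in the rollback as well, would keep the forward and rollback steps from drifting apart.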