| -rw-r--r-- | migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py b/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py index 94b7bde..bdf8a56 100644 --- a/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py +++ b/migrations/auth/20260311_03_vxBCX-restrict-access-to-resources-make-public-feature.py @@ -1,11 +1,38 @@ """ Restrict access to resources' 'Make Public' feature. """ +import contextlib from yoyo import step __depends__ = {'20260311_02_v3EFQ-assign-systemwide-docs-editor-role-to-sysadmins'} + +def fetch_systemwide_data_curator_role_id(cursor): + "Fetch the role's ID." + cursor.execute("SELECT role_id FROM roles " + "WHERE role_name='systemwide-data-curator'") + return cursor.fetchone()[0] + + +def assign_make_public_to_systemwide_data_curator(conn): + """Assign privilege to 'systemwide-data-curator' role.""" + with contextlib.closing(conn.cursor()) as cursor: + cursor.execute( + "INSERT INTO role_privileges(role_id, privilege_id) " + "VALUES(?, 'system:resource:make-public')", + (fetch_systemwide_data_curator_role_id(cursor),)) + + +def revoke_make_public_from_systemwide_data_curator(conn): + """Revoke privilege from 'systemwide-data-curator' role.""" + with contextlib.closing(conn.cursor()) as cursor: + cursor.execute( + "DELETE FROM role_privileges " + "WHERE role_id=? AND privilege_id='system:resource:make-public'", + (fetch_systemwide_data_curator_role_id(cursor),)) + + steps = [ step( """ @@ -16,5 +43,7 @@ steps = [ """, """ DELETE FROM privileges WHERE privilege_id='system:resource:make-public' - """) + """), + step(assign_make_public_to_systemwide_data_curator, + revoke_make_public_from_systemwide_data_curator), ] |
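Review bot: `fetch_systemwide_data_curator_role_id` indexes `cursor.fetchone()[0]` without checking for a missing row, so if no 'systemwide-data-curator' role exists, both the apply and the rollback step abort with an opaque `TypeError` instead of an error naming the role. Whether an ancestor migration creates that role is not visible here; `__depends__` names only the docs-editor assignment migration. Because this step decides which role may make resources public, it should fail explicitly: `row = cursor.fetchone()`, then `if row is None: raise RuntimeError("role 'systemwide-data-curator' not found")`, then `return row[0]`. The helper's docstring could also use triple quotes to match the two functions added below it.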
