Diffstat (limited to 'migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py')
-rw-r--r--migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py42
1 files changed, 42 insertions, 0 deletions
diff --git a/migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py b/migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py
new file mode 100644
index 0000000..d22ad01
--- /dev/null
+++ b/migrations/auth/20250328_01_72EFk-add-admin-ui-privilege-to-system-administrator-role.py
@@ -0,0 +1,42 @@
+"""
+add admin ui privilege to system-administrator role
+"""
+import contextlib
+
+from yoyo import step
+
+__depends__ = {'20240924_01_thbvh-hooks-for-edu-domains'}
+
+def get_system_admin_id(cursor):
+ cursor.execute(
+ "SELECT role_id FROM roles WHERE role_name='system-administrator'")
+ return cursor.fetchone()[0]
+
+def add_admin_ui_privilege(conn):
+ with contextlib.closing(conn.cursor()) as cursor:
+ # Create admin-ui privilege
+ cursor.execute(
+ "INSERT INTO privileges (privilege_id, privilege_description) "
+ "VALUES(?, ?)",
+ ("system:user:admin-ui", "View UI elements that should only be visible to system administrators"))
+
+ # Add UI privilege to system-administrator role
+ cursor.execute(
+ "INSERT INTO role_privileges (role_id, privilege_id) "
+ "VALUES(?, ?)",
+ (get_system_admin_id(cursor), "system:user:admin-ui")
+ )
+
+def remove_admin_ui_privilege(conn):
+ with contextlib.closing(conn.cursor()) as cursor:
+ # Remove UI privilege from system-administrator role
+ cursor.execute(
+ "DELETE FROM role_privileges WHERE privilege_id='system:user:admin-ui'")
+
+ # Remove UI privilege from privileges table
+ cursor.execute(
+ "DELETE FROM privileges WHERE privilege_id='system:user:admin-ui'")
+
+steps = [
+ step(add_admin_ui_privilege, remove_admin_ui_privilege)
+]
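Review bot: In `get_system_admin_id`, `cursor.fetchone()[0]` raises a bare `TypeError` when no `system-administrator` row exists, so the migration fails without naming the missing role, and only after the `privileges` INSERT in `add_admin_ui_privilege` has already run. Fetch the row first and fail explicitly: `row = cursor.fetchone()`, then `if row is None: raise RuntimeError("role 'system-administrator' not found")`, then `return row[0]`. Doing the lookup before the first INSERT would also avoid depending on the migration runner to roll back the partial change, since its transaction handling is not visible here. Separately, the privilege description says it governs which UI elements are visible, so a comment stating that `system:user:admin-ui` is presentation-only and that the admin endpoints still need their own server-side privilege checks would help; this is inferred from the description, not from code in this hunk.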