From 5c0b9077320d62ac26685dc37291c18d3670fb98 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 29 Jul 2025 09:43:33 -0500
Subject: Add system-wide resource-access privileges for system administrators

System administrators need to access, and modify the resources in the
system, and to do that, we need to grant them specific privileges to
check against.

These privileges act on the wrapper resource objects, not necessarily
the data attached to the resource object.
---
 ...tial-system-wide-resources-access-privileges.py | 31 ++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py

(limited to 'migrations/auth')

diff --git a/migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py b/migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py
new file mode 100644
index 0000000..be0d022
--- /dev/null
+++ b/migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py
@@ -0,0 +1,31 @@
+"""
+Create initial system-wide resources access privileges
+"""
+
+from yoyo import step
+
+__depends__ = {'20250722_02_M8TXv-add-system-user-edit-privilege-to-system-admin-role'}
+
+steps = [
+    step(
+        """
+        INSERT INTO privileges(privilege_id, privilege_description)
+        VALUES
+          ("system:resource:view",
+           "View the wrapper resource object (not attached data). This is mostly for administration purposes."),
+          ("system:resource:edit",
+           "Edit/update the wrapper resource object (not attached data). This is mostly for administration purposes."),
+          ("system:resource:delete",
+           "Delete the wrapper resource object (not attached data). This is mostly for administration purposes."),
+          ("system:resource:reassign-group",
+           "Reassign the resource, and its data, to a different user group."),
+          ("system:resource:assign-owner",
+           "Assign ownership of any resource to any user.")
+        """,
+        """
+        DELETE FROM privileges WHERE privilege_id IN
+          ("system:resource:view", "system:resource:edit",
+           "system:resource:delete", "system:resource:reassign-group",
+           "system:resource:assign-owner")
+        """)
+]
-- 
cgit 1.4.1