alldigital/PSA
2
0
Fork 0
Code Issues Pull Requests Actions 13 Packages Projects Releases Wiki Activity
PSA/server/migrations/20251022000002_fix_admin_service_storage_permissions.cjs
Hermes 284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Details
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Details
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
Details
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
Details
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Details
Integration Tests / Check for relevant changes (push) Waiting to run
Details
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Details
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Details
Mobile checks / Mobile unit tests (push) Waiting to run
Details
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Details
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Details
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Details
Temporal Readiness / fast-readiness (push) Waiting to run
Details
Temporal Readiness / docker-parity (push) Waiting to run
Details
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Details
Unit Tests / Skipped-test budget (push) Waiting to run
Details
Unit Tests / Nx affected unit tests (push) Waiting to run
Details
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Details
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Details
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
Details
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Details
Initial import of AlgaPSA codebase from PSA server 
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00

118 lines
3.5 KiB
JavaScript
Raw Permalink Blame History

/**
* Fix: Ensure ALL MSP Admin roles have service and storage permissions
*
* The previous migration (20251022000000) had a bug where it used .find()
* to get "Admin" role without specifying msp=true. This caused it to
* randomly assign permissions to either MSP Admin or Client Admin.
*
* Since service and storage are MSP-only features, they should be assigned
* to MSP Admin roles (msp=true, client=false).
*
* @param { import("knex").Knex } knex
* @returns { Promise<void> }
*/
exports.up = async function(knex) {
// Get all tenants
const tenants = await knex('tenants').select('tenant');
if (!tenants.length) return;
let totalPermissionsAdded = 0;
for (const { tenant } of tenants) {
// Get MSP Admin role for this tenant (msp=true, client=false)
const mspAdminRole = await knex('roles')
.where({
tenant,
msp: true,
client: false
})
.whereRaw("LOWER(role_name) = 'admin'")
.first();
if (!mspAdminRole) {
console.log(`No MSP Admin role found for tenant ${tenant}, skipping`);
continue;
}
// Get all service and storage permissions for this tenant
const serviceAndStoragePerms = await knex('permissions')
.where({
tenant,
msp: true // Only MSP permissions
})
.whereIn('resource', ['service', 'storage'])
.select('permission_id');
if (serviceAndStoragePerms.length === 0) {
console.log(`No service/storage permissions found for tenant ${tenant}, skipping`);
continue;
}
// Get existing role permissions for MSP Admin
const existingRolePerms = await knex('role_permissions')
.where({
tenant,
role_id: mspAdminRole.role_id
})
.select('permission_id');
const existingRolePermIds = new Set(existingRolePerms.map(rp => rp.permission_id));
// Add missing permissions to MSP Admin role
const rolePermissionsToAdd = serviceAndStoragePerms
.filter(p => !existingRolePermIds.has(p.permission_id))
.map(p => ({
tenant,
role_id: mspAdminRole.role_id,
permission_id: p.permission_id
}));
if (rolePermissionsToAdd.length > 0) {
await knex('role_permissions').insert(rolePermissionsToAdd);
totalPermissionsAdded += rolePermissionsToAdd.length;
console.log(`Added ${rolePermissionsToAdd.length} service/storage permissions to MSP Admin role for tenant ${tenant}`);
}
}
console.log(`Migration complete: Added ${totalPermissionsAdded} total permission assignments across all tenants`);
};
/**
* Rollback: Remove service and storage permissions from MSP Admin roles
* @param { import("knex").Knex } knex
* @returns { Promise<void> }
*/
exports.down = async function(knex) {
// Get all tenants
const tenants = await knex('tenants').select('tenant');
if (!tenants.length) return;
for (const { tenant } of tenants) {
// Get MSP Admin role
const mspAdminRole = await knex('roles')
.where({
tenant,
msp: true,
client: false
})
.whereRaw("LOWER(role_name) = 'admin'")
.first();
if (!mspAdminRole) continue;
// Remove service and storage permissions from MSP Admin
await knex('role_permissions')
.where({
tenant,
role_id: mspAdminRole.role_id
})
.whereIn('permission_id', function() {
this.select('permission_id')
.from('permissions')
.where({ tenant })
.whereIn('resource', ['service', 'storage']);
})
.delete();
}
};
Reference in New Issue View Git Blame Copy Permalink