284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
123 lines
4.0 KiB
JavaScript
123 lines
4.0 KiB
JavaScript
/**
|
|
* Add service and storage permissions to existing tenants
|
|
* @param { import("knex").Knex } knex
|
|
* @returns { Promise<void> }
|
|
*/
|
|
exports.up = async function(knex) {
|
|
// Get all tenants
|
|
const tenants = await knex('tenants').select('tenant');
|
|
if (!tenants.length) return;
|
|
|
|
// Define the permissions to add
|
|
const newPermissions = [
|
|
// Service permissions
|
|
{ resource: 'service', action: 'create', msp: true, client: false, description: 'Create services' },
|
|
{ resource: 'service', action: 'read', msp: true, client: false, description: 'View services' },
|
|
{ resource: 'service', action: 'update', msp: true, client: false, description: 'Update services' },
|
|
{ resource: 'service', action: 'delete', msp: true, client: false, description: 'Delete services' },
|
|
|
|
// Storage permissions
|
|
{ resource: 'storage', action: 'read', msp: true, client: false, description: 'Read storage' },
|
|
{ resource: 'storage', action: 'write', msp: true, client: false, description: 'Write storage' },
|
|
];
|
|
|
|
// For each tenant, add the permissions
|
|
for (const { tenant } of tenants) {
|
|
// Get existing permissions to avoid duplicates
|
|
const existingPerms = await knex('permissions')
|
|
.where({ tenant })
|
|
.select('resource', 'action');
|
|
|
|
const existingMap = new Set(existingPerms.map(p => `${p.resource}:${p.action}`));
|
|
|
|
const permissionsToAdd = newPermissions
|
|
.filter(p => !existingMap.has(`${p.resource}:${p.action}`))
|
|
.map(p => ({
|
|
tenant,
|
|
permission_id: knex.raw('gen_random_uuid()'),
|
|
...p,
|
|
created_at: new Date()
|
|
}));
|
|
|
|
if (permissionsToAdd.length > 0) {
|
|
await knex('permissions').insert(permissionsToAdd);
|
|
console.log(`Added ${permissionsToAdd.length} new permissions for tenant ${tenant}`);
|
|
}
|
|
|
|
// Get MSP Admin role for this tenant (msp=true, client=false, case-insensitive)
|
|
// Service and storage are MSP-only features
|
|
const adminRole = await knex('roles')
|
|
.where({
|
|
tenant,
|
|
msp: true,
|
|
client: false
|
|
})
|
|
.whereRaw("LOWER(role_name) = 'admin'")
|
|
.first();
|
|
|
|
if (adminRole) {
|
|
// Get all service and storage permissions for this tenant (MSP only)
|
|
const serviceAndStoragePerms = await knex('permissions')
|
|
.where({
|
|
tenant,
|
|
msp: true // Only MSP permissions
|
|
})
|
|
.whereIn('resource', ['service', 'storage'])
|
|
.select('permission_id');
|
|
|
|
// Get existing role permissions for admin
|
|
const existingRolePerms = await knex('role_permissions')
|
|
.where({
|
|
tenant,
|
|
role_id: adminRole.role_id
|
|
})
|
|
.select('permission_id');
|
|
|
|
const existingRolePermIds = new Set(existingRolePerms.map(rp => rp.permission_id));
|
|
|
|
// Add missing permissions to admin role
|
|
const rolePermissionsToAdd = serviceAndStoragePerms
|
|
.filter(p => !existingRolePermIds.has(p.permission_id))
|
|
.map(p => ({
|
|
tenant,
|
|
role_id: adminRole.role_id,
|
|
permission_id: p.permission_id
|
|
}));
|
|
|
|
if (rolePermissionsToAdd.length > 0) {
|
|
await knex('role_permissions').insert(rolePermissionsToAdd);
|
|
console.log(`Added ${rolePermissionsToAdd.length} role permissions to Admin role for tenant ${tenant}`);
|
|
}
|
|
}
|
|
}
|
|
};
|
|
|
|
/**
|
|
* @param { import("knex").Knex } knex
|
|
* @returns { Promise<void> }
|
|
*/
|
|
exports.down = async function(knex) {
|
|
// Get all tenants
|
|
const tenants = await knex('tenants').select('tenant');
|
|
if (!tenants.length) return;
|
|
|
|
for (const { tenant } of tenants) {
|
|
// Remove role permissions first (foreign key constraint)
|
|
await knex('role_permissions')
|
|
.where('tenant', tenant)
|
|
.whereIn('permission_id', function() {
|
|
this.select('permission_id')
|
|
.from('permissions')
|
|
.where('tenant', tenant)
|
|
.whereIn('resource', ['service', 'storage']);
|
|
})
|
|
.delete();
|
|
|
|
// Remove permissions
|
|
await knex('permissions')
|
|
.where('tenant', tenant)
|
|
.whereIn('resource', ['service', 'storage'])
|
|
.delete();
|
|
}
|
|
};
|