diff --git a/backend/alembic/versions/86c7b1d6a710_add_is_admin_column_to_roles_table.py b/backend/alembic/versions/86c7b1d6a710_add_is_admin_column_to_roles_table.py index dc3c7449..e3257f59 100644 --- a/backend/alembic/versions/86c7b1d6a710_add_is_admin_column_to_roles_table.py +++ b/backend/alembic/versions/86c7b1d6a710_add_is_admin_column_to_roles_table.py @@ -19,8 +19,9 @@ depends_on: Union[str, Sequence[str], None] = None def upgrade() -> None: - """Add is_admin column to roles table.""" + """Add is_admin column to roles table, set True for existing Admin roles.""" op.add_column("roles", sa.Column("is_admin", sa.Boolean(), nullable=False, server_default=sa.text("false"))) + op.execute("UPDATE roles SET is_admin = true WHERE name = 'Admin'") def downgrade() -> None: diff --git a/backend/src/dependencies.py b/backend/src/dependencies.py index da824d23..2ef0ae98 100755 --- a/backend/src/dependencies.py +++ b/backend/src/dependencies.py @@ -550,8 +550,12 @@ def has_permission(resource: str, action: str): if perm.resource == resource and perm.action == action: return current_user - # Special case for Admin role (full access) — uses is_admin flag, not name string - if any(getattr(role, "is_admin", False) for role in current_user.roles): + # Special case for Admin role (full access) — uses is_admin flag, not name string. + # Fallback to role.name == "Admin" for roles created before is_admin migration. + if any( + getattr(role, "is_admin", False) or role.name == "Admin" + for role in current_user.roles + ): return current_user from .core.auth.logger import log_security_event