fix: is_admin fallback for legacy Admin roles + migration data fix

Migration now sets is_admin=true for existing Admin roles.
has_permission falls back to role.name == 'Admin' check if
is_admin flag is missing (backward compat for pre-migration roles).
This commit is contained in:
2026-05-26 15:29:14 +03:00
parent 6b960b0eb3
commit 2fa8edfa03
2 changed files with 8 additions and 3 deletions

View File

@@ -19,8 +19,9 @@ depends_on: Union[str, Sequence[str], None] = None
def upgrade() -> None:
"""Add is_admin column to roles table."""
"""Add is_admin column to roles table, set True for existing Admin roles."""
op.add_column("roles", sa.Column("is_admin", sa.Boolean(), nullable=False, server_default=sa.text("false")))
op.execute("UPDATE roles SET is_admin = true WHERE name = 'Admin'")
def downgrade() -> None:

View File

@@ -550,8 +550,12 @@ def has_permission(resource: str, action: str):
if perm.resource == resource and perm.action == action:
return current_user
# Special case for Admin role (full access) — uses is_admin flag, not name string
if any(getattr(role, "is_admin", False) for role in current_user.roles):
# Special case for Admin role (full access) — uses is_admin flag, not name string.
# Fallback to role.name == "Admin" for roles created before is_admin migration.
if any(
getattr(role, "is_admin", False) or role.name == "Admin"
for role in current_user.roles
):
return current_user
from .core.auth.logger import log_security_event