fix: is_admin fallback for legacy Admin roles + migration data fix
Migration now sets is_admin=true for existing Admin roles. has_permission falls back to role.name == 'Admin' check if is_admin flag is missing (backward compat for pre-migration roles).
This commit is contained in:
@@ -19,8 +19,9 @@ depends_on: Union[str, Sequence[str], None] = None
|
||||
|
||||
|
||||
def upgrade() -> None:
|
||||
"""Add is_admin column to roles table."""
|
||||
"""Add is_admin column to roles table, set True for existing Admin roles."""
|
||||
op.add_column("roles", sa.Column("is_admin", sa.Boolean(), nullable=False, server_default=sa.text("false")))
|
||||
op.execute("UPDATE roles SET is_admin = true WHERE name = 'Admin'")
|
||||
|
||||
|
||||
def downgrade() -> None:
|
||||
|
||||
@@ -550,8 +550,12 @@ def has_permission(resource: str, action: str):
|
||||
if perm.resource == resource and perm.action == action:
|
||||
return current_user
|
||||
|
||||
# Special case for Admin role (full access) — uses is_admin flag, not name string
|
||||
if any(getattr(role, "is_admin", False) for role in current_user.roles):
|
||||
# Special case for Admin role (full access) — uses is_admin flag, not name string.
|
||||
# Fallback to role.name == "Admin" for roles created before is_admin migration.
|
||||
if any(
|
||||
getattr(role, "is_admin", False) or role.name == "Admin"
|
||||
for role in current_user.roles
|
||||
):
|
||||
return current_user
|
||||
|
||||
from .core.auth.logger import log_security_event
|
||||
|
||||
Reference in New Issue
Block a user