mirror of
https://github.com/logto-io/logto.git
synced 2024-12-23 20:33:16 -05:00
63 lines
1.9 KiB
TypeScript
63 lines
1.9 KiB
TypeScript
|
import { sql } from 'slonik';
|
||
|
|
||
|
import type { AlterationScript } from '../lib/types/alteration.js';
|
||
|
|
||
|
const alteration: AlterationScript = {
|
||
|
up: async (pool) => {
|
||
|
await pool.query(sql`
|
||
|
update roles
|
||
|
set name = '#internal:admin', description = 'Internal admin role for Logto tenant ' || tenant_id || '.'
|
||
|
where name = 'admin'
|
||
|
and tenant_id != 'admin';
|
||
|
|
||
|
update roles
|
||
|
set description = 'Admin tenant admin role for Logto tenant ' || substring(name from 0 for strpos(name, ':admin')) || '.'
|
||
|
where name like '%:admin'
|
||
|
and tenant_id = 'admin';
|
||
|
|
||
|
-- Restrict direct role modification
|
||
|
create policy roles_select on roles
|
||
|
for select using (true);
|
||
|
|
||
|
drop policy roles_modification on roles;
|
||
|
create policy roles_modification on roles
|
||
|
using (not starts_with(name, '#internal:'));
|
||
|
|
||
|
-- Restrict role - scope modification
|
||
|
create policy roles_scopes_select on roles_scopes
|
||
|
for select using (true);
|
||
|
|
||
|
drop policy roles_scopes_modification on roles_scopes;
|
||
|
create policy roles_scopes_modification on roles_scopes
|
||
|
using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
|
||
|
`);
|
||
|
},
|
||
|
down: async (pool) => {
|
||
|
await pool.query(sql`
|
||
|
update roles
|
||
|
set name = 'admin', description = 'Admin role for Logto.'
|
||
|
where name = '#internal:admin'
|
||
|
and tenant_id != 'admin';
|
||
|
|
||
|
update roles
|
||
|
set description = 'Admin role for Logto.'
|
||
|
where name like '%:admin'
|
||
|
and tenant_id = 'admin';
|
||
|
|
||
|
drop policy roles_select on roles;
|
||
|
drop policy roles_modification on roles;
|
||
|
|
||
|
create policy roles_modification on roles
|
||
|
using (true);
|
||
|
|
||
|
drop policy roles_scopes_select on roles_scopes;
|
||
|
drop policy roles_scopes_modification on roles_scopes;
|
||
|
|
||
|
create policy roles_scopes_modification on roles_scopes
|
||
|
using (true);
|
||
|
`);
|
||
|
},
|
||
|
};
|
||
|
|
||
|
export default alteration;
|