mirror of
https://github.com/logto-io/logto.git
synced 2024-12-16 20:26:19 -05:00
c5da152ddc
introduce internal roles which name starts with #internal: with RLS policies to make them read-only.
62 lines
1.9 KiB
TypeScript
62 lines
1.9 KiB
TypeScript
import { sql } from 'slonik';
|
|
|
|
import type { AlterationScript } from '../lib/types/alteration.js';
|
|
|
|
const alteration: AlterationScript = {
|
|
up: async (pool) => {
|
|
await pool.query(sql`
|
|
update roles
|
|
set name = '#internal:admin', description = 'Internal admin role for Logto tenant ' || tenant_id || '.'
|
|
where name = 'admin'
|
|
and tenant_id != 'admin';
|
|
|
|
update roles
|
|
set description = 'Admin tenant admin role for Logto tenant ' || substring(name from 0 for strpos(name, ':admin')) || '.'
|
|
where name like '%:admin'
|
|
and tenant_id = 'admin';
|
|
|
|
-- Restrict direct role modification
|
|
create policy roles_select on roles
|
|
for select using (true);
|
|
|
|
drop policy roles_modification on roles;
|
|
create policy roles_modification on roles
|
|
using (not starts_with(name, '#internal:'));
|
|
|
|
-- Restrict role - scope modification
|
|
create policy roles_scopes_select on roles_scopes
|
|
for select using (true);
|
|
|
|
drop policy roles_scopes_modification on roles_scopes;
|
|
create policy roles_scopes_modification on roles_scopes
|
|
using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));
|
|
`);
|
|
},
|
|
down: async (pool) => {
|
|
await pool.query(sql`
|
|
update roles
|
|
set name = 'admin', description = 'Admin role for Logto.'
|
|
where name = '#internal:admin'
|
|
and tenant_id != 'admin';
|
|
|
|
update roles
|
|
set description = 'Admin role for Logto.'
|
|
where name like '%:admin'
|
|
and tenant_id = 'admin';
|
|
|
|
drop policy roles_select on roles;
|
|
drop policy roles_modification on roles;
|
|
|
|
create policy roles_modification on roles
|
|
using (true);
|
|
|
|
drop policy roles_scopes_select on roles_scopes;
|
|
drop policy roles_scopes_modification on roles_scopes;
|
|
|
|
create policy roles_scopes_modification on roles_scopes
|
|
using (true);
|
|
`);
|
|
},
|
|
};
|
|
|
|
export default alteration;
|