0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2025-01-06 20:40:08 -05:00
logto/packages/schemas/alterations/1.14.0-1708916601-remove-management-api-scopes-assigned-to-user-role.ts
2024-03-16 19:04:55 +08:00

47 lines
1.6 KiB
TypeScript

import { sql } from '@silverhand/slonik';
import type { AlterationScript } from '../lib/types/alteration.js';
enum RoleType {
User = 'User',
}
const getManagementApiResourceIndicator = (tenantId: string) => `https://${tenantId}.logto.app/api`;
// Remove management API scopes assigned to user roles, in case they were assigned by management API and bypassed the constraints in admin console.
const alteration: AlterationScript = {
up: async (pool) => {
const { rows } = await pool.query<{
rolesScopesId: string;
indicator: string;
tenantId: string;
}>(sql`
select
roles_scopes.id as "rolesScopesId",
roles_scopes.tenant_id as "tenantId",
resources.indicator as indicator from roles_scopes
join roles
on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
join scopes on
roles_scopes.scope_id = scopes.id and roles_scopes.tenant_id = scopes.tenant_id
join resources on
scopes.resource_id = resources.id and scopes.tenant_id = resources.tenant_id
where roles.type = ${RoleType.User};
`);
const rolesScopesIdsToRemove = rows
.filter(
({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId)
)
.map(({ rolesScopesId }) => rolesScopesId);
if (rolesScopesIdsToRemove.length > 0) {
await pool.query(sql`
delete from roles_scopes where id in (${sql.join(rolesScopesIdsToRemove, sql`, `)});
`);
}
},
down: async (pool) => {
// It cannot be reverted automatically.
},
};
export default alteration;