b840047e19
ci: add GitHub Pages deployment workflow for docs site Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
50 lines
1.6 KiB
Python
50 lines
1.6 KiB
Python
"""Add super_admin bypass to devices, device_groups, device_tags RLS policies.
|
|
|
|
Previously these tables only matched tenant_id, so super_admin context
|
|
('super_admin') returned zero rows. Users/tenants tables already had
|
|
the bypass — this brings device tables in line.
|
|
|
|
Revision ID: 022
|
|
Revises: 021
|
|
Create Date: 2026-03-07
|
|
"""
|
|
|
|
import sqlalchemy as sa
|
|
from alembic import op
|
|
|
|
revision = "022"
|
|
down_revision = "021"
|
|
branch_labels = None
|
|
depends_on = None
|
|
|
|
# Tables that need super_admin bypass added to their RLS policy
|
|
_TABLES = ["devices", "device_groups", "device_tags"]
|
|
|
|
|
|
def upgrade() -> None:
|
|
conn = op.get_bind()
|
|
for table in _TABLES:
|
|
conn.execute(sa.text(f"DROP POLICY IF EXISTS tenant_isolation ON {table}"))
|
|
conn.execute(sa.text(f"""
|
|
CREATE POLICY tenant_isolation ON {table}
|
|
USING (
|
|
tenant_id::text = current_setting('app.current_tenant', true)
|
|
OR current_setting('app.current_tenant', true) = 'super_admin'
|
|
)
|
|
WITH CHECK (
|
|
tenant_id::text = current_setting('app.current_tenant', true)
|
|
OR current_setting('app.current_tenant', true) = 'super_admin'
|
|
)
|
|
"""))
|
|
|
|
|
|
def downgrade() -> None:
|
|
conn = op.get_bind()
|
|
for table in _TABLES:
|
|
conn.execute(sa.text(f"DROP POLICY IF EXISTS tenant_isolation ON {table}"))
|
|
conn.execute(sa.text(f"""
|
|
CREATE POLICY tenant_isolation ON {table}
|
|
USING (tenant_id::text = current_setting('app.current_tenant', true))
|
|
WITH CHECK (tenant_id::text = current_setting('app.current_tenant', true))
|
|
"""))
|