1- -- Org membership is now associated with a specific role within the org, this simplifies things,
1+ -- Org membership is now associated with a specific role within the org, this simplifies things,
22-- makes the data more consistent, no need to rely on triggers, and makes it much easier to display in the UI.
33
44-- Update the role permissions, some roles had an incorrect 'org:create_project' rather than 'project:create' permission
@@ -22,7 +22,7 @@ ALTER TABLE org_members
2222 ADD COLUMN role_id UUID REFERENCES roles(id) NULL ;
2323
2424-- set all existing org members to be maintiners
25- UPDATE org_members
25+ UPDATE org_members
2626 SET role_id = (SELECT id FROM roles WHERE ref = ' org_maintainer' LIMIT 1 );
2727
2828-- Elevate the current org owners to have the org_owner role
@@ -59,7 +59,7 @@ $$ LANGUAGE plpgsql;
5959
6060CREATE TRIGGER check_org_owners_trigger
6161 AFTER UPDATE OR DELETE ON org_members
62- FOR EACH ROW
62+ FOR EACH ROW
6363 EXECUTE FUNCTION check_orgs_have_an_owner();
6464
6565-- Split out view containing all the direct subject<->resource permissions.
@@ -88,7 +88,7 @@ CREATE OR REPLACE VIEW direct_resource_permissions(subject_id, resource_id, perm
8888
8989-- This view builds on top of direct_resource_permissions to include inherited permissions
9090CREATE OR REPLACE VIEW subject_resource_permissions (subject_id, resource_id, permission) AS (
91- SELECT drp .subject_id , drp .resource_id , drp .permission
91+ SELECT drp .subject_id , drp .resource_id , drp .permission
9292 FROM direct_resource_permissions drp
9393 UNION
9494 -- Inherit permissions from parent resources
@@ -98,4 +98,8 @@ CREATE OR REPLACE VIEW subject_resource_permissions(subject_id, resource_id, per
9898);
9999
100100
101- -- TODO: delete now redundant roles from role_memberships
101+ DELETE FROM role_memberships rm
102+ USING roles r
103+ WHERE
104+ rm .role_id = r .id
105+ AND r .ref ::text IN (' org_viewer' ' org_maintainer' ' org_contributor' ' org_admin' ' org_owner' ' org_default'
0 commit comments