npm - snipe-auth-rbac - Versions diffs - 0.6.0 → 0.6.1 - Mend

snipe-auth-rbac 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/sql/0001_initial.sql +22 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "snipe-auth-rbac",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Two-layer RBAC (system + company) for React, Next.js, and any modern TS app — paired with the Python sibling.",
   "license": "MIT",
   "type": "module",

package/sql/0001_initial.sql CHANGED Viewed

@@ -957,6 +957,15 @@ DO $$ BEGIN
     IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
         EXECUTE 'GRANT EXECUTE ON FUNCTION rbac.is_super_admin() TO authenticated';
         EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA rbac TO authenticated';
+        -- 0.6.1+: ALTER DEFAULT PRIVILEGES so any future tables
+        -- added to the rbac schema (by adopters or by a later
+        -- version of this package) automatically get the same
+        -- authenticated CRUD grant. Prevents the
+        -- "rbac.role_permission_overrides missing UPDATE → upsert
+        -- silently rejected" class of bug that hit adopters who
+        -- ran 0001 on an existing DB before role_permission_overrides
+        -- existed.
+        EXECUTE 'ALTER DEFAULT PRIVILEGES IN SCHEMA rbac GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO authenticated';
     END IF;
     IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN
         EXECUTE 'GRANT ALL ON ALL TABLES IN SCHEMA rbac TO service_role';
@@ -965,6 +974,19 @@ DO $$ BEGIN
     END IF;
 END $$;
+-- 0.6.1+: explicit per-table re-grant for the two 0.4.0+ tables.
+-- Belt-and-braces for adopters whose DB has the tables but whose
+-- earlier 0001 run pre-dated the tables (so the schema-wide GRANT
+-- above didn't cover them, and ALTER DEFAULT PRIVILEGES only
+-- applies to tables created AFTER it). Idempotent — re-granting
+-- existing privileges is a no-op.
+DO $$ BEGIN
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
+        EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON rbac.resource_dependencies     TO authenticated';
+        EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON rbac.role_permission_overrides TO authenticated';
+    END IF;
+END $$;
 ALTER TABLE rbac.companies                 ENABLE ROW LEVEL SECURITY;
 ALTER TABLE rbac.resources                 ENABLE ROW LEVEL SECURITY;
 ALTER TABLE rbac.roles                     ENABLE ROW LEVEL SECURITY;