refactor(rbac): remove role-dropping changes from scope-seeding branch

Author: jordan-umusu

frontend/src/app/invitations/accept/page.tsx

@@ -201,13 +201,13 @@ function AcceptInvitationContent() {
               <>
                 <strong>{invitation.inviter_name}</strong> has invited you to
                 join <strong>{invitation.organization_name}</strong> as a{" "}
-                <strong>{invitation.role_name}</strong>.
+                <strong>{invitation.role}</strong>.
               </>
             ) : (
               <>
                 You&apos;ve been invited to join{" "}
                 <strong>{invitation.organization_name}</strong> as a{" "}
-                <strong>{invitation.role_name}</strong>.
+                <strong>{invitation.role}</strong>.
               </>
             )}
           </CardDescription>
@@ -224,7 +224,7 @@ function AcceptInvitationContent() {
               <div className="flex justify-between">
                 <span className="text-muted-foreground">Role</span>
                 <span className="font-medium capitalize">
-                  {invitation.role_name}
+                  {invitation.role}
                 </span>
               </div>
               {invitation.inviter_email && (
@@ -320,12 +320,12 @@ function AcceptInvitationContent() {
           {invitation.inviter_name ? (
             <>
               <strong>{invitation.inviter_name}</strong> has invited you to join
-              this organization as a <strong>{invitation.role_name}</strong>.
+              this organization as a <strong>{invitation.role}</strong>.
             </>
           ) : (
             <>
               You&apos;ve been invited to join this organization as a{" "}
-              <strong>{invitation.role_name}</strong>.
+              <strong>{invitation.role}</strong>.
             </>
           )}
         </CardDescription>
@@ -341,9 +341,7 @@ function AcceptInvitationContent() {
             </div>
             <div className="flex justify-between">
               <span className="text-muted-foreground">Role</span>
-              <span className="font-medium capitalize">
-                {invitation.role_name}
-              </span>
+              <span className="font-medium capitalize">{invitation.role}</span>
             </div>
             {invitation.inviter_email && (
               <div className="flex justify-between">

frontend/src/client/schemas.gen.ts

@@ -9974,37 +9974,15 @@ export const $OrgInvitationCreate = {
       format: "email",
       title: "Email",
     },
-    role_id: {
-      anyOf: [
-        {
-          type: "string",
-          format: "uuid",
-        },
-        {
-          type: "null",
-        },
-      ],
-      title: "Role Id",
-    },
-    role_slug: {
-      anyOf: [
-        {
-          type: "string",
-        },
-        {
-          type: "null",
-        },
-      ],
-      title: "Role Slug",
+    role: {
+      $ref: "#/components/schemas/OrgRole",
+      default: "member",
     },
   },
   type: "object",
   required: ["email"],
   title: "OrgInvitationCreate",
-  description: `Request body for creating an organization invitation.
-
-Either role_id or role_slug must be provided to specify the role to grant.
-If both are provided, role_id takes precedence.`,
+  description: "Request body for creating an organization invitation.",
 } as const
 
 export const $OrgInvitationRead = {
@@ -10024,25 +10002,8 @@ export const $OrgInvitationRead = {
       format: "email",
       title: "Email",
     },
-    role_id: {
-      type: "string",
-      format: "uuid",
-      title: "Role Id",
-    },
-    role_slug: {
-      anyOf: [
-        {
-          type: "string",
-        },
-        {
-          type: "null",
-        },
-      ],
-      title: "Role Slug",
-    },
-    role_name: {
-      type: "string",
-      title: "Role Name",
+    role: {
+      $ref: "#/components/schemas/OrgRole",
     },
     status: {
       $ref: "#/components/schemas/InvitationStatus",
@@ -10087,9 +10048,7 @@ export const $OrgInvitationRead = {
     "id",
     "organization_id",
     "email",
-    "role_id",
-    "role_slug",
-    "role_name",
+    "role",
     "status",
     "invited_by",
     "expires_at",
@@ -10133,20 +10092,8 @@ export const $OrgInvitationReadMinimal = {
       ],
       title: "Inviter Email",
     },
-    role_slug: {
-      anyOf: [
-        {
-          type: "string",
-        },
-        {
-          type: "null",
-        },
-      ],
-      title: "Role Slug",
-    },
-    role_name: {
-      type: "string",
-      title: "Role Name",
+    role: {
+      $ref: "#/components/schemas/OrgRole",
     },
     status: {
       $ref: "#/components/schemas/InvitationStatus",
@@ -10174,8 +10121,7 @@ export const $OrgInvitationReadMinimal = {
     "organization_name",
     "inviter_name",
     "inviter_email",
-    "role_slug",
-    "role_name",
+    "role",
     "status",
     "expires_at",
   ],
@@ -10220,28 +10166,8 @@ export const $OrgMemberRead = {
       format: "email",
       title: "Email",
     },
-    role_id: {
-      anyOf: [
-        {
-          type: "string",
-          format: "uuid",
-        },
-        {
-          type: "null",
-        },
-      ],
-      title: "Role Id",
-    },
-    role_slug: {
-      anyOf: [
-        {
-          type: "string",
-        },
-        {
-          type: "null",
-        },
-      ],
-      title: "Role Slug",
+    role: {
+      $ref: "#/components/schemas/OrgRole",
     },
     is_active: {
       type: "boolean",
@@ -10274,8 +10200,7 @@ export const $OrgMemberRead = {
     "first_name",
     "last_name",
     "email",
-    "role_id",
-    "role_slug",
+    "role",
     "is_active",
     "is_superuser",
     "is_verified",

frontend/src/client/types.gen.ts

@@ -3221,14 +3221,10 @@ export type OrgInvitationAccept = {
 
 /**
  * Request body for creating an organization invitation.
- *
- * Either role_id or role_slug must be provided to specify the role to grant.
- * If both are provided, role_id takes precedence.
  */
 export type OrgInvitationCreate = {
   email: string
-  role_id?: string | null
-  role_slug?: string | null
+  role?: OrgRole
 }
 
 /**
@@ -3238,9 +3234,7 @@ export type OrgInvitationRead = {
   id: string
   organization_id: string
   email: string
-  role_id: string
-  role_slug: string | null
-  role_name: string
+  role: OrgRole
   status: InvitationStatus
   invited_by: string | null
   expires_at: string
@@ -3259,8 +3253,7 @@ export type OrgInvitationReadMinimal = {
   organization_name: string
   inviter_name: string | null
   inviter_email: string | null
-  role_slug: string | null
-  role_name: string
+  role: OrgRole
   status: InvitationStatus
   expires_at: string
   email_matches?: boolean | null
@@ -3271,8 +3264,7 @@ export type OrgMemberRead = {
   first_name: string | null
   last_name: string | null
   email: string
-  role_id: string | null
-  role_slug: string | null
+  role: OrgRole
   is_active: boolean
   is_superuser: boolean
   is_verified: boolean

frontend/src/components/organization/org-invitations-table.tsx

@@ -7,6 +7,7 @@ import { useForm } from "react-hook-form"
 import { z } from "zod"
 import {
   type OrgInvitationRead,
+  type OrgRole,
   organizationGetInvitationToken,
 } from "@/client"
 import {
@@ -67,7 +68,7 @@ import { useOrgInvitations } from "@/lib/hooks"
 
 const invitationFormSchema = z.object({
   email: z.string().email("Invalid email address"),
-  role_slug: z.enum(["member", "admin", "owner"]),
+  role: z.enum(["member", "admin", "owner"]),
 })
 
 type InvitationFormValues = z.infer<typeof invitationFormSchema>
@@ -84,15 +85,15 @@ export function OrgInvitationsTable() {
     resolver: zodResolver(invitationFormSchema),
     defaultValues: {
       email: "",
-      role_slug: "member",
+      role: "member",
     },
   })
 
   const handleCreateInvitation = async (values: InvitationFormValues) => {
     try {
       await createInvitation({
         email: values.email,
-        role_slug: values.role_slug,
+        role: values.role as OrgRole,
       })
       form.reset()
       setIsCreateDialogOpen(false)
@@ -175,7 +176,7 @@ export function OrgInvitationsTable() {
                   />
                   <FormField
                     control={form.control}
-                    name="role_slug"
+                    name="role"
                     render={({ field }) => (
                       <FormItem>
                         <FormLabel>Role</FormLabel>
@@ -248,7 +249,7 @@ export function OrgInvitationsTable() {
               enableHiding: false,
             },
             {
-              accessorKey: "role_name",
+              accessorKey: "role",
               header: ({ column }) => (
                 <DataTableColumnHeader
                   className="text-xs"
@@ -258,7 +259,7 @@ export function OrgInvitationsTable() {
               ),
               cell: ({ row }) => (
                 <div className="text-xs capitalize">
-                  {row.getValue<OrgInvitationRead["role_name"]>("role_name")}
+                  {row.getValue<OrgInvitationRead["role"]>("role")}
                 </div>
               ),
               enableSorting: true,

frontend/src/components/organization/org-members-table.tsx

@@ -59,7 +59,7 @@ export function OrgMembersTable() {
   const handleChangeRole = async (role: UserRole) => {
     try {
       if (selectedMember) {
-        if (selectedMember.role_slug === role) {
+        if (selectedMember.role === role) {
           toast({
             title: "Update skipped",
             description: `User ${selectedMember.email} is already a ${role} member`,
@@ -161,7 +161,7 @@ export function OrgMembersTable() {
               enableHiding: false,
             },
             {
-              accessorKey: "role_slug",
+              accessorKey: "role",
               header: ({ column }) => (
                 <DataTableColumnHeader
                   className="text-xs"
@@ -171,7 +171,7 @@ export function OrgMembersTable() {
               ),
               cell: ({ row }) => (
                 <div className="text-xs capitalize">
-                  {row.getValue<OrgMemberRead["role_slug"]>("role_slug") || "-"}
+                  {row.getValue<OrgMemberRead["role"]>("role")}
                 </div>
               ),
               enableSorting: true,

frontend/src/hooks/use-org-membership.ts

@@ -26,7 +26,7 @@ export function useOrgMembership() {
 
   // Check if user has org-level admin/owner role (not platform admin)
   const hasOrgAdminRole =
-    membership?.role_slug === "admin" || membership?.role_slug === "owner"
+    membership?.role === "admin" || membership?.role === "owner"
 
   // Check if user can administer the org (platform admin OR org admin/owner)
   const canAdministerOrg = user?.isPlatformAdmin() || hasOrgAdminRole

packages/tracecat-ee/tracecat_ee/admin/organizations/service.py

@@ -11,7 +11,6 @@
 from sqlalchemy.orm import selectinload
 
 from tracecat.auth.types import AccessLevel, Role
-from tracecat.authz.seeding import seed_system_roles_for_org
 from tracecat.db.models import (
     Organization,
     RegistryRepository,
@@ -48,7 +47,6 @@ async def create_organization(self, params: OrgCreate) -> OrgRead:
             name=params.name,
             slug=params.slug,
         )
-        await seed_system_roles_for_org(self.session, org.id)
         return OrgRead.model_validate(org)
 
     async def get_organization(self, org_id: uuid.UUID) -> OrgRead:

tests/unit/api/test_api_workspaces.py

@@ -10,6 +10,7 @@
 from sqlalchemy.exc import IntegrityError
 
 from tracecat.auth.types import Role
+from tracecat.authz.enums import WorkspaceRole
 from tracecat.authz.service import MembershipWithOrg
 from tracecat.db.models import Workspace
 from tracecat.logger import logger
@@ -174,6 +175,7 @@ async def test_get_workspace_success(
         mock_membership = AsyncMock()
         mock_membership.user_id = test_admin_role.user_id
         mock_membership.workspace_id = mock_workspace_data.id
+        mock_membership.role = WorkspaceRole.ADMIN
         mock_membership_svc.get_membership.return_value = MembershipWithOrg(
             membership=mock_membership, org_id=mock_workspace_data.organization_id
         )