fix(invitations): create user role assignment on invite

Author: jordan-umusu

alembic/versions/4bb7e59026f3_drop_role_from_membership_and_.py

@@ -111,18 +111,31 @@ def upgrade() -> None:
 
 def downgrade() -> None:
     # ### commands auto generated by Alembic - please adjust! ###
+    #
+    # This downgrade restores the original enum-based role columns by:
+    # 1. Creating the enum types
+    # 2. Adding role columns as nullable
+    # 3. Populating role values from role_id via the role table
+    # 4. Making the columns NOT NULL
+    # 5. Dropping the role_id columns and constraints
+    #
+    # Note: The original schema did NOT have server_default on invitation/org_invitation
+    # role columns, but membership/org_membership did have defaults.
+
+    # Step 1: Create enum types
     sa.Enum("VIEWER", "EDITOR", "ADMIN", name="workspacerole").create(op.get_bind())
     sa.Enum("MEMBER", "ADMIN", "OWNER", name="orgrole").create(op.get_bind())
+
+    # Step 2: Add role columns as nullable
     op.add_column(
         "organization_membership",
         sa.Column(
             "role",
             postgresql.ENUM(
                 "MEMBER", "ADMIN", "OWNER", name="orgrole", create_type=False
             ),
-            server_default=sa.text("'MEMBER'::orgrole"),
             autoincrement=False,
-            nullable=False,
+            nullable=True,
         ),
     )
     op.add_column(
@@ -133,28 +146,18 @@ def downgrade() -> None:
                 "MEMBER", "ADMIN", "OWNER", name="orgrole", create_type=False
             ),
             autoincrement=False,
-            nullable=False,
+            nullable=True,
         ),
     )
-    op.drop_constraint(
-        op.f("fk_organization_invitation_role_id_role"),
-        "organization_invitation",
-        type_="foreignkey",
-    )
-    op.drop_index(
-        op.f("ix_organization_invitation_role_id"), table_name="organization_invitation"
-    )
-    op.drop_column("organization_invitation", "role_id")
     op.add_column(
         "membership",
         sa.Column(
             "role",
             postgresql.ENUM(
                 "VIEWER", "EDITOR", "ADMIN", name="workspacerole", create_type=False
             ),
-            server_default=sa.text("'EDITOR'::workspacerole"),
             autoincrement=False,
-            nullable=False,
+            nullable=True,
         ),
     )
     op.add_column(
@@ -165,9 +168,77 @@ def downgrade() -> None:
                 "VIEWER", "EDITOR", "ADMIN", name="workspacerole", create_type=False
             ),
             autoincrement=False,
-            nullable=False,
+            nullable=True,
         ),
     )
+
+    # Step 3: Populate role values from role_id via the role table
+    # Organization membership: role_id -> role.slug -> uppercase enum
+    op.execute(
+        """
+        UPDATE organization_membership om
+        SET role = UPPER(r.slug)::orgrole
+        FROM role r
+        WHERE om.role_id = r.id
+        """
+    )
+
+    # Organization invitation: role_id -> role.slug -> uppercase enum
+    op.execute(
+        """
+        UPDATE organization_invitation oi
+        SET role = UPPER(r.slug)::orgrole
+        FROM role r
+        WHERE oi.role_id = r.id
+        """
+    )
+
+    # Workspace membership: role_id -> role.slug -> uppercase enum
+    op.execute(
+        """
+        UPDATE membership m
+        SET role = UPPER(r.slug)::workspacerole
+        FROM role r
+        WHERE m.role_id = r.id
+        """
+    )
+
+    # Workspace invitation: role_id -> role.slug -> uppercase enum
+    op.execute(
+        """
+        UPDATE invitation i
+        SET role = UPPER(r.slug)::workspacerole
+        FROM role r
+        WHERE i.role_id = r.id
+        """
+    )
+
+    # Step 4: Make columns NOT NULL and add server_default where original schema had it
+    op.alter_column("organization_membership", "role", nullable=False)
+    op.alter_column(
+        "organization_membership",
+        "role",
+        server_default=sa.text("'MEMBER'::orgrole"),
+    )
+    op.alter_column("organization_invitation", "role", nullable=False)
+    op.alter_column("membership", "role", nullable=False)
+    op.alter_column(
+        "membership",
+        "role",
+        server_default=sa.text("'EDITOR'::workspacerole"),
+    )
+    op.alter_column("invitation", "role", nullable=False)
+
+    # Step 5: Drop role_id columns and constraints
+    op.drop_constraint(
+        op.f("fk_organization_invitation_role_id_role"),
+        "organization_invitation",
+        type_="foreignkey",
+    )
+    op.drop_index(
+        op.f("ix_organization_invitation_role_id"), table_name="organization_invitation"
+    )
+    op.drop_column("organization_invitation", "role_id")
     op.drop_constraint(
         op.f("fk_invitation_role_id_role"), "invitation", type_="foreignkey"
     )

tests/unit/test_authz_seeding.py

@@ -25,7 +25,7 @@ async def test_seed_system_scopes(session):
     # Verify scopes exist in database
     result = await session.execute(
         select(Scope).where(
-            Scope.source == ScopeSource.SYSTEM,
+            Scope.source == ScopeSource.PLATFORM,
             Scope.organization_id.is_(None),
         )
     )
@@ -52,7 +52,7 @@ async def test_seed_system_scopes_idempotent(session):
     # Verify count is still the same
     result = await session.execute(
         select(Scope).where(
-            Scope.source == ScopeSource.SYSTEM,
+            Scope.source == ScopeSource.PLATFORM,
             Scope.organization_id.is_(None),
         )
     )
@@ -72,7 +72,7 @@ async def test_seed_registry_scope(session):
     assert scope.name == f"action:{action_key}:execute"
     assert scope.resource == "action"
     assert scope.action == "execute"
-    assert scope.source == ScopeSource.REGISTRY
+    assert scope.source == ScopeSource.PLATFORM
     assert scope.source_ref == action_key
     assert scope.organization_id is None
 
@@ -112,7 +112,7 @@ async def test_seed_registry_scopes_bulk(session):
     # Verify scopes exist
     result = await session.execute(
         select(Scope).where(
-            Scope.source == ScopeSource.REGISTRY,
+            Scope.source == ScopeSource.PLATFORM,
             Scope.organization_id.is_(None),
         )
     )

tracecat/authz/controls.py

@@ -1,11 +1,12 @@
 import asyncio
 import functools
 import re
+import warnings
 from collections.abc import Callable, Coroutine
 from fnmatch import fnmatch
 from typing import Any, Protocol, TypeVar, cast, runtime_checkable
 
-from tracecat.auth.types import Role
+from tracecat.auth.types import AccessLevel, Role
 from tracecat.authz.enums import OrgRole, WorkspaceRole
 from tracecat.contexts import ctx_role
 from tracecat.exceptions import ScopeDeniedError, TracecatAuthorizationError
@@ -122,6 +123,54 @@ class HasRole(Protocol):
     role: Role
 
 
+def require_access_level(level: AccessLevel) -> Callable[[T], T]:
+    """Decorator that protects a `Service` method with a minimum access level requirement.
+
+    If the caller does not have at least the required access level, a TracecatAuthorizationError is raised.
+
+    .. deprecated::
+        Use `@require_scope` instead. This decorator will be removed in a future version.
+    """
+    warnings.warn(
+        "require_access_level is deprecated, use require_scope instead",
+        DeprecationWarning,
+        stacklevel=2,
+    )
+
+    def check(self: HasRole):
+        if not hasattr(self, "role"):
+            raise AttributeError("Service must have a 'role' attribute")
+
+        if not isinstance(self.role, Role):
+            raise ValueError("Invalid role type")
+
+        user_role = self.role
+        if user_role.access_level < level:
+            raise TracecatAuthorizationError(
+                f"User does not have required access level: {level.name}"
+            )
+
+    def decorator(fn: T) -> T:
+        if asyncio.iscoroutinefunction(fn):
+
+            @functools.wraps(fn)
+            async def async_wrapper(self: HasRole, *args, **kwargs):
+                check(self)
+                return await fn(self, *args, **kwargs)
+
+            return cast(T, async_wrapper)
+        else:
+
+            @functools.wraps(fn)
+            def sync_wrapper(self: HasRole, *args, **kwargs):
+                check(self)
+                return fn(self, *args, **kwargs)
+
+            return cast(T, sync_wrapper)
+
+    return decorator
+
+
 def require_org_role(*roles: OrgRole) -> Callable[[T], T]:
     """Decorator that protects a Service method with an org role requirement.