fix(invitations): create user role assignment on invite

Author: jordan-umusu

tests/unit/test_authz_seeding.py

@@ -25,7 +25,7 @@ async def test_seed_system_scopes(session):
     # Verify scopes exist in database
     result = await session.execute(
         select(Scope).where(
-            Scope.source == ScopeSource.SYSTEM,
+            Scope.source == ScopeSource.PLATFORM,
             Scope.organization_id.is_(None),
         )
     )
@@ -52,7 +52,7 @@ async def test_seed_system_scopes_idempotent(session):
     # Verify count is still the same
     result = await session.execute(
         select(Scope).where(
-            Scope.source == ScopeSource.SYSTEM,
+            Scope.source == ScopeSource.PLATFORM,
             Scope.organization_id.is_(None),
         )
     )
@@ -72,7 +72,7 @@ async def test_seed_registry_scope(session):
     assert scope.name == f"action:{action_key}:execute"
     assert scope.resource == "action"
     assert scope.action == "execute"
-    assert scope.source == ScopeSource.REGISTRY
+    assert scope.source == ScopeSource.PLATFORM
     assert scope.source_ref == action_key
     assert scope.organization_id is None
 
@@ -112,7 +112,7 @@ async def test_seed_registry_scopes_bulk(session):
     # Verify scopes exist
     result = await session.execute(
         select(Scope).where(
-            Scope.source == ScopeSource.REGISTRY,
+            Scope.source == ScopeSource.PLATFORM,
             Scope.organization_id.is_(None),
         )
     )

tracecat/authz/controls.py

@@ -1,11 +1,12 @@
 import asyncio
 import functools
 import re
+import warnings
 from collections.abc import Callable, Coroutine
 from fnmatch import fnmatch
 from typing import Any, Protocol, TypeVar, cast, runtime_checkable
 
-from tracecat.auth.types import Role
+from tracecat.auth.types import AccessLevel, Role
 from tracecat.authz.enums import OrgRole, WorkspaceRole
 from tracecat.contexts import ctx_role
 from tracecat.exceptions import ScopeDeniedError, TracecatAuthorizationError
@@ -122,6 +123,54 @@ class HasRole(Protocol):
     role: Role
 
 
+def require_access_level(level: AccessLevel) -> Callable[[T], T]:
+    """Decorator that protects a `Service` method with a minimum access level requirement.
+
+    If the caller does not have at least the required access level, a TracecatAuthorizationError is raised.
+
+    .. deprecated::
+        Use `@require_scope` instead. This decorator will be removed in a future version.
+    """
+    warnings.warn(
+        "require_access_level is deprecated, use require_scope instead",
+        DeprecationWarning,
+        stacklevel=2,
+    )
+
+    def check(self: HasRole):
+        if not hasattr(self, "role"):
+            raise AttributeError("Service must have a 'role' attribute")
+
+        if not isinstance(self.role, Role):
+            raise ValueError("Invalid role type")
+
+        user_role = self.role
+        if user_role.access_level < level:
+            raise TracecatAuthorizationError(
+                f"User does not have required access level: {level.name}"
+            )
+
+    def decorator(fn: T) -> T:
+        if asyncio.iscoroutinefunction(fn):
+
+            @functools.wraps(fn)
+            async def async_wrapper(self: HasRole, *args, **kwargs):
+                check(self)
+                return await fn(self, *args, **kwargs)
+
+            return cast(T, async_wrapper)
+        else:
+
+            @functools.wraps(fn)
+            def sync_wrapper(self: HasRole, *args, **kwargs):
+                check(self)
+                return fn(self, *args, **kwargs)
+
+            return cast(T, sync_wrapper)
+
+    return decorator
+
+
 def require_org_role(*roles: OrgRole) -> Callable[[T], T]:
     """Decorator that protects a Service method with an org role requirement.
 

tracecat/authz/seeding.py

@@ -210,7 +210,7 @@ async def seed_system_scopes(session: AsyncSession) -> int:
             "resource": resource,
             "action": action,
             "description": description,
-            "source": ScopeSource.SYSTEM,
+            "source": ScopeSource.PLATFORM,
             "source_ref": None,
             "organization_id": None,
         }
@@ -244,42 +244,48 @@ async def seed_registry_scope(
 
     Creates a scope for `action:{action_key}:execute` if it doesn't exist.
     Registry scopes have organization_id=NULL and source='registry'.
+    Uses upsert (ON CONFLICT DO NOTHING) for concurrency safety.
 
     Args:
         session: Database session
         action_key: The action key (e.g., "tools.okta.list_users")
         description: Optional description for the scope
 
     Returns:
-        The created or existing Scope, or None if upsert had no effect
+        The created or existing Scope
     """
     scope_name = f"action:{action_key}:execute"
+    scope_id = uuid4()
 
-    # Check if scope already exists
-    stmt = select(Scope).where(
-        Scope.name == scope_name, Scope.organization_id.is_(None)
-    )
-    result = await session.execute(stmt)
-    existing = result.scalar_one_or_none()
-
-    if existing:
-        return existing
-
-    # Create new scope
-    scope = Scope(
-        id=uuid4(),
+    # Use upsert for concurrency safety
+    stmt = pg_insert(Scope).values(
+        id=scope_id,
         name=scope_name,
         resource="action",
         action="execute",
         description=description or f"Execute {action_key} action",
-        source=ScopeSource.REGISTRY,
+        source=ScopeSource.PLATFORM,
         source_ref=action_key,
         organization_id=None,
     )
-    session.add(scope)
+    stmt = stmt.on_conflict_do_nothing(
+        index_elements=["name"], index_where=Scope.organization_id.is_(None)
+    )
+    result = await session.execute(stmt)
     await session.flush()
 
-    logger.debug("Registry scope created", scope_name=scope_name, action_key=action_key)
+    # Re-query to get the scope (whether newly inserted or already existing)
+    select_stmt = select(Scope).where(
+        Scope.name == scope_name, Scope.organization_id.is_(None)
+    )
+    select_result = await session.execute(select_stmt)
+    scope = select_result.scalar_one_or_none()
+
+    if result.rowcount and result.rowcount > 0:  # pyright: ignore[reportAttributeAccessIssue]
+        logger.debug(
+            "Registry scope created", scope_name=scope_name, action_key=action_key
+        )
+
     return scope
 
 
@@ -311,7 +317,7 @@ async def seed_registry_scopes_bulk(
             "resource": "action",
             "action": "execute",
             "description": f"Execute {key} action",
-            "source": ScopeSource.REGISTRY,
+            "source": ScopeSource.PLATFORM,
             "source_ref": key,
             "organization_id": None,
         }
@@ -343,8 +349,9 @@ async def seed_system_roles_for_org(
 ) -> int:
     """Seed system roles (Admin, Editor, Viewer) for an organization.
 
-    Creates the three system roles with their associated scopes if they don't exist.
+    Creates the system roles with their associated scopes if they don't exist.
     System roles are identified by their well-known slugs.
+    Uses upsert (ON CONFLICT DO NOTHING) for concurrency safety.
 
     Args:
         session: Database session
@@ -366,36 +373,52 @@ async def seed_system_roles_for_org(
 
     roles_created = 0
 
-    for slug, name, description, scope_names in PRESET_ROLE_DEFINITIONS:
-        # Check if role already exists
-        existing_stmt = select(Role.id).where(
-            Role.organization_id == organization_id,
-            Role.slug == slug,
+    # Prepare role values with pre-generated IDs
+    role_values = []
+    role_id_by_slug: dict[str, UUID] = {}
+    for slug, name, description, _ in PRESET_ROLE_DEFINITIONS:
+        role_id = uuid4()
+        role_id_by_slug[slug] = role_id
+        role_values.append(
+            {
+                "id": role_id,
+                "name": name,
+                "slug": slug,
+                "description": description,
+                "organization_id": organization_id,
+                "created_by": None,  # System-created
+            }
         )
-        existing_result = await session.execute(existing_stmt)
-        existing_role_id = existing_result.scalar_one_or_none()
 
-        if existing_role_id is not None:
-            logger.debug(
-                "System role already exists",
+    # Bulk upsert roles - concurrency safe
+    role_stmt = pg_insert(Role).values(role_values)
+    role_stmt = role_stmt.on_conflict_do_nothing(
+        index_elements=["organization_id", "slug"]
+    )
+    result = await session.execute(role_stmt)
+    roles_created = result.rowcount if result.rowcount else 0  # pyright: ignore[reportAttributeAccessIssue]
+
+    # Re-query to get actual role IDs (may differ if roles already existed)
+    existing_roles_stmt = select(Role.id, Role.slug).where(
+        Role.organization_id == organization_id,
+        Role.slug.in_([slug for slug, _, _, _ in PRESET_ROLE_DEFINITIONS]),
+    )
+    existing_roles_result = await session.execute(existing_roles_stmt)
+    actual_role_id_by_slug: dict[str | None, UUID] = {
+        slug: role_id for role_id, slug in existing_roles_result.tuples().all()
+    }
+
+    # Link scopes to roles
+    for slug, _, _, scope_names in PRESET_ROLE_DEFINITIONS:
+        role_id = actual_role_id_by_slug.get(slug)
+        if role_id is None:
+            logger.warning(
+                "Role not found after upsert",
                 slug=slug,
                 organization_id=organization_id,
             )
             continue
 
-        # Create the role
-        role = Role(
-            id=uuid4(),
-            name=name,
-            slug=slug,
-            description=description,
-            organization_id=organization_id,
-            created_by=None,  # System-created
-        )
-        session.add(role)
-        await session.flush()  # Get the role ID
-
-        # Link scopes to the role
         role_scope_values = []
         for scope_name in scope_names:
             scope_id = scope_name_to_id.get(scope_name)
@@ -406,21 +429,13 @@ async def seed_system_roles_for_org(
                     role_slug=slug,
                 )
                 continue
-            role_scope_values.append({"role_id": role.id, "scope_id": scope_id})
+            role_scope_values.append({"role_id": role_id, "scope_id": scope_id})
 
         if role_scope_values:
             role_scope_stmt = pg_insert(RoleScope).values(role_scope_values)
             role_scope_stmt = role_scope_stmt.on_conflict_do_nothing()
             await session.execute(role_scope_stmt)
 
-        roles_created += 1
-        logger.debug(
-            "System role created",
-            slug=slug,
-            organization_id=organization_id,
-            num_scopes=len(role_scope_values),
-        )
-
     await session.commit()
     logger.info(
         "System roles seeded for organization",

tracecat/authz/service.py

@@ -70,6 +70,12 @@ async def list_workspace_members(
 
         Roles are looked up from UserRoleAssignment table.
         """
+        # Get workspace to determine organization_id
+        workspace = await self.session.get(Workspace, workspace_id)
+        if workspace is None:
+            return []
+        organization_id = workspace.organization_id
+
         # Get all members of the workspace
         members_stmt = (
             select(User)
@@ -84,6 +90,7 @@ async def list_workspace_members(
 
         # Get role assignments for these users in this workspace
         # Include both workspace-specific assignments and org-wide assignments (workspace_id IS NULL)
+        # Filter by organization_id to ensure we only get roles from this org
         user_ids = [u.id for u in users]
         role_stmt = (
             select(
@@ -94,6 +101,7 @@ async def list_workspace_members(
             .join(RoleModel, UserRoleAssignment.role_id == RoleModel.id)
             .where(
                 UserRoleAssignment.user_id.in_(user_ids),
+                UserRoleAssignment.organization_id == organization_id,
                 or_(
                     UserRoleAssignment.workspace_id == workspace_id,
                     UserRoleAssignment.workspace_id.is_(None),

tracecat/organization/service.py

@@ -22,7 +22,7 @@
     get_user_db_context,
     get_user_manager_context,
 )
-from tracecat.authz.controls import require_access_level
+from tracecat.authz.controls import require_access_level, require_org_role
 from tracecat.authz.enums import OrgRole  # Still used for privilege escalation check
 from tracecat.db.models import (
     AccessToken,
@@ -142,14 +142,22 @@ async def accept_invitation_for_user(
             # Shouldn't reach here, but handle gracefully
             raise TracecatAuthorizationError("Invitation is no longer valid")
 
-        # Create membership
+        # Create membership (role is now tracked via UserRoleAssignment)
         membership = OrganizationMembership(
             user_id=user_id,
             organization_id=invitation.organization_id,
-            role=invitation.role,
         )
         session.add(membership)
 
+        # Create role assignment from invitation
+        role_assignment = UserRoleAssignment(
+            organization_id=invitation.organization_id,
+            user_id=user_id,
+            workspace_id=None,  # NULL = org-level assignment
+            role_id=invitation.role_id,
+        )
+        session.add(role_assignment)
+
         await session.commit()
         await session.refresh(membership)
     except TracecatAuthorizationError:
@@ -176,6 +184,8 @@ async def accept_invitation_for_user(
         )
 
     return membership
+
+
 @dataclass(frozen=True)
 class MemberRoleInfo:
     """Role information for an organization member."""