sciagent code + Gitea Actions CI/CD
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
-- Policy-sourced admin rows: safe to drop when email leaves AUTH_ADMIN_EMAILS (app reconciliation).
|
||||
-- Apply on existing DBs: docker exec -i initiative-postgres psql -U initiative -d initiatives < be0/migrations/007_user_roles_email_policy_admin.sql
|
||||
-- Fresh docker-compose init: add this file as docker-entrypoint-initdb.d/07_*.sql
|
||||
|
||||
ALTER TABLE user_roles ADD COLUMN IF NOT EXISTS admin_from_email_policy BOOLEAN NOT NULL DEFAULT FALSE;
|
||||
|
||||
COMMENT ON COLUMN user_roles.admin_from_email_policy IS
|
||||
'TRUE when admin was granted by email allow-list (AUTH_ADMIN_EMAILS). Reconciliation may DELETE this row if the user email is no longer in the list. FALSE preserves manually granted admin (future / exceptional).';
|
||||
|
||||
-- One-time cleanup: remove admin for addresses not in the default institutional allow-list
|
||||
-- (must match default in auth_api._DEFAULT_POLICY_ADMIN_EMAILS when AUTH_ADMIN_EMAILS is unset).
|
||||
DELETE FROM user_roles ur
|
||||
USING users u
|
||||
WHERE ur.user_id = u.id
|
||||
AND ur.role::text = 'admin'
|
||||
AND lower(u.email::text) NOT IN (
|
||||
'thaontt@ump.edu.vn',
|
||||
'nltanh@ump.edu.vn',
|
||||
'ldbaochau@ump.edu.vn',
|
||||
'htchuong@ump.edu.vn'
|
||||
);
|
||||
|
||||
UPDATE user_roles ur
|
||||
SET admin_from_email_policy = TRUE
|
||||
FROM users u
|
||||
WHERE ur.user_id = u.id
|
||||
AND ur.role::text = 'admin'
|
||||
AND lower(u.email::text) IN (
|
||||
'thaontt@ump.edu.vn',
|
||||
'nltanh@ump.edu.vn',
|
||||
'ldbaochau@ump.edu.vn',
|
||||
'htchuong@ump.edu.vn'
|
||||
);
|
||||
Reference in New Issue
Block a user