flip_api.db.seed.role_permissions
=================================

.. py:module:: flip_api.db.seed.role_permissions


Functions
---------

.. autoapisummary::

   flip_api.db.seed.role_permissions._grant_permissions
   flip_api.db.seed.role_permissions.seed_role_permissions


Module Contents
---------------

.. py:function:: _grant_permissions(session: sqlmodel.Session, role_id: uuid.UUID, permission_ids: list[uuid.UUID]) -> None

   Grant a role a set of permissions, skipping pairs already present.

   Matches the check-then-insert idempotency pattern used by ``seed_roles``
   and ``seed_permissions``: avoids relying on IntegrityError recovery and
   stays DB-driver agnostic.

   :param session: Database session.
   :type session: Session
   :param role_id: Role receiving the permissions.
   :type role_id: UUID
   :param permission_ids: Permissions to grant.
   :type permission_ids: list[UUID]

   :returns: None


.. py:function:: seed_role_permissions(session: sqlmodel.Session) -> None

   Seed role/permission intersections.

   Idempotent: running against a populated DB inserts only the missing
   pairs. Does not remove permissions that have been taken out of the seed
   (that would need an explicit migration, not a seed).

   - Admin: every permission defined in ``PermissionRef``.
   - Researcher: ``CAN_CREATE_PROJECTS`` only. ``CAN_MANAGE_PROJECTS`` is
     reserved for Admin — it bypasses per-project access checks (see
     issue #358).
   - Viewer: none — read-only access is enforced at the route layer by the
     absence of ``CAN_MANAGE_PROJECTS``.

   :param session: Database session.
   :type session: Session

   :returns: None
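
The check-then-insert pattern and the no-removal behaviour described above, as an added example that is not flip_api's own code. It uses the standard-library ``sqlite3`` module instead of SQLModel; the schema and the helper names ``make_db``, ``grant``, ``seed`` and ``holders`` are assumptions, and only the two permission names come from this page.

```python
import sqlite3
import uuid

# Constructed data: only the two permission names come from the page; the
# schema and the helper names are assumptions made for this example.
PERMISSIONS = ["CAN_CREATE_PROJECTS", "CAN_MANAGE_PROJECTS"]
SEED = {"Admin": PERMISSIONS, "Researcher": ["CAN_CREATE_PROJECTS"], "Viewer": []}

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role(id TEXT PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE permission(id TEXT PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE role_permission(role_id TEXT, permission_id TEXT,
                                     PRIMARY KEY (role_id, permission_id));
    """)
    db.executemany("INSERT INTO role VALUES (?, ?)",
                   [(str(uuid.uuid4()), n) for n in SEED])
    db.executemany("INSERT INTO permission VALUES (?, ?)",
                   [(str(uuid.uuid4()), n) for n in PERMISSIONS])
    return db

def grant(db, role, perms):
    """Check-then-insert; returns the number of pairs actually added."""
    (role_id,) = db.execute("SELECT id FROM role WHERE name = ?", (role,)).fetchone()
    added = 0
    for name in perms:
        (perm_id,) = db.execute(
            "SELECT id FROM permission WHERE name = ?", (name,)).fetchone()
        pair = (role_id, perm_id)
        if db.execute("SELECT 1 FROM role_permission WHERE role_id = ? "
                      "AND permission_id = ?", pair).fetchone() is None:
            db.execute("INSERT INTO role_permission VALUES (?, ?)", pair)
            added += 1
    return added

def seed(db):
    return sum(grant(db, role, perms) for role, perms in SEED.items())

def holders(db, perm):
    """Audit: roles that hold `perm` in the database, whatever the seed says."""
    rows = db.execute(
        "SELECT r.name FROM role r JOIN role_permission rp ON rp.role_id = r.id "
        "JOIN permission p ON p.id = rp.permission_id "
        "WHERE p.name = ? ORDER BY r.name", (perm,))
    return [name for (name,) in rows]

if __name__ == "__main__":
    db = make_db()
    print(seed(db), seed(db), holders(db, "CAN_MANAGE_PROJECTS"))
```

Because the seed only inserts, a ``CAN_MANAGE_PROJECTS`` grant left over from an earlier seed survives every rerun. A query like ``holders`` is one way to confirm the permission is still limited to Admin after a seed change.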