flip_api.db.seed.role_permissions

Functions

_grant_permissions(→ None)

Grant a role a set of permissions, skipping pairs already present.

seed_role_permissions(→ None)

Seed role/permission intersections.

Module Contents

flip_api.db.seed.role_permissions._grant_permissions(session: sqlmodel.Session, role_id: uuid.UUID, permission_ids: list[uuid.UUID]) → None

Grant a role a set of permissions, skipping pairs already present.

Matches the check-then-insert idempotency pattern used by seed_roles and seed_permissions: avoids relying on IntegrityError recovery and stays DB-driver agnostic.

Parameters:
  • session (Session) – Database session.

  • role_id (UUID) – Role receiving the permissions.

  • permission_ids (list[UUID]) – Permissions to grant.

Returns:

None

flip_api.db.seed.role_permissions.seed_role_permissions(session: sqlmodel.Session) → None

Seed role/permission intersections.

Idempotent: running against a populated DB inserts only the missing pairs. Does not remove permissions that have been taken out of the seed (that would need an explicit migration, not a seed).

  • Admin: every permission defined in PermissionRef.

  • Researcher: CAN_CREATE_PROJECTS only. CAN_MANAGE_PROJECTS is reserved for Admin — it bypasses per-project access checks (see issue #358).

  • Observer: none — read-only access is enforced at the route layer by the absence of CAN_MANAGE_PROJECTS.

Parameters:

session (Session) – Database session.

Returns:

None
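
Added example, not flip_api code: a stand-alone sketch of the check-then-insert grant and of an audit for grants the seed will never remove, such as a Researcher row still holding CAN_MANAGE_PROJECTS. It uses the standard-library sqlite3 module in place of sqlmodel; the role_permission table, the function names and the two-permission SEED mapping are assumptions constructed for illustration.

```python
import sqlite3

# Constructed seed mapping: only the two permission names mentioned above.
SEED = {
    "Admin": {"CAN_CREATE_PROJECTS", "CAN_MANAGE_PROJECTS"},
    "Researcher": {"CAN_CREATE_PROJECTS"},
    "Observer": set(),
}

def make_db():
    """In-memory stand-in for the role/permission link table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE role_permission ("
        "role TEXT NOT NULL, permission TEXT NOT NULL, "
        "PRIMARY KEY (role, permission))"
    )
    return conn

def grant(conn, role, permissions):
    """Check-then-insert: add only the missing pairs and return how many were added."""
    existing = {p for (p,) in conn.execute(
        "SELECT permission FROM role_permission WHERE role = ?", (role,))}
    missing = sorted(set(permissions) - existing)
    conn.executemany(
        "INSERT INTO role_permission (role, permission) VALUES (?, ?)",
        [(role, p) for p in missing],
    )
    return len(missing)

def seed(conn, mapping=SEED):
    """Apply the whole mapping; a second run inserts nothing."""
    return sum(grant(conn, role, perms) for role, perms in mapping.items())

def stale_grants(conn, mapping=SEED):
    """Pairs present in the DB but absent from the seed; seeding leaves them in place."""
    rows = conn.execute(
        "SELECT role, permission FROM role_permission ORDER BY role, permission")
    return [(r, p) for r, p in rows if p not in mapping.get(r, set())]

def demo():
    conn = make_db()
    # Constructed prior state: a grant that the seed no longer lists for Researcher.
    conn.execute("INSERT INTO role_permission VALUES ('Researcher', 'CAN_MANAGE_PROJECTS')")
    first, second = seed(conn), seed(conn)
    return first, second, stale_grants(conn)
```

Running an audit like stale_grants after seeding shows which rows still need the explicit migration mentioned above.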