paliad

m/paliad

Fork 0

Commit Graph

Author	SHA1	Message	Date
m	b34500ad31	feat(t-paliad-051): split paliad.users.role into job_title + global_role Conflation: paliad.users.role was simultaneously job title (display only) and global permission ('role=admin' checks across Go/SQL/JS). m wanted to set his real job title ('Counsel Knowledge Lawyer') without losing admin access — the t-paliad-050 admin-team UI even rejected role='admin' on edit, so any UI-driven update silently demoted m. Per m's three-axis principle ("firm roles are not project roles are not tool roles"), this lands TWO orthogonal columns: * paliad.users.job_title — free text, NULL allowed, display only. NEVER gates anything in code or SQL. * paliad.users.global_role — CHECK ('standard'\|'global_admin'), default 'standard'. The only thing that gates ops. Migration 023: * Drops NOT NULL + 'associate' default off the legacy role column * Promotes role='admin' rows to global_role='global_admin'; clears their role text; sets m's job_title='Counsel Knowledge Lawyer' * Renames role -> job_title with CHECK (job_title IS NULL OR <> '') * Replaces can_see_project body with global_role='global_admin' * CASCADE-rebuilds every RLS policy under canonical English names — with the historic u.role IN ('partner','admin') gates simplified to u.global_role='global_admin' only (job_title NEVER gates) Code surface: * internal/models/models.go: User.Role -> User.JobTitle (string) + User.GlobalRole (string) internal/services/user_service.go: bootstrap (first row promoted to global_admin via pg_advisory_xact_lock(7346298141), unchanged constant); UpdateProfile drops role, accepts job_title only; AdminUpdateUser adds global_role with last-admin demotion guard (ErrLastGlobalAdmin); IsAdmin reads global_role * Other services (dashboard/agenda/appointment/project/deadline/ department/party/note/checklist_instance): pass user.GlobalRole into visibility predicates; partner-or-admin gates simplified to global_admin only * Handlers: drop now-impossible ErrAdminBootstrapOnly cases; admin_users handles ErrLastGlobalAdmin -> 409 * department_service: SQL u.role -> u.job_title, DepartmentMember.Role -> JobTitle (string) Frontend: /api/me + Me interfaces ship {job_title, global_role} * Onboarding form: 'Berufsbezeichnung / Job title' (job_title) * Settings + admin-team forms: same renames + i18n updates * Admin-team: new 'Berechtigung / Permission' column with 'Standard'\|'Global Admin' badge + dropdown editor; last-admin demotion guard at the UI layer * Sidebar admin-section reveal: me.global_role==='global_admin' * deadlines/deadlines-detail/projects-detail/notes: partner-as-permission gates dropped, only global_admin grants those operations Tests: * user_service_test: bootstrap promotes first user to global_admin, subsequent default to standard; AdminUpdateUser refuses to demote the last global_admin; IsAdmin reads global_role Migration applied to ydb 2026-04-27. Live state verified: * m: job_title='Counsel Knowledge Lawyer', global_role='global_admin' * tester: job_title=NULL, global_role='global_admin' * 29 stub colleagues: job_title='associate', global_role='standard'	2026-04-27 14:59:03 +02:00
m	aec150f1cd	design(t-paliad-051): split paliad.users.role into job_title + global_role Conflation today: paliad.users.role is simultaneously job title (display only), global permission (`role='admin'` checks across Go/SQL/JS), and not-quite-but- sort-of project_teams.role (already separated). m wants to record his real job title ("Counsel Knowledge Lawyer") without losing admin access — the existing admin-team UI even rejects role='admin' on edit, so any UI-driven update silently demotes him. Design proposes: - Rename paliad.users.role -> paliad.users.job_title (free text, NULL allowed) - Add paliad.users.global_role (CHECK IN ('standard','global_admin'), default 'standard') - Single migration 023 does the rename, populates global_role from the old role, fixes m to job_title='Counsel Knowledge Lawyer', updates can_see_project, rebuilds RLS policies - Inventory of every role='admin' call site across services/handlers/ migrations/frontend bucketed by what migrates vs. what stays - Keeps the existing 'partner' gate as job_title-driven (already broken in prod — "Partner" capital-P vs lowercase 'partner' check; documented as out-of-scope follow-up) - Bootstrap rule (first user becomes admin) keeps the same advisory lock, flips global_role instead of role - API surface: /api/me returns both fields; admin-team UI gets a Permission column with a global_role dropdown + last-admin demotion guard Awaiting m greenlight before implementation phase.	2026-04-27 14:31:15 +02:00

Author

SHA1

Message

Date

b34500ad31

feat(t-paliad-051): split paliad.users.role into job_title + global_role

Conflation: paliad.users.role was simultaneously job title (display only)
and global permission ('role=admin' checks across Go/SQL/JS). m wanted
to set his real job title ('Counsel Knowledge Lawyer') without losing
admin access — the t-paliad-050 admin-team UI even rejected role='admin'
on edit, so any UI-driven update silently demoted m.

Per m's three-axis principle ("firm roles are not project roles are not
tool roles"), this lands TWO orthogonal columns:

* paliad.users.job_title — free text, NULL allowed, display only.
  NEVER gates anything in code or SQL.
* paliad.users.global_role — CHECK ('standard'|'global_admin'),
  default 'standard'. The only thing that gates ops.

Migration 023:
* Drops NOT NULL + 'associate' default off the legacy role column
* Promotes role='admin' rows to global_role='global_admin'; clears
  their role text; sets m's job_title='Counsel Knowledge Lawyer'
* Renames role -> job_title with CHECK (job_title IS NULL OR <> '')
* Replaces can_see_project body with global_role='global_admin'
* CASCADE-rebuilds every RLS policy under canonical English names —
  with the historic u.role IN ('partner','admin') gates simplified
  to u.global_role='global_admin' only (job_title NEVER gates)

Code surface:
* internal/models/models.go: User.Role -> User.JobTitle (*string) +
  User.GlobalRole (string)
* internal/services/user_service.go: bootstrap (first row promoted to
  global_admin via pg_advisory_xact_lock(7346298141), unchanged constant);
  UpdateProfile drops role, accepts job_title only; AdminUpdateUser adds
  global_role with last-admin demotion guard (ErrLastGlobalAdmin);
  IsAdmin reads global_role
* Other services (dashboard/agenda/appointment/project/deadline/
  department/party/note/checklist_instance): pass user.GlobalRole into
  visibility predicates; partner-or-admin gates simplified to
  global_admin only
* Handlers: drop now-impossible ErrAdminBootstrapOnly cases;
  admin_users handles ErrLastGlobalAdmin -> 409
* department_service: SQL u.role -> u.job_title, DepartmentMember.Role
  -> JobTitle (*string)

Frontend:
* /api/me + Me interfaces ship {job_title, global_role}
* Onboarding form: 'Berufsbezeichnung / Job title' (job_title)
* Settings + admin-team forms: same renames + i18n updates
* Admin-team: new 'Berechtigung / Permission' column with
  'Standard'|'Global Admin' badge + dropdown editor; last-admin
  demotion guard at the UI layer
* Sidebar admin-section reveal: me.global_role==='global_admin'
* deadlines/deadlines-detail/projects-detail/notes: partner-as-permission
  gates dropped, only global_admin grants those operations

Tests:
* user_service_test: bootstrap promotes first user to global_admin,
  subsequent default to standard; AdminUpdateUser refuses to demote
  the last global_admin; IsAdmin reads global_role

Migration applied to ydb 2026-04-27. Live state verified:
* m: job_title='Counsel Knowledge Lawyer', global_role='global_admin'
* tester: job_title=NULL, global_role='global_admin'
* 29 stub colleagues: job_title='associate', global_role='standard'

2026-04-27 14:59:03 +02:00

aec150f1cd

design(t-paliad-051): split paliad.users.role into job_title + global_role

Conflation today: paliad.users.role is simultaneously job title (display only),
global permission (`role='admin'` checks across Go/SQL/JS), and not-quite-but-
sort-of project_teams.role (already separated). m wants to record his real job
title ("Counsel Knowledge Lawyer") without losing admin access — the existing
admin-team UI even rejects role='admin' on edit, so any UI-driven update
silently demotes him.

Design proposes:
- Rename paliad.users.role -> paliad.users.job_title (free text, NULL allowed)
- Add paliad.users.global_role (CHECK IN ('standard','global_admin'),
  default 'standard')
- Single migration 023 does the rename, populates global_role from the old
  role, fixes m to job_title='Counsel Knowledge Lawyer', updates
  can_see_project, rebuilds RLS policies
- Inventory of every role='admin' call site across services/handlers/
  migrations/frontend bucketed by what migrates vs. what stays
- Keeps the existing 'partner' gate as job_title-driven (already broken in
  prod — "Partner" capital-P vs lowercase 'partner' check; documented as
  out-of-scope follow-up)
- Bootstrap rule (first user becomes admin) keeps the same advisory lock,
  flips global_role instead of role
- API surface: /api/me returns both fields; admin-team UI gets a Permission
  column with a global_role dropdown + last-admin demotion guard

Awaiting m greenlight before implementation phase.

2026-04-27 14:31:15 +02:00

2 Commits