automatisch/packages/backend/src/db/migrations/20230615205857_create_permissions.js

const getPermissionForRole = (roleId, subject, actions, conditions = []) =>
  actions.map((action) => ({
    role_id: roleId,
    subject,
    action,
    conditions,
  }));

export async function up(knex) {
  await knex.schema.createTable('permissions', (table) => {
    table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
    table.uuid('role_id').references('id').inTable('roles');
    table.string('action').notNullable();
    table.string('subject').notNullable();
    table.jsonb('conditions').notNullable().defaultTo([]);

    table.timestamps(true, true);
  });

  const roles = await knex('roles').select(['id', 'key']);

  for (const role of roles) {
    // `admin` role should have no conditions unlike others by default
    const isAdmin = role.key === 'admin';
    const roleConditions = isAdmin ? [] : ['isCreator'];

    // default permissions
    await knex('permissions').insert([
      ...getPermissionForRole(
        role.id,
        'Connection',
        ['create', 'read', 'delete', 'update'],
        roleConditions
      ),
      ...getPermissionForRole(role.id, 'Execution', ['read'], roleConditions),
      ...getPermissionForRole(
        role.id,
        'Flow',
        ['create', 'delete', 'publish', 'read', 'update'],
        roleConditions
      ),
    ]);

    // admin specific permission
    if (isAdmin) {
      await knex('permissions').insert([
        ...getPermissionForRole(role.id, 'User', [
          'create',
          'read',
          'delete',
          'update',
        ]),
        ...getPermissionForRole(role.id, 'Role', [
          'create',
          'read',
          'delete',
          'update',
        ]),
      ]);
    }
  }
}

export async function down(knex) {
  return knex.schema.dropTable('permissions');
}