fix: align network map builder with account isolation

2026-04-12 05:05:27 +00:00
parent bb24078d60
commit 3c2b1dd16e
10 changed files with 207 additions and 58 deletions
--- a/backend/alembic/versions/074_add_network_diagrams_table.py
+++ b/backend/alembic/versions/074_add_network_diagrams_table.py
@@ -2,7 +2,7 @@

 Revision ID: 074
 Revises: 073
-Create Date: 2026-04-04
+Create Date: 2026-04-12
 """
 from alembic import op
 import sqlalchemy as sa
@@ -14,12 +14,19 @@ down_revision = "073"
 branch_labels = None
 depends_on = None

+_CURRENT_ACCOUNT = (
+    "COALESCE("
+    "NULLIF(current_setting('app.current_account_id', TRUE), ''), "
+    "'00000000-0000-0000-0000-000000000000'"
+    ")::uuid"
+)
+

 def upgrade() -> None:
    op.create_table(
        "network_diagrams",
        sa.Column("id", UUID(as_uuid=True), primary_key=True, server_default=sa.text("gen_random_uuid()")),
-        sa.Column("team_id", UUID(as_uuid=True), sa.ForeignKey("teams.id", ondelete="CASCADE"), nullable=False),
+        sa.Column("account_id", UUID(as_uuid=True), sa.ForeignKey("accounts.id", ondelete="CASCADE"), nullable=False),
        sa.Column("name", sa.String(255), nullable=False),
        sa.Column("client_name", sa.String(255), nullable=True),
        sa.Column("asset_name", sa.String(255), nullable=True),
@@ -33,9 +40,18 @@ def upgrade() -> None:
        sa.Column("updated_at", sa.DateTime(timezone=True), server_default=sa.text("now()")),
    )

-    op.create_index("idx_network_diagrams_team", "network_diagrams", ["team_id"])
-    op.create_index("idx_network_diagrams_client", "network_diagrams", ["team_id", "client_name"])
+    op.create_index("ix_network_diagrams_account_id", "network_diagrams", ["account_id"])
+    op.create_index("idx_network_diagrams_account_client", "network_diagrams", ["account_id", "client_name"])
+    op.execute("ALTER TABLE network_diagrams ENABLE ROW LEVEL SECURITY")
+    op.execute("ALTER TABLE network_diagrams FORCE ROW LEVEL SECURITY")
+    op.execute(f"""
+        CREATE POLICY tenant_isolation ON network_diagrams
+        USING (account_id = {_CURRENT_ACCOUNT})
+        WITH CHECK (account_id = {_CURRENT_ACCOUNT})
+    """)


 def downgrade() -> None:
+    op.execute("DROP POLICY IF EXISTS tenant_isolation ON network_diagrams")
+    op.execute("ALTER TABLE network_diagrams DISABLE ROW LEVEL SECURITY")
    op.drop_table("network_diagrams")