chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: tree_shares.account_id must come from tree owner, not the actor

Browse Source 
- trees.py: change account_id=current_user.account_id →
  account_id=tree.account_id so super-admin cross-account shares land in
  the tree's tenant where RLS will see them.

- migration a05e1a1bea7c: fix backfill to join tree_shares → trees instead
  of tree_shares → users(created_by). Same logic: historical shares belong
  to the tree's tenant.

- test_tree_sharing.py: add test_share_account_id_matches_tree_not_actor
  to assert share.account_id == tree.account_id after POST /share; also
  add missing account_id to all direct TreeShare(...) constructors in
  existing tests.

- test_phase1_migrations.py: remove team_id= from TargetList constructor
  (column dropped in Phase 3).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
chihlasm
2026-04-11 05:17:25 +00:00
parent e05472615b
commit 893b8a5008
4 changed files with 48 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
backend/alembic/versions/a05e1a1bea7c_add_account_id_tree_shares.py
View File

@@ -1,4 +1,8 @@
"""Add account_id to tree_shares and backfill via created_by user.
"""Add account_id to tree_shares and backfill via tree owner's account.
The share belongs to the tree's tenant, not the actor who created it.
A super admin in account A can share a tree owned by account B; that share
must land in account B so account B's RLS filter sees it.
Revision ID: a05e1a1bea7c
Revises: 2a9056eddd90
@@ -21,13 +25,15 @@ def upgrade() -> None:
['account_id'], ['id'], ondelete='CASCADE',
)
# Backfill: derive from the creating user's account
# Backfill: derive from the tree's account, not the creator's account.
# A share lives in the same tenant as its tree so that the tree owner's
# RLS context covers their own shares regardless of who created them.
op.execute("""
UPDATE tree_shares ts
SET account_id = u.account_id
FROM users u
WHERE ts.created_by = u.id
AND u.account_id IS NOT NULL
SET account_id = t.account_id
FROM trees t
WHERE ts.tree_id = t.id
AND t.account_id IS NOT NULL
AND ts.account_id IS NULL
""")