Merge pull request #2897 from data-for-change/dev

ziv17 · web-flow · commit 63702a59d47a · 2026-01-15T10:01:13.000+02:00
Merge dev to master
diff --git a/alembic/versions/b7c8d9e0f1a2_add_app_composite_foreign_keys.py b/alembic/versions/b7c8d9e0f1a2_add_app_composite_foreign_keys.py
@@ -0,0 +1,100 @@
+"""Add app-aware composite foreign keys to user association tables
+
+Revision ID: b7c8d9e0f1a2
+Revises: a1b2c3d4e5f6
+Create Date: 2026-01-02 12:00:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision = 'b7c8d9e0f1a2'
+down_revision = 'a1b2c3d4e5f6'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    """
+    Add composite foreign key constraints to ensure app-level data integrity.
+    This ensures that:
+    - users_to_roles references only users and roles from the same app
+    - users_to_organizations references only users and organizations from the same app
+    - users_to_grants references only users and grants from the same app
+    """
+
+    # First, add unique constraints on (id, app) for the referenced tables
+    # These are needed for composite foreign keys
+    op.create_index('ix_users_id_app', 'users', ['id', 'app'], unique=True)
+    op.create_index('ix_roles_id_app', 'roles', ['id', 'app'], unique=True)
+    op.create_index('ix_organization_id_app', 'organization', ['id', 'app'], unique=True)
+    op.create_index('ix_grants_id_app', 'grants', ['id', 'app'], unique=True)
+
+    # Add composite foreign key constraint to users_to_roles
+    # This ensures user_id and role_id both exist and have matching app values
+    op.create_foreign_key(
+        'fk_users_to_roles_user_app',
+        'users_to_roles', 'users',
+        ['user_id', 'app'], ['id', 'app'],
+        ondelete='CASCADE'
+    )
+
+    op.create_foreign_key(
+        'fk_users_to_roles_role_app',
+        'users_to_roles', 'roles',
+        ['role_id', 'app'], ['id', 'app'],
+        ondelete='CASCADE'
+    )
+
+    # Add composite foreign key constraint to users_to_organizations
+    # This ensures user_id and organization_id both exist and have matching app values
+    op.create_foreign_key(
+        'fk_users_to_organizations_user_app',
+        'users_to_organizations', 'users',
+        ['user_id', 'app'], ['id', 'app'],
+        ondelete='CASCADE'
+    )
+
+    op.create_foreign_key(
+        'fk_users_to_organizations_org_app',
+        'users_to_organizations', 'organization',
+        ['organization_id', 'app'], ['id', 'app'],
+        ondelete='CASCADE'
+    )
+
+    # Add composite foreign key constraint to users_to_grants
+    # This ensures user_id and grant_id both exist and have matching app values
+    op.create_foreign_key(
+        'fk_users_to_grants_user_app',
+        'users_to_grants', 'users',
+        ['user_id', 'app'], ['id', 'app'],
+        ondelete='CASCADE'
+    )
+
+    op.create_foreign_key(
+        'fk_users_to_grants_grant_app',
+        'users_to_grants', 'grants',
+        ['grant_id', 'app'], ['id', 'app'],
+        ondelete='CASCADE'
+    )
+
+
+def downgrade():
+    """
+    Remove composite foreign key constraints and unique indexes.
+    """
+
+    # Drop foreign key constraints
+    op.drop_constraint('fk_users_to_grants_grant_app', 'users_to_grants', type_='foreignkey')
+    op.drop_constraint('fk_users_to_grants_user_app', 'users_to_grants', type_='foreignkey')
+    op.drop_constraint('fk_users_to_organizations_org_app', 'users_to_organizations', type_='foreignkey')
+    op.drop_constraint('fk_users_to_organizations_user_app', 'users_to_organizations', type_='foreignkey')
+    op.drop_constraint('fk_users_to_roles_role_app', 'users_to_roles', type_='foreignkey')
+    op.drop_constraint('fk_users_to_roles_user_app', 'users_to_roles', type_='foreignkey')
+
+    # Drop unique indexes
+    op.drop_index('ix_grants_id_app', table_name='grants')
+    op.drop_index('ix_organization_id_app', table_name='organization')
+    op.drop_index('ix_roles_id_app', table_name='roles')
+    op.drop_index('ix_users_id_app', table_name='users')
diff --git a/anyway/error_code_and_strings.py b/anyway/error_code_and_strings.py
@@ -45,7 +45,7 @@ class Errors:
     Errors.BR_ONLY_SUPPORT_GOOGLE: "Google is the only supported OAuth 2.0 provider.",
     Errors.BR_UNKNOWN_FIELD: "Bad Request (Unknown field {}).",
     Errors.BR_NAME_MISSING: "Bad Request (Name is missing from request json).",
-    Errors.BR_NOT_EXIST: "Bad Request ({} doesn't exist in DB).",
+    Errors.BR_NOT_EXIST: "Bad Request ({} doesn't exist in DB for requested app).",
     Errors.BR_USER_NOT_FOUND: "Bad Request (User(email:{}) not found).",
     Errors.BR_USER_ALREADY_IN: "Bad Request (User is already in {}).",
     Errors.BR_MISSING_PERMISSION: "Bad Request (User is missing permission to access this resource).",
