agent-rls: PostgreSQL Row Level Security for tenant isolation
- Migration 0024: RLS + FORCE RLS on 18 tables
- Direct company_id policies: users, departments, companies, absence_types,
audit_logs, kiosk_devices, ldap_configs, smtp_configs, caldav_company_configs,
work_schedules, overtime_balances
- JOIN policies (user_id → company_id): absences, sessions, password_resets,
time_entries, vacation_balances, caldav_user_configs
- public_holidays excluded (global reference table)
- database.py: get_db sets bypass_rls='on' as the default (auth endpoints unchanged)
- dependencies.py: get_current_user sets app.company_id + bypass_rls='off'
for all non-SUPER_ADMIN roles
- migrations/env.py: Alembic migrations use bypass_rls='on'
- tests/conftest.py: override_get_db sets bypass_rls='on' for the test session
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -43,6 +43,10 @@ async def db_session():
async def client(db_session: AsyncSession):
async def override_get_db():
try:
# Tests use a shared session without a real transaction context per
# request. Set bypass_rls = 'on' so that all test queries succeed
# regardless of whether app.company_id is set.
await db_session.execute(text("SET LOCAL app.bypass_rls = 'on'"))
yield db_session
await db_session.commit()
except Exception:
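Review bot: With `SET LOCAL app.bypass_rls = 'on'` issued in `override_get_db`, every request made through the test client runs with RLS bypassed, so the policies this commit adds are never evaluated by the test suite and a missing or wrong company_id policy would not fail any test. Consider adding at least one test that sets `app.bypass_rls = 'off'` and `app.company_id` for one tenant and asserts that another tenant's rows are not returned. Separately, `SET LOCAL` only lasts until the end of the current transaction, and the comment states there is no real transaction context per request: after `await db_session.commit()`, or a commit inside a handler, the setting no longer applies to later queries on the shared session, so a session-level `SET` or setting the flag in the `db_session` fixture may be closer to what the comment intends.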