hypothesis · seanh · Oct 18, 2024 · seanh · Oct 18, 2024 · marcospri
diff --git a/h/models/__init__.py b/h/models/__init__.py
@@ -30,7 +30,7 @@
 from h.models.feature import Feature
 from h.models.feature_cohort import FeatureCohort, FeatureCohortUser
 from h.models.flag import Flag
-from h.models.group import Group, GroupMembership
+from h.models.group import Group, GroupMembership, GroupMembershipRoles
 from h.models.group_scope import GroupScope
 from h.models.job import Job
 from h.models.organization import Organization

diff --git a/h/models/group.py b/h/models/group.py
@@ -4,6 +4,7 @@
 
 import slugify
 import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import JSONB
 
 from h import pubid
 from h.db import Base, mixins
@@ -33,6 +34,15 @@ class WriteableBy(enum.Enum):
     members = "members"
 
 
+class GroupMembershipRoles(enum.StrEnum):
+    """The valid role strings that're allowed in the GroupMembership.roles column."""
+
+    MEMBER = "member"
+    MODERATOR = "moderator"
+    ADMIN = "admin"
+    OWNER = "owner"
+
+
 class GroupMembership(Base):
     __tablename__ = "user_group"
 
@@ -47,6 +57,17 @@ class GroupMembership(Base):
         nullable=False,
         index=True,
     )
+    roles = sa.Column(
+        JSONB,
+        sa.CheckConstraint(
+            " OR ".join(
+                f"""(roles = '["{role}"]'::jsonb)""" for role in GroupMembershipRoles
+            ),
+            name="validate_role_strings",
+        ),
+        server_default=sa.text("""'["member"]'::jsonb"""),
+        nullable=False,
+    )
 
 
 class Group(Base, mixins.Timestamps):

diff --git a/tests/unit/h/models/group_test.py b/tests/unit/h/models/group_test.py
@@ -1,4 +1,5 @@
 import pytest
+from sqlalchemy.exc import IntegrityError
 
 from h import models
 from h.models.group import (
@@ -218,6 +219,64 @@ def test_non_public_group():
     assert not group.is_public
 
 
+class TestGroupMembership:
+    def test_defaults(self, db_session, user, group):
+        membership = models.GroupMembership(user_id=user.id, group_id=group.id)
+        db_session.add(membership)
+
+        db_session.flush()
+        assert membership.id
+        assert membership.user_id == user.id
+        assert membership.group_id == group.id
+        assert membership.roles == ["member"]
+
+    @pytest.mark.parametrize(
+        "roles",
+        (
+            ["member"],
+            ["moderator"],
+            ["admin"],
+            ["owner"],
+        ),
+    )
+    def test_custom_roles(self, db_session, user, group, roles):
+        membership = models.GroupMembership(
+            user_id=user.id, group_id=group.id, roles=roles
+        )
+        db_session.add(membership)
+
+        db_session.flush()
+        assert membership.roles == roles
+
+    @pytest.mark.parametrize(
+        "roles",
+        (
+            ["unknown_role"],
+            ["moderator", "admin"],  # Two valid roles, only one role is allowed.
+            [],  # Every membership must have at least one role.
+        ),
+    )
+    def test_invalid_roles(self, db_session, user, group, roles):
+        membership = models.GroupMembership(
+            user_id=user.id, group_id=group.id, roles=roles
+        )
+        db_session.add(membership)
+
+        with pytest.raises(
+            IntegrityError,
+            match='new row for relation "user_group" violates check constraint "ck__user_group__validate_role_strings"',
+        ):
+            db_session.flush()
+
+    @pytest.fixture
+    def user(self, factories):
+        return factories.User()
+
+    @pytest.fixture
+    def group(self, factories):
+        return factories.Group()
+
+
 @pytest.fixture()
 def organization(factories):
     return factories.Organization()