Add Role.sync_users flag and make importer logic honor it

rattail/db/alembic/versions/678a32b6cb19_add_role_sync_users.py

@@ -0,0 +1,35 @@
+# -*- coding: utf-8; -*-
+"""add role.sync_users
+
+Revision ID: 678a32b6cb19
+Revises: 43b9e0a6c14e
+Create Date: 2021-11-13 14:52:37.243794
+
+"""
+
+from __future__ import unicode_literals, absolute_import
+
+# revision identifiers, used by Alembic.
+revision = '678a32b6cb19'
+down_revision = '43b9e0a6c14e'
+branch_labels = None
+depends_on = None
+
+from alembic import op
+import sqlalchemy as sa
+import rattail.db.types
+
+
+
+def upgrade():
+
+    # role
+    op.add_column('role', sa.Column('sync_users', sa.Boolean(), nullable=True))
+    op.add_column('role_version', sa.Column('sync_users', sa.Boolean(), autoincrement=False, nullable=True))
+
+
+def downgrade():
+
+    # role
+    op.drop_column('role_version', 'sync_users')
+    op.drop_column('role', 'sync_users')

rattail/db/model/users.py

@@ -64,17 +64,27 @@ class Role(Base):
     """)
 
     sync_me = sa.Column(sa.Boolean(), nullable=True, doc="""
-    Flag indicating that this Role (and its user-ship, and
-    permissions) should be synced across all nodes.
+    Flag indicating that the Role - its primary attributes, and list
+    of permissions - should be synced across all nodes.
 
-    So if set, when the role changes at one node that change should
-    propagate to all other nodes.  This includes "proper" changes e.g.
-    to the role name, but also when any users are added to or removed
-    from the role, that fact also should propagate.  Additionally,
-    when permissions are granted to or revoked from the role, that
-    should propagate.
+    So if set, when the role changes at one node then that change
+    should propagate to all other nodes.
 
-    See also :attr:`node_type`.
+    Note that this does *not* include the user list by default; see
+    :attr:`sync_users` to add that.
+
+    Note that if this flag is set, the role will be synced to *all*
+    nodes regardless of node type.  See also :attr:`node_type`.
+    """)
+
+    sync_users = sa.Column(sa.Boolean(), nullable=True, doc="""
+    Flag indicating that the user list for the role should be synced
+    across all nodes.  This has no effect unless :attr:`sync_me` is
+    also set.
+
+    Note that if this flag is set, the role's user list will be synced
+    to *all* nodes regardless of node type.  See also
+    :attr:`node_type`.
     """)
 
     node_type = sa.Column(sa.String(length=100), nullable=True, doc="""
@@ -83,10 +93,11 @@ class Role(Base):
 
     If set, this value must match a node's configured type, or else it
     will be ignored by that node.  See also
-    :meth:`~rattail.config.RattailConfig.node_type()`.  If there is no
-    value set for this field then the role will be honored by all
-    nodes in which it exists (which is just one unless ``sync_me`` is
-    set, in which case all nodes would have it).
+    :meth:`~rattail.config.RattailConfig.node_type()` for how a node's
+    type is determined.  If there is no value set for this field then
+    the role will be honored by all nodes in which it exists (which is
+    just one unless ``sync_me`` is set, in which case all nodes would
+    have it).
 
     It is useful in combination with ``sync_me`` in that it allows a
     certain role to be "global" (synced) and yet only be "effective"

rattail/importing/rattail.py

@@ -340,7 +340,9 @@ class GlobalRoleImporter(RoleImporter):
         model = self.model
 
         # users
-        if 'users' in self.fields:
+        # nb. we only update users if this role has flag set
+        if 'users' in self.fields and role.sync_users:
+
             new_users = host_data['users']
             old_users = local_data['users'] if local_data else []
             changed = False