[Draft] Optimize role creation signal with schema version tracking

[mihow]

Summary

This PR dramatically reduces database overhead during migrations by implementing smart schema version tracking for role permissions.

Key Improvements

• Add RoleSchemaVersion model to track permission schema changes via MD5 hash
• Update create_roles() signal to only run when schema actually changes
• Optimize create_roles_for_project() with bulk database operations
• Add update_roles management command for manual control

Performance Impact

Before Optimization

• Every migration: Loops through ALL projects
• Per project: ~215 DB operations
• 100 projects: ~21,500 operations per migration (regardless of whether permissions changed)
• 1,000 projects: ~215,000 operations per migration
• Time: Minutes for large databases

After Optimization

Normal migrations (99% of cases - no schema changes):

• 1-2 DB queries to check schema version (constant time, not per-project)
• Zero per-project operations
• Time: Milliseconds
• 99.9% reduction in overhead

Schema change migrations (rare - when permissions actually change):

• Per project: ~12-15 DB operations (bulk operations)
• 100 projects: ~1,500 operations
• 1,000 projects: ~15,000 operations
• Time: Seconds to minutes
• 14x faster than before

New projects:

• Unchanged - still automatic via post_save signal

Technical Details

• Schema version is MD5 hash of all Role class names and their permissions
• Migration creates RoleSchemaVersion table and performs initial update
• Bulk operations used:
  • Permission.objects.bulk_create()
  • group.permissions.set()
  • GroupObjectPermission.objects.bulk_create()
• Backwards compatible: All existing functionality preserved

Files Modified

• ami/users/models.py: Add RoleSchemaVersion model with version tracking
• ami/users/roles.py:197: Optimize create_roles_for_project() with bulk operations
• ami/users/signals.py:14: Add conditional schema version check to create_roles()
• ami/users/management/commands/update_roles.py: New management command
• ami/users/migrations/0004_roleschemaversion.py: New migration
• CLAUDE.md: Add Role Permission Management documentation section

Testing

• ✅ Migration creates RoleSchemaVersion table successfully
• ✅ Initial migration updates all projects and records schema version
• ✅ Subsequent migrations skip update when schema hasn't changed
• ✅ New projects automatically get roles via post_save signal
• ✅ Management command works for all projects and specific projects
• ✅ Management command dry-run mode works correctly

Migration Strategy

First deployment with this change:

1. Deploy code changes
2. Run migrations - creates RoleSchemaVersion table
3. Post-migrate signal runs (because schema version is empty)
4. All projects get roles updated with optimized bulk operations
5. Schema version is recorded in database

Subsequent deployments:

1. Run migrations as normal
2. Signal checks schema version automatically
3. Only runs full update if role permissions changed (rare)
4. Most migrations: 1-2 quick queries, zero per-project overhead

Manual Updates

If needed, force update roles for all projects:

docker compose run --rm django python manage.py update_roles

Options:

• --project-id=N - Update specific project only
• --dry-run - Preview changes without applying
• --force - Force update even if groups exist (default: True)

Backwards Compatibility

• ✅ All existing functionality preserved
• ✅ New projects get roles automatically (post_save signal unchanged)
• ✅ Schema changes trigger automatic updates (post_migrate signal enhanced)
• ✅ Zero awareness needed - system automatically detects and handles schema changes

Summary by CodeRabbit

• New Features

  • Added enhanced role and permission management capabilities with support for updating specific or all projects, dry-run mode for previewing changes before applying, and force-update option for re-creating role groups.
  • Introduced role schema version tracking to monitor and record permission schema changes.

• Chores

  • Added database migration to support role schema version tracking infrastructure.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[netlify]

✅ Deploy Preview for antenna-preview canceled.

Name	Link
🔨 Latest commit	766eb28
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/6971e3d42cfe2f0008214e3d

[netlify]

✅ Deploy Preview for antenna-ssec canceled.

Name	Link
🔨 Latest commit	766eb28
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-ssec/deploys/6971e3d4ff355c00087b0afa

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

The changes introduce role schema version tracking to the users app. A new RoleSchemaVersion model persists schema versions, a Django management command enables manual per-project or global role updates with dry-run support, and role creation logic now supports forced updates with bulk permission operations. Signals trigger updates only when schema changes are detected.

Changes

Cohort / File(s)	Summary
Model & Migration ami/users/models.py, ami/users/migrations/0004_roleschemaversion.py	New RoleSchemaVersion model with version, description, and updated_at fields. Includes class methods: get_current_version() to compute schema hash, needs_update() to compare with stored version, and mark_updated() to persist version records. Migration creates the model table.
Management Command ami/users/management/commands/update_roles.py	New Django command to update roles per-project (--project-id), all projects, or dry-run mode. Calls create_roles_for_project() in transactions, reports per-project success/failure, updates RoleSchemaVersion on completion, and displays summary counts.
Role Creation Logic ami/users/roles.py	Added force_update parameter to create_roles_for_project(). Pre-fetches permission codenames, creates missing Permission records in bulk, and conditionally updates Group permissions and Guardian object permissions using bulk operations instead of per-permission create/add calls. Skips updates if group exists and force_update is False.
Signal-Triggered Updates ami/users/signals.py	Added pre-check to only run role creation if RoleSchemaVersion.needs_update() is true. Iterates over projects calling create_roles_for_project(force_update=True) and marks version updated on success. Improved error handling and logging for conditional flow.

Sequence Diagram(s)

sequenceDiagram
    participant Admin as Admin/CLI
    participant Cmd as Management<br/>Command
    participant RoleVer as RoleSchemaVersion
    participant Project as Project
    participant RoleFunc as create_roles_<br/>for_project()
    participant DB as Database

    Admin->>Cmd: Run update_roles (--dry-run/--force)
    Cmd->>Project: Query target projects
    Project-->>Cmd: Project list
    
    loop For each project
        Cmd->>RoleFunc: Call with force_update flag
        RoleFunc->>DB: Fetch Permission codenames
        RoleFunc->>DB: Create missing Permissions (bulk)
        RoleFunc->>DB: Update Group.permissions
        RoleFunc->>DB: Update Guardian object permissions (bulk)
        DB-->>RoleFunc: Success
        RoleFunc-->>Cmd: Complete
    end
    
    alt Not dry-run
        Cmd->>RoleVer: mark_updated()
        RoleVer->>DB: Create RoleSchemaVersion record
        DB-->>RoleVer: Persisted
        RoleVer-->>Cmd: Updated
    end
    
    Cmd->>Cmd: Print summary (updated/failed counts)
    Cmd-->>Admin: Done

Loading

sequenceDiagram
    participant Migration as Post-Migrate<br/>Signal
    participant RoleVer as RoleSchemaVersion
    participant RoleFunc as create_roles_<br/>for_project()
    participant Project as Project
    participant DB as Database

    Migration->>RoleVer: needs_update()?
    RoleVer->>DB: Compare get_current_version() with latest
    DB-->>RoleVer: True/False
    
    alt Schema needs update
        RoleVer-->>Migration: True
        Migration->>Project: Query all projects
        Project-->>Migration: Project list
        
        loop For each project
            Migration->>RoleFunc: Call with force_update=True
            RoleFunc->>DB: Update roles/permissions/groups
            DB-->>RoleFunc: Success
        end
        
        Migration->>RoleVer: mark_updated()
        RoleVer->>DB: Persist version
        DB-->>RoleVer: Recorded
    else No update needed
        RoleVer-->>Migration: False
        Migration->>Migration: Exit (log skip)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hops excitedly through the schema trees

Our roles now versioned, tracked with care,
Bulk permissions dance in the database air,
Dry-runs and forces make updates a breeze,
While signals watch for changes with ease!
Version-aware, the system takes flight, 🚀
Permission schemas polished just right! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is comprehensive and well-structured, covering summary, key improvements, performance metrics, technical details, files modified, testing, and migration strategy—exceeding template requirements.
Title check	✅ Passed	The PR title accurately summarizes the main objectives: optimizing role creation signal and adding schema version tracking to reduce database overhead during migrations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@ami/users/models.py`:
- Around line 89-93: The mark_updated classmethod can raise IntegrityError
because version is unique; change it to atomically ensure a single row per
version by using cls.objects.get_or_create(version=current,
defaults={'description': description}) after computing current via
cls.get_current_version(), or wrap the cls.objects.create call in a transaction
and catch IntegrityError to ignore duplicate inserts; update mark_updated to use
cls.objects.get_or_create(...) (or handle IntegrityError) so concurrent calls
for the same version do not crash.

In `@ami/users/roles.py`:
- Around line 250-260: The delete-then-bulk_create sequence for
GroupObjectPermission can leave permissions missing if bulk_create fails; wrap
the critical section in an atomic transaction (using transaction.atomic) around
the deletion and bulk_create so they succeed or roll back together, e.g., in the
function that builds group_obj_perms and calls
GroupObjectPermission.objects.filter(...).delete() and
GroupObjectPermission.objects.bulk_create(group_obj_perms); ensure to import
django.db.transaction and apply the atomic context there (or add a
savepoint/atomic in the signal handler that invokes this code) so the operation
is executed as one transactional unit.

In `@ami/users/signals.py`:
- Around line 43-49: The code currently calls RoleSchemaVersion.mark_updated()
unconditionally even if some projects failed; change the migration flow in the
function handling the project loop to track failures (e.g., a failed_projects
list or a boolean flag updated_failed) while iterating projects, and only call
RoleSchemaVersion.mark_updated(description="Post-migration role update") when no
failures were recorded; if failures exist, log the failed project ids via
logger.error/info and skip calling mark_updated (or re-raise/return a non-zero
status) so failed projects can be retried or handled manually. Ensure you
reference the existing logger and RoleSchemaVersion.mark_updated symbols and
preserve the existing exception logging behavior for per-project errors.

🧹 Nitpick comments (3)

ami/users/models.py (1)

78-87: Broad exception catch is intentional but could mask unexpected errors.

The except Exception is designed to handle the case where the table doesn't exist during initial migration. However, catching all exceptions may mask other database errors (e.g., connection issues). Consider catching ProgrammingError or OperationalError specifically.

♻️ Suggested improvement

     `@classmethod`
     def needs_update(cls):
         """Check if roles need updating based on schema version."""
         current = cls.get_current_version()
         try:
             latest = cls.objects.first()
             return latest is None or latest.version != current
-        except Exception:
+        except (ProgrammingError, OperationalError):
             # Table doesn't exist yet (first migration)
             return False

Add the import at the top:

from django.db import ProgrammingError, OperationalError

ami/users/signals.py (1)

48-49: Use logger.exception to include traceback.

As flagged by static analysis (TRY400), logger.exception should be used instead of logger.error when logging within an exception handler to include the full traceback.

♻️ Proposed fix

     except Exception as e:
-        logger.error(f"Failed to create roles during migration: {e}")
+        logger.exception(f"Failed to create roles during migration: {e}")

ami/users/management/commands/update_roles.py (1)

13-32: The --force flag defaults to True, making it effectively a no-op.

Since --force has default=True, the flag has no effect unless explicitly set to --no-force (which isn't defined). If the intent is to always force updates by default, consider removing the flag or changing it to --no-force / --skip-existing to allow opting out.

♻️ Option A: Remove redundant flag

-        parser.add_argument(
-            "--force",
-            action="store_true",
-            default=True,
-            help="Force update even if groups already exist (default: True)",
-        )

And update handle:

-        force = options.get("force", True)
+        force = True  # Always force updates in management command

♻️ Option B: Add --skip-existing to opt out

         parser.add_argument(
-            "--force",
-            action="store_true",
-            default=True,
-            help="Force update even if groups already exist (default: True)",
+            "--skip-existing",
+            action="store_true",
+            help="Skip groups that already exist (default: update all)",
         )

-        force = options.get("force", True)
+        force = not options.get("skip_existing", False)

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Potential IntegrityError if mark_updated is called concurrently with same version.

The version field has a unique=True constraint. If mark_updated is called twice with the same schema version (e.g., concurrent migrations or re-runs), it will raise an IntegrityError. Consider using get_or_create or handling the conflict.

🐛 Proposed fix

     `@classmethod`
     def mark_updated(cls, description="Schema updated"):
         """Mark schema as updated to current version."""
         current = cls.get_current_version()
-        cls.objects.create(version=current, description=description)
+        cls.objects.get_or_create(
+            version=current,
+            defaults={"description": description}
+        )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@classmethod
	def mark_updated(cls, description="Schema updated"):
	"""Mark schema as updated to current version."""
	current = cls.get_current_version()
	cls.objects.create(version=current, description=description)
	`@classmethod`
	def mark_updated(cls, description="Schema updated"):
	"""Mark schema as updated to current version."""
	current = cls.get_current_version()
	cls.objects.get_or_create(
	version=current,
	defaults={"description": description}
	)

🤖 Prompt for AI Agents

In `@ami/users/models.py` around lines 89 - 93, The mark_updated classmethod can
raise IntegrityError because version is unique; change it to atomically ensure a
single row per version by using cls.objects.get_or_create(version=current,
defaults={'description': description}) after computing current via
cls.get_current_version(), or wrap the cls.objects.create call in a transaction
and catch IntegrityError to ignore duplicate inserts; update mark_updated to use
cls.objects.get_or_create(...) (or handle IntegrityError) so concurrent calls
for the same version do not crash.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Delete-then-bulk-create pattern could leave inconsistent state on failure.

The delete operation at line 252 followed by bulk_create at line 260 is not atomic within this function. If bulk_create fails (e.g., database error), the existing permissions will already be deleted, leaving the group without object permissions.

The caller (signals.py and management command) wraps this in a transaction for the management command, but the signal handler processes each project in a separate iteration without transaction wrapping around the delete+create.

🐛 Consider wrapping in a savepoint or documenting caller responsibility

+        # Note: Caller should wrap in transaction.atomic() for consistency
         # Bulk update Guardian object permissions
         # Remove all existing, then bulk create new ones
         GroupObjectPermission.objects.filter(group=group, content_type=project_ct, object_pk=project.pk).delete()

         group_obj_perms = [
             GroupObjectPermission(
                 group=group, permission=existing_perms[codename], content_type=project_ct, object_pk=project.pk
             )
             for codename in permissions
         ]
         GroupObjectPermission.objects.bulk_create(group_obj_perms)

Alternatively, wrap the critical section in a savepoint:

from django.db import transaction

with transaction.atomic():
    GroupObjectPermission.objects.filter(...).delete()
    GroupObjectPermission.objects.bulk_create(group_obj_perms)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Bulk update Guardian object permissions
	# Remove all existing, then bulk create new ones
	GroupObjectPermission.objects.filter(group=group, content_type=project_ct, object_pk=project.pk).delete()
	group_obj_perms = [
	GroupObjectPermission(
	group=group, permission=existing_perms[codename], content_type=project_ct, object_pk=project.pk
	)
	for codename in permissions
	]
	GroupObjectPermission.objects.bulk_create(group_obj_perms)
	# Note: Caller should wrap in transaction.atomic() for consistency
	# Bulk update Guardian object permissions
	# Remove all existing, then bulk create new ones
	GroupObjectPermission.objects.filter(group=group, content_type=project_ct, object_pk=project.pk).delete()
	group_obj_perms = [
	GroupObjectPermission(
	group=group, permission=existing_perms[codename], content_type=project_ct, object_pk=project.pk
	)
	for codename in permissions
	]
	GroupObjectPermission.objects.bulk_create(group_obj_perms)

🤖 Prompt for AI Agents

In `@ami/users/roles.py` around lines 250 - 260, The delete-then-bulk_create
sequence for GroupObjectPermission can leave permissions missing if bulk_create
fails; wrap the critical section in an atomic transaction (using
transaction.atomic) around the deletion and bulk_create so they succeed or roll
back together, e.g., in the function that builds group_obj_perms and calls
GroupObjectPermission.objects.filter(...).delete() and
GroupObjectPermission.objects.bulk_create(group_obj_perms); ensure to import
django.db.transaction and apply the atomic context there (or add a
savepoint/atomic in the signal handler that invokes this code) so the operation
is executed as one transactional unit.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Schema marked as updated even when some projects fail.

If some projects fail during the loop (line 40-41), mark_updated is still called at line 45. This means subsequent migrations won't retry the failed projects. Consider either:

1. Not marking as updated if any failures occurred
2. Or documenting that failed projects require manual intervention via the management command

🐛 Suggested approach

+        failed_count = 0
         for project in Project.objects.all():
             try:
                 create_roles_for_project(project, force_update=True)
             except Exception as e:
                 logger.warning(f"Failed to create roles for project {project.pk} ({project.name}): {e}")
+                failed_count += 1
                 continue

-        # Mark schema as updated
-        RoleSchemaVersion.mark_updated(description="Post-migration role update")
-        logger.info(f"Successfully updated roles for {project_count} projects")
+        # Mark schema as updated only if all projects succeeded
+        if failed_count == 0:
+            RoleSchemaVersion.mark_updated(description="Post-migration role update")
+            logger.info(f"Successfully updated roles for {project_count} projects")
+        else:
+            logger.warning(
+                f"Roles updated for {project_count - failed_count}/{project_count} projects. "
+                f"Run 'manage.py update_roles' to retry failed projects."
+            )

🧰 Tools

🪛 Ruff (0.14.13)

48-48: Do not catch blind exception: Exception

(BLE001)

---

49-49: Use logging.exception instead of logging.error

Replace with exception

(TRY400)

🤖 Prompt for AI Agents

In `@ami/users/signals.py` around lines 43 - 49, The code currently calls
RoleSchemaVersion.mark_updated() unconditionally even if some projects failed;
change the migration flow in the function handling the project loop to track
failures (e.g., a failed_projects list or a boolean flag updated_failed) while
iterating projects, and only call
RoleSchemaVersion.mark_updated(description="Post-migration role update") when no
failures were recorded; if failures exist, log the failed project ids via
logger.error/info and skip calling mark_updated (or re-raise/return a non-zero
status) so failed projects can be retried or handled manually. Ensure you
reference the existing logger and RoleSchemaVersion.mark_updated symbols and
preserve the existing exception logging behavior for per-project errors.

[Copilot]

Pull request overview

This PR optimizes role permission management during Django migrations by introducing schema version tracking to avoid unnecessary database operations. Instead of updating roles for all projects on every migration, the system now only performs updates when role permission schemas actually change.

Changes:

• Adds RoleSchemaVersion model with MD5-based schema tracking to detect when role permissions change
• Optimizes create_roles_for_project() function with bulk database operations and conditional updates based on force_update parameter
• Updates create_roles() signal to check schema version before processing projects and marks schema as updated after completion
• Adds update_roles management command for manual role updates with options for specific projects, dry-run mode, and forced updates

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 18 comments.

Show a summary per file

File	Description
ami/users/models.py	Adds RoleSchemaVersion model with version tracking methods
ami/users/roles.py	Optimizes create_roles_for_project() with bulk operations and adds force_update parameter
ami/users/signals.py	Updates create_roles() to conditionally execute based on schema version changes
ami/users/management/commands/update_roles.py	New management command for manual role updates
ami/users/migrations/0004_roleschemaversion.py	Creates RoleSchemaVersion table
ami/users/management/commands/init.py	Empty init file for management commands module
ami/users/management/init.py	Empty init file for management module

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When creating missing permissions with bulk_create, if there's a collision due to ignore_conflicts=True, the newly created permission objects won't have their IDs set. This could cause a KeyError on line 256 when trying to access existing_perms[codename] if the permission was created by another concurrent process but not yet in the refreshed existing_perms dict. Consider using get_or_create for each missing permission, or handle potential KeyErrors when accessing existing_perms.

Suggested change

	# Create any missing permissions
	missing_perms = []
	for codename in all_perm_codenames:
	if codename not in existing_perms:
	missing_perms.append(
	Permission(codename=codename, content_type=project_ct, name=f"Can {codename.replace('_', ' ')}")
	)
	if missing_perms:
	Permission.objects.bulk_create(missing_perms, ignore_conflicts=True)
	# Refresh existing_perms dict after bulk create
	existing_perms = {
	perm.codename: perm
	for perm in Permission.objects.filter(codename__in=all_perm_codenames, content_type=project_ct)
	}
	# Ensure all required permissions exist, handling concurrency safely
	for codename in all_perm_codenames:
	if codename not in existing_perms:
	perm, _ = Permission.objects.get_or_create(
	codename=codename,
	content_type=project_ct,
	defaults={"name": f"Can {codename.replace('_', ' ')}"},
	)
	existing_perms[codename] = perm

[Copilot]

Similar to line 247, if a permission codename is not in existing_perms, this will raise a KeyError when building the GroupObjectPermission objects. This could happen due to race conditions or if the permission creation failed silently.

[Copilot]

When updating a specific project with --project-id, the schema version is not updated (line 85 condition checks "not project_id"). This means if you manually update roles for a specific project when the schema has changed, the schema version won't be marked as updated, and the next migration will still try to update all projects. Consider either always updating the schema version when successful, or adding a warning that single-project updates don't affect schema version tracking.

Suggested change

	self.stdout.write(f"Schema version updated to: {current_version}")
	self.stdout.write(f"Schema version updated to: {current_version}")
	elif success > 0 and project_id:
	# When updating a single project, the global role schema version is not advanced.
	# This means future migrations that rely on RoleSchemaVersion may still run for all projects.
	self.stdout.write(
	self.style.WARNING(
	"Roles were updated for the specified project, but the global role schema "
	"version was NOT updated because --project-id was used. "
	"Run this command without --project-id to advance the global schema version "
	"after all projects have been updated."
	)
	)

[Copilot]

When schema version tracking is first introduced, needs_update() will return False during the initial migration because the table doesn't exist yet (line 87 returns False on exception). This means the first migration won't create roles for existing projects. The PR description mentions "Initial migration updates all projects" but the code logic prevents this from happening. The schema update will only run after the table is created and on subsequent deployments when the schema actually changes.

Suggested change

	return False
	return True

[Copilot]

The bulk operations optimization in create_roles_for_project lacks test coverage. Tests should verify that bulk_create works correctly with ignore_conflicts, that permissions are properly assigned to groups, and that the force_update parameter behaves as expected.

[Copilot]

The --force argument uses action="store_true" with default=True, which is incorrect. With store_true, the default is False, and passing the flag sets it to True. Having default=True means it's always True regardless of whether the flag is passed. To make force default to True but allow users to disable it, use action="store_false" with dest="force" and default=True, or change the flag to --no-force with store_false action.

Suggested change

	"--force",
	action="store_true",
	default=True,
	help="Force update even if groups already exist (default: True)",
	"--no-force",
	action="store_false",
	dest="force",
	default=True,
	help="Do not force update if groups already exist (default: force=True)",

[Copilot]

The new RoleSchemaVersion model and its methods (get_current_version, needs_update, mark_updated) lack test coverage. Given that this is core functionality for the optimization and affects when role updates occur, comprehensive tests should be added to verify version detection, schema change detection, and the update marking behavior.

[Copilot]

The updated create_roles signal with schema version checking lacks test coverage. Tests should verify that roles are only created when the schema changes, that the schema version is properly marked after updates, and that the signal behaves correctly when the RoleSchemaVersion table doesn't exist yet.

[Copilot]

The exception handling here catches all exceptions generically and returns False. This means if the table doesn't exist (expected during first migration), the schema update will be skipped. However, this also silently catches and ignores other database errors or unexpected exceptions. Consider being more specific about which exception to catch (e.g., OperationalError, ProgrammingError for table not existing) and logging unexpected exceptions.

[Copilot]

There's a potential race condition in mark_updated where multiple processes could call this concurrently. Since version has unique=True, if two processes both detect the schema needs updating and both try to create the same version record, one will fail with an IntegrityError. Consider using get_or_create instead of create, or wrapping in try-except to handle the IntegrityError gracefully.

[mihow]

@copilot @coderabbitai Is this overkill? We may change the role / permission schema once per year.

[Copilot]

@mihow I've opened a new pull request, #1098, to work on those changes. Once the pull request is ready, I'll request review from you.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@mihow Great question! The value depends on how often you run migrations vs. how often the schema changes.

The key insight: Even though the role schema changes ~once per year, the current code runs create_roles_for_project() for every project on every migration (via the post-migrate signal). So if you:

• Run migrations frequently (weekly deployments, dev environments, CI/CD)
• Have many projects (10s, 100s, or more)

Then you're paying the full role-update cost on every single migration, even though 99% of those migrations don't touch roles at all.

When this optimization matters:

• High migration frequency × many projects = substantial cumulative overhead
• Example: 50 projects, weekly deployments = 50 × 52 = 2,600 unnecessary project updates per year

When it might be overkill:

• Small project count (< 10 projects)
• Infrequent migrations (monthly or less)
• Fast migration times aren't critical

Middle ground options:

1. Keep just the bulk operations optimization (the roles.py changes) without the version tracking
2. Use a simpler gate: check an environment variable or setting to skip role updates entirely on most migrations, manually trigger when needed
3. Remove the model entirely and use a cached file/timestamp approach

Given the PR also includes the bulk operations optimization (which is valuable regardless), you could consider whether the RoleSchemaVersion model adds enough value for your scale. What's your typical migration frequency and project count?

[mihow]

@coderabbitai another consideration is that we need to refactor how the permission groups are assigned. Currently we construct special names (strings) with the project name and role to query the right permission group. I propose overriding the Group model with custom Group model with a project_id. Or something like that that is both simpler & more robust. What aspects of the architecture of this PR's refactor would that influence?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the roles.py file to see current group name construction and logic
cat ami/users/roles.py

Length of output: 10010

---

🏁 Script executed:

#!/bin/bash
# Check if there's a custom group model already or any references to group naming patterns
rg -n "Group\.objects\." ami/users/ -A 2 -B 2

Length of output: 1541

---

🏁 Script executed:

#!/bin/bash
# Look for any existing project-group relationship patterns
rg -n "project.*group|group.*project" ami/users/ -C 2 --type py

Length of output: 3787

---

@mihow Excellent question! Moving to a custom Group model with a project_id FK would be a much cleaner architecture, and the good news is that this PR's optimization strategy would remain largely intact. Here's the breakdown:

Components by Impact Level

✅ MINIMALLY AFFECTED (Core optimization preserved)

RoleSchemaVersion model & version tracking logic:

• The schema hash tracks what roles exist and their permissions (get_current_version() iterates over Role.__subclasses__() and their permission sets)
• Completely agnostic to how groups are stored/looked up
• needs_update() and mark_updated() work the same regardless of Group model structure
• The entire "check version → skip if unchanged → bulk update if changed" flow is unaffected

Management command (update_roles.py):

• Just iterates projects and calls create_roles_for_project()
• Internal implementation changes, but command interface stays the same

---

🔧 MODERATELY AFFECTED (Implementation details change)

create_roles_for_project() function:

• Change: Group lookup from get_or_create(name=role_name) → get_or_create(project=project, role_type=role_class.__name__)
• Preserved: All bulk operations remain identical:
  • group.permissions.set(role_perm_objects) ← still works
  • GroupObjectPermission.objects.bulk_create(...) ← still works
  • force_update conditional logic ← unchanged
• The optimization (bulk ops, conditional updates) survives the refactor

---

🔨 SIGNIFICANTLY AFFECTED (Would become simpler!)

Role class methods in roles.py:

# Current (string-based):
def get_group_name(cls, project):
    return f"{project.pk}_{project.name}_{cls.__name__}"

def has_role(cls, user, project):
    group_name = cls.get_group_name(project)
    return user.groups.filter(name=group_name).exists()

# After refactor (FK-based):
def has_role(cls, user, project):
    return user.groups.filter(
        project=project, 
        role_type=cls.__name__
    ).exists()

Signal handler in signals.py:

• Current: Parses group.name.split("_") to extract project_id (fragile!)
• After: Direct FK access: group.project_id (robust!)
• Eliminates the error-prone string parsing at lines 68-75

---

Migration Considerations

When you do this refactor, you'd need:

1. New model:

   class ProjectGroup(models.Model):
       project = models.ForeignKey(Project, on_delete=models.CASCADE)
       role_type = models.CharField(max_length=50)  # Role class name
       group = models.OneToOneField(Group, on_delete=models.CASCADE)
       
       class Meta:
           unique_together = [('project', 'role_type')]

2. Data migration: Convert existing groups (parse current names → create ProjectGroup records)

3. Update create_roles_for_project(): Query/create via FK instead of name strings

4. RoleSchemaVersion stays the same — it's already tracking the right abstraction

---

Architecture Compatibility

The key insight: This PR optimizes "when/how often to update" while your refactor optimizes "how to store/lookup groups." These are orthogonal concerns:

• This PR: Reduces unnecessary work via version tracking + bulk operations
• Your refactor: Makes group lookup robust via proper relational modeling

Both can coexist perfectly. In fact, doing this PR first gives you:

• Bulk operations already in place (easier to adapt than rewrite)
• Version tracking prevents migration overhead when refactoring
• force_update flag useful during migration testing

---

Recommendation

Order of operations:

1. ✅ Land this PR (gets you 99% of performance wins)
2. Refactor to custom Group model (simplifies codebase, removes TODO debt)
3. The version tracking pays dividends during #2 — migrations won't spam role updates

The string-based naming is definitely tech debt (as the TODO comments acknowledge), but this PR's optimization architecture is future-proof for that refactor. 🐰

[mihow]

See more auto-generated reflection on this here #1098