[backend] fix(multi-tenancy): dev env with openaev_owner new user (#0000)

[corinnekrych]

Proposed changes

Flyway migration to use openaev_owner for running migration

To test it, in your application-dev.properties change:

spring.datasource.username=openaev_owner
spring.datasource.password=openaev

Testing Instructions

1. Step-by-step how to test
2. Environment or config notes

Related issues

• Closes #ISSUE-NUMBER

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality
• I wrote test cases for the relevant uses case
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality
• For bug fix -> I implemented a test that covers the bug

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

[Dimfacion]

Question : Does that mean that we need to provide a clear documentation to the existing users that they need to run this before upgrading ?

[corinnekrych]

Yes, this is a pre-requisites

[antoinemzs]

I don't think openaev_owner will be created on most setups by the time this runs

[corinnekrych]

what do you mean?
the user is created via the container bootstrap/seed init-db.sql
it works in dev env, tested locally

what i dont know how to fix - I'm stuck on that one - is how to make drone working as it is not using container to run api-test

[antoinemzs]

Can you explain why this grant is necessary?

[corinnekrych]

This grant is necessary to make SET ROLE openaev_app work at runtime.

In PostgreSQL, SET ROLE only works if the current session user is a member of the target role. Without GRANT openaev_app TO openaev_owner, any attempt by the app to do SET ROLE openaev_app would fail with a "permission denied" error.
By granting openaev_app to openaev_owner, the application can switch into the openaev_app role at runtime, which ensures RLS policies are evaluated under the correct role context — enforcing tenant isolation as intended.

openaev_owner owns the tables (required to run DDL/RLS policies), but table ownership bypasses RLS at query time. The application therefore adopts openaev_app via SET ROLE — a non-owner role that RLS policies are enforced on. GRANT openaev_app TO openaev_owner makes that role switch possible.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.39%. Comparing base (48d2a7e) to head (8b468aa).

Additional details and impacted files

@@                  Coverage Diff                  @@
##             release/current    #5694      +/-   ##
=====================================================
- Coverage              40.40%   40.39%   -0.01%     
  Complexity              6112     6112              
=====================================================
  Files                   2123     2123              
  Lines                  56997    56989       -8     
  Branches                7230     7229       -1     
=====================================================
- Hits                   23028    23023       -5     
+ Misses                 32613    32611       -2     
+ Partials                1356     1355       -1     

Flag	Coverage Δ
backend	64.33% <ø> (+<0.01%)	⬆️
frontend	1.42% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.