pub async fn grant_model_to_default_groups(
    db: &Db,
    app: &str,
    singular: &str,
) -> Result<()>

Per-model permission grants for the seeded default groups
(PR 2.2 / DESIGN_PERMISSIONS.md). Called by
crate::admin::Admin::seed_permissions after the four CRUD
permissions are registered for <app>.<singular>. Each grant
is idempotent (grant_to_group uses ON CONFLICT DO NOTHING);
missing groups (because seed_default_groups was skipped by
the user-defined-groups guard) cause silent no-ops, not errors.
Grant matrix:
| | add | change | delete | view |
|---|---|---|---|---|
| administrator | ✓ | ✓ | ✓ | ✓ |
| editor | ✓ | ✓ | | ✓ |
| viewer | | | | ✓ |

editor deliberately lacks delete — destructive operations
belong to administrators by default. Projects that want
editor-level delete access either grant <app>.delete_<model>
to the editor group explicitly via the admin permission-matrix
UI, or move those users to administrator.
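
The seeding semantics described above (idempotent grants, silent no-op for a missing group, no delete for editor), modelled in memory as an added example that is not the crate's own code. `Store`, `seed_model_grants` and `non_admin_delete_holders` are hypothetical names, and the `<app>.<action>_<singular>` codename shape is assumed from the `<app>.delete_<model>` form shown above.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Hypothetical in-memory stand-in for the group and grant tables:
/// group name -> granted permission codenames.
pub type Store = BTreeMap<String, BTreeSet<String>>;

/// Default grant matrix from the documentation above.
const MATRIX: [(&str, &[&str]); 3] = [
    ("administrator", &["add", "change", "delete", "view"]),
    ("editor", &["add", "change", "view"]),
    ("viewer", &["view"]),
];

/// Model of the seeding step; returns how many new grants were written.
pub fn seed_model_grants(store: &mut Store, app: &str, singular: &str) -> usize {
    let mut written = 0;
    for (group, actions) in MATRIX.iter() {
        // A group that was never seeded is skipped silently, not reported.
        if let Some(perms) = store.get_mut(*group) {
            for action in actions.iter() {
                // Set insertion plays the role of ON CONFLICT DO NOTHING.
                if perms.insert(format!("{}.{}_{}", app, action, singular)) {
                    written += 1;
                }
            }
        }
    }
    written
}

/// Audit check: groups other than `administrator` that hold a delete grant.
pub fn non_admin_delete_holders(store: &Store) -> Vec<String> {
    store
        .iter()
        .filter(|(g, perms)| {
            g.as_str() != "administrator"
                && perms.iter().any(|p| {
                    p.rsplit('.').next().map_or(false, |c| c.starts_with("delete_"))
                })
        })
        .map(|(g, _)| g.clone())
        .collect()
}

fn main() {
    // Constructed state: `viewer` is absent, as when default-group seeding was skipped.
    let mut store: Store = BTreeMap::new();
    store.insert("administrator".to_string(), BTreeSet::new());
    store.insert("editor".to_string(), BTreeSet::new());
    println!("first run wrote {}", seed_model_grants(&mut store, "blog", "post"));
    println!("second run wrote {}", seed_model_grants(&mut store, "blog", "post"));
    println!("non-admin delete holders: {:?}", non_admin_delete_holders(&store));
}
```

Because a missing group produces no error, a check like `non_admin_delete_holders` run after seeding is the place to confirm which groups actually hold destructive permissions.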