From 37f5c3d00524258909b241cd6d4ecd23bf9438b8 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 24 Mar 2026 08:52:32 +0100
Subject: [PATCH] feat(db): add migration to grant ANNOTATE_ALL to existing
 admin groups

Covers existing deployments where the Administrators group was created
before DataInitializer started including ANNOTATE_ALL.

Refs #40
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../db/migration/V11__add_annotate_all_permission.sql      | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql

diff --git a/backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql b/backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql
new file mode 100644
index 00000000..4c797f6c
--- /dev/null
+++ b/backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql
@@ -0,0 +1,7 @@
+-- Grant ANNOTATE_ALL to every group that already has ADMIN.
+-- New installs get it via DataInitializer; this covers existing deployments.
+INSERT INTO group_permissions (group_id, permission)
+SELECT g.id, 'ANNOTATE_ALL'
+FROM user_groups g
+WHERE g.id IN (SELECT group_id FROM group_permissions WHERE permission = 'ADMIN')
+  AND g.id NOT IN (SELECT group_id FROM group_permissions WHERE permission = 'ANNOTATE_ALL');