fix ceadr policies

backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts

@@ -8,11 +8,15 @@ export async function migratePermissionsToCedar(dataSource: DataSource): Promise
 	const groupRepository = dataSource.getRepository(GroupEntity);
 	let migratedCount = 0;
 
+	// Migrate groups with no Cedar policy OR groups with old-format policies (using "principal in" instead of bare "principal")
 	const groups = await groupRepository
 		.createQueryBuilder('group')
 		.leftJoinAndSelect('group.connection', 'connection')
 		.leftJoinAndSelect('group.permissions', 'permission')
-		.where('group.cedarPolicy IS NULL OR group.cedarPolicy = :empty', { empty: '' })
+		.where('group.cedarPolicy IS NULL OR group.cedarPolicy = :empty OR group.cedarPolicy LIKE :oldFormat', {
+			empty: '',
+			oldFormat: '%principal in RocketAdmin::Group%',
+		})
 		.getMany();
 
 	for (const group of groups) {

backend/src/entities/demo-data/demo-data.service.ts

@@ -2,6 +2,7 @@ import { Inject, Injectable } from '@nestjs/common';
 import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
 import { IGlobalDatabaseContext } from '../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../common/data-injection.tokens.js';
+import { AccessLevelEnum } from '../../enums/access-level.enum.js';
 import { FilterCriteriaEnum } from '../../enums/filter-criteria.enum.js';
 import { TableActionEventEnum } from '../../enums/table-action-event-enum.js';
 import { TableActionTypeEnum } from '../../enums/table-action-type.enum.js';
@@ -27,6 +28,7 @@ import { TableSettingsEntity } from '../table-settings/common-table-settings/tab
 import { buildNewTableSettingsEntity } from '../table-settings/common-table-settings/utils/build-new-table-settings-entity.js';
 import { buildConnectionEntitiesFromTestDtos } from '../user/utils/build-connection-entities-from-test-dtos.js';
 import { buildDefaultAdminGroups } from '../user/utils/build-default-admin-groups.js';
+import { generateCedarPolicyForGroup } from '../cedar-authorization/cedar-policy-generator.js';
 import { buildDefaultAdminPermissions } from '../user/utils/build-default-admin-permissions.js';
 import { CreateTableWidgetDs } from '../widget/application/data-sctructures/create-table-widgets.ds.js';
 import { buildNewTableWidgetEntity } from '../widget/utils/build-new-table-widget-entity.js';
@@ -77,6 +79,21 @@ export class DemoDataService {
 			}),
 		);
 
+		await Promise.all(
+			createdTestGroups.map(async (group: GroupEntity) => {
+				const connectionId = group.connection?.id;
+				if (!connectionId) return;
+				group.cedarPolicy = generateCedarPolicyForGroup(connectionId, group.isMain, {
+					connection: { connectionId, accessLevel: AccessLevelEnum.edit },
+					group: { groupId: group.id, accessLevel: AccessLevelEnum.edit },
+					tables: [],
+				});
+				delete group.permissions;
+				delete group.users;
+				await this._dbContext.groupRepository.saveNewOrUpdatedGroup(group);
+			}),
+		);
+
 		if (!isTest()) {
 			const createdPostgresConnection = createdTestConnections.find(
 				(connection) => connection.type === ConnectionTypesEnum.postgres,

backend/src/helpers/constants/constants.ts

@@ -225,6 +225,7 @@ export const Constants = {
 		if (!isSaaS || isSaaS !== 'true') {
 			return [];
 		}
+
 		const testConnections: Array<CreateConnectionDto> = Constants.getTestConnectionsFromDSN() || [];
 		if (!testConnections.length) {
 			testConnections.push(