Mercurial > gemma
comparison schema/manage_users.sql @ 271:02aaff4b4a66
Merged.
| author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
|---|---|
| date | Mon, 30 Jul 2018 12:32:11 +0200 |
| parents | 0b2d9f96ddb8 |
| children | 750a9c9cd965 |
comparison
equal
deleted
inserted
replaced
| 270:d1b0d964af09 | 271:02aaff4b4a66 |
|---|---|
| 25 | 25 |
| 26 | 26 |
| 27 -- Security-definer function to get current users country, which allows to | 27 -- Security-definer function to get current users country, which allows to |
| 28 -- restrict the view on user_profiles by country without infinite recursion | 28 -- restrict the view on user_profiles by country without infinite recursion |
| 29 CREATE FUNCTION current_user_country() | 29 CREATE FUNCTION current_user_country() |
| 30 RETURNS users.user_profiles.country%TYPE | 30 RETURNS internal.user_profiles.country%TYPE |
| 31 AS $$ | 31 AS $$ |
| 32 SELECT country FROM users.user_profiles WHERE username = session_user | 32 SELECT country FROM internal.user_profiles |
| 33 WHERE username = session_user | |
| 33 $$ | 34 $$ |
| 34 LANGUAGE SQL | 35 LANGUAGE SQL |
| 35 SECURITY DEFINER | 36 SECURITY DEFINER |
| 36 STABLE PARALLEL SAFE; | 37 STABLE PARALLEL SAFE; |
| 37 | 38 |
| 38 | 39 |
| 39 CREATE OR REPLACE VIEW users.list_users WITH (security_barrier) AS | 40 CREATE OR REPLACE VIEW users.list_users WITH (security_barrier) AS |
| 40 WITH cur AS ( | |
| 41 SELECT rolname | |
| 42 FROM pg_roles r JOIN pg_auth_members a ON r.oid = a.roleid | |
| 43 WHERE member = ( | |
| 44 SELECT oid FROM pg_roles WHERE rolname = current_user)) | |
| 45 SELECT r.rolname, p.* | 41 SELECT r.rolname, p.* |
| 46 FROM cur, users.user_profiles p | 42 FROM internal.user_profiles p |
| 47 JOIN pg_roles u ON p.username = u.rolname | 43 JOIN pg_roles u ON p.username = u.rolname |
| 48 JOIN pg_auth_members a ON u.oid = a.member | 44 JOIN pg_auth_members a ON u.oid = a.member |
| 49 JOIN pg_roles r ON a.roleid = r.oid | 45 JOIN pg_roles r ON a.roleid = r.oid |
| 50 WHERE p.username = current_user | 46 WHERE p.username = current_user |
| 51 OR cur.rolname = 'waterway_admin' | 47 OR pg_has_role('waterway_admin', 'MEMBER') |
| 52 AND p.country = current_user_country() | 48 AND p.country = current_user_country() |
| 53 OR cur.rolname = 'sys_admin'; | 49 OR pg_has_role('sys_admin', 'MEMBER'); |
| 54 | 50 |
| 55 | 51 |
| 56 CREATE OR REPLACE FUNCTION sys_admin.create_user( | 52 CREATE OR REPLACE FUNCTION sys_admin.create_user( |
| 57 userrole varchar, | 53 userrole varchar, |
| 58 username users.user_profiles.username%TYPE, | 54 username internal.user_profiles.username%TYPE, |
| 59 pw varchar, | 55 pw varchar, |
| 60 country users.user_profiles.country%TYPE, | 56 country internal.user_profiles.country%TYPE, |
| 61 map_extent users.user_profiles.map_extent%TYPE, | 57 map_extent internal.user_profiles.map_extent%TYPE, |
| 62 email_address users.user_profiles.email_address%TYPE | 58 email_address internal.user_profiles.email_address%TYPE |
| 63 ) | 59 ) |
| 64 RETURNS void | 60 RETURNS void |
| 65 AS $$ | 61 AS $$ |
| 66 BEGIN | 62 BEGIN |
| 67 IF map_extent IS NULL | 63 IF map_extent IS NULL |
| 68 THEN | 64 THEN |
| 69 map_extent = ST_Extent(area) FROM users.responsibility_areas ra | 65 map_extent = ST_Extent(area) FROM users.responsibility_areas ra |
| 70 WHERE ra.country = create_user.country; | 66 WHERE ra.country = create_user.country; |
| 71 END IF; | 67 END IF; |
| 72 INSERT INTO users.user_profiles VALUES ( | 68 INSERT INTO internal.user_profiles ( |
| 73 username, country, map_extent, email_address); | 69 username, country, map_extent, email_address) |
| 70 VALUES (username, country, map_extent, email_address); | |
| 74 EXECUTE format( | 71 EXECUTE format( |
| 75 'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L', | 72 'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L', |
| 76 username, | 73 username, |
| 77 userrole, | 74 userrole, |
| 78 users.check_password(pw)); | 75 users.check_password(pw)); |
| 81 LANGUAGE plpgsql | 78 LANGUAGE plpgsql |
| 82 SECURITY DEFINER; | 79 SECURITY DEFINER; |
| 83 | 80 |
| 84 | 81 |
| 85 CREATE OR REPLACE FUNCTION sys_admin.update_user( | 82 CREATE OR REPLACE FUNCTION sys_admin.update_user( |
| 86 username users.user_profiles.username%TYPE, | 83 username internal.user_profiles.username%TYPE, |
| 87 new_userrole varchar, | 84 new_userrole varchar, |
| 88 new_username users.user_profiles.username%TYPE, | 85 new_username internal.user_profiles.username%TYPE, |
| 89 new_pw varchar, | 86 new_pw varchar, |
| 90 new_country users.user_profiles.country%TYPE, | 87 new_country internal.user_profiles.country%TYPE, |
| 91 new_map_extent users.user_profiles.map_extent%TYPE, | 88 new_map_extent internal.user_profiles.map_extent%TYPE, |
| 92 new_email_address users.user_profiles.email_address%TYPE | 89 new_email_address internal.user_profiles.email_address%TYPE |
| 93 ) | 90 ) |
| 94 RETURNS void | 91 RETURNS void |
| 95 AS $$ | 92 AS $$ |
| 96 DECLARE | 93 DECLARE |
| 97 cur_username name; | 94 cur_username name; |
| 98 cur_userrole name; | 95 cur_userrole name; |
| 99 BEGIN | 96 BEGIN |
| 100 cur_username = username; | 97 cur_username = username; |
| 101 | 98 |
| 102 UPDATE users.user_profiles p | 99 UPDATE internal.user_profiles p |
| 103 SET (username, country, map_extent, email_address) | 100 SET (username, country, map_extent, email_address) |
| 104 = (new_username, new_country, new_map_extent, new_email_address) | 101 = (new_username, new_country, new_map_extent, new_email_address) |
| 105 WHERE p.username = cur_username; | 102 WHERE p.username = cur_username; |
| 106 | 103 |
| 107 IF new_username <> cur_username | 104 IF new_username <> cur_username |
| 137 LANGUAGE plpgsql | 134 LANGUAGE plpgsql |
| 138 SECURITY DEFINER; | 135 SECURITY DEFINER; |
| 139 | 136 |
| 140 | 137 |
| 141 CREATE OR REPLACE FUNCTION sys_admin.delete_user( | 138 CREATE OR REPLACE FUNCTION sys_admin.delete_user( |
| 142 username users.user_profiles.username%TYPE | 139 username internal.user_profiles.username%TYPE |
| 143 ) | 140 ) |
| 144 RETURNS void | 141 RETURNS void |
| 145 AS $$ | 142 AS $$ |
| 146 DECLARE | 143 DECLARE |
| 147 bid int; | 144 bid int; |
| 154 -- in which this function is executed will not be terminated but lost | 151 -- in which this function is executed will not be terminated but lost |
| 155 -- without any privileges after commiting this transaction | 152 -- without any privileges after commiting this transaction |
| 156 | 153 |
| 157 -- Delete user | 154 -- Delete user |
| 158 EXECUTE format('DROP ROLE %I', username); | 155 EXECUTE format('DROP ROLE %I', username); |
| 159 DELETE FROM users.user_profiles p WHERE p.username = delete_user.username; | 156 DELETE FROM internal.user_profiles p |
| 157 WHERE p.username = delete_user.username; | |
| 160 END; | 158 END; |
| 161 $$ | 159 $$ |
| 162 LANGUAGE plpgsql | 160 LANGUAGE plpgsql |
| 163 SECURITY DEFINER; | 161 SECURITY DEFINER; |