Mercurial > gemma
comparison schema/auth.sql @ 113:25b28fd0e256
Moved schema stuff to own subfolder.
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
---|---|
date | Tue, 26 Jun 2018 16:14:59 +0200 |
parents | auth.sql@767f3edc502c |
children | d349db18bece |
comparison
equal
deleted
inserted
replaced
112:894f633e2d3f | 113:25b28fd0e256 |
---|---|
1 BEGIN; | |
2 | |
3 -- | |
4 -- Roles, privileges and policies for the WAMOS database | |
5 -- | |
6 SET search_path TO public, wamos, wamos_waterway, wamos_fairway; | |
7 | |
8 -- We do not want any users to be able to create any objects | |
9 REVOKE CREATE ON SCHEMA public FROM PUBLIC; | |
10 | |
11 -- | |
12 -- Primary WAMOS roles (SRS table 3) | |
13 -- | |
14 CREATE ROLE waterway_user; | |
15 CREATE ROLE waterway_admin IN ROLE waterway_user; | |
16 CREATE ROLE sys_admin CREATEROLE BYPASSRLS IN ROLE waterway_admin; | |
17 | |
18 -- | |
19 -- Privileges for waterway_user | |
20 -- | |
21 GRANT USAGE ON SCHEMA wamos, wamos_waterway, wamos_fairway TO waterway_user; | |
22 GRANT SELECT ON ALL TABLES IN SCHEMA wamos_waterway, wamos_fairway | |
23 TO waterway_user; | |
24 GRANT SELECT ON templates, user_templates, user_profiles TO waterway_user; | |
25 | |
26 -- | |
27 -- Extended privileges for waterway_admin | |
28 -- | |
29 GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA wamos_waterway, wamos_fairway | |
30 TO waterway_admin; | |
31 -- TODO: will there ever be UPDATEs or can we drop that due to historicisation? | |
32 GRANT INSERT, UPDATE ON templates, user_templates TO waterway_admin; | |
33 GRANT SELECT ON responsibility_areas TO waterway_admin; | |
34 | |
35 -- | |
36 -- Extended privileges for sys_admin | |
37 -- | |
38 GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA wamos | |
39 TO sys_admin; | |
40 | |
41 -- | |
42 -- RLS policies for waterway_user | |
43 -- | |
44 | |
45 -- Staging area | |
46 CREATE FUNCTION create_hide_staging_policy() RETURNS void AS $$ | |
47 DECLARE the_table varchar; | |
48 BEGIN | |
49 FOREACH the_table IN ARRAY ARRAY[ | |
50 'bottlenecks', 'sounding_results'] | |
51 -- TODO: add all relevant tables here | |
52 LOOP | |
53 EXECUTE format('CREATE POLICY hide_staging ON %I ' | |
54 'FOR SELECT TO waterway_user USING (staging_done)', the_table); | |
55 EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', the_table); | |
56 END LOOP; | |
57 END; | |
58 $$ LANGUAGE plpgsql; | |
59 SELECT create_hide_staging_policy(); | |
60 DROP FUNCTION create_hide_staging_policy; | |
61 | |
62 CREATE POLICY see_yourself ON user_profiles FOR SELECT TO waterway_user | |
63 USING (username = current_user); | |
64 ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY; | |
65 | |
66 CREATE POLICY own_templates ON templates FOR SELECT TO waterway_user | |
67 USING (id IN(SELECT template_id FROM user_templates | |
68 WHERE username = current_user)); | |
69 ALTER TABLE templates ENABLE ROW LEVEL SECURITY; | |
70 | |
71 -- | |
72 -- RLS policies for waterway_admin | |
73 -- | |
74 | |
75 -- Staging area | |
76 -- TODO: add all relevant tables here | |
77 CREATE POLICY responsibility_area ON bottlenecks FOR ALL TO waterway_admin | |
78 USING (ST_Within(area, (SELECT area FROM responsibility_areas | |
79 WHERE country = (SELECT country FROM user_profiles)))); | |
80 CREATE POLICY responsibility_area ON sounding_results FOR ALL TO waterway_admin | |
81 USING (ST_Within(area, (SELECT area FROM responsibility_areas | |
82 WHERE country = (SELECT country FROM user_profiles)))); | |
83 | |
84 CREATE POLICY manage_templates ON templates FOR ALL TO waterway_admin | |
85 USING (id IN(SELECT template_id FROM user_templates ut | |
86 JOIN user_profiles p ON ut.username = p.username | |
87 WHERE p.country = (SELECT country FROM user_profiles))); | |
88 | |
89 COMMIT; |