Mercurial > gemma
comparison schema/auth.sql @ 182:4df4e4bf480e
Beautify SQL
E.g. indent with 4 spaces more consequently.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Wed, 18 Jul 2018 16:48:27 +0200 |
parents | 0423eab4ad45 |
children | 5dc8e734487a |
comparison
equal
deleted
inserted
replaced
181:e509eccff303 | 182:4df4e4bf480e |
---|---|
11 -- | 11 -- |
12 -- Privileges for waterway_user | 12 -- Privileges for waterway_user |
13 -- | 13 -- |
14 GRANT USAGE ON SCHEMA gemma, gemma_waterway, gemma_fairway TO waterway_user; | 14 GRANT USAGE ON SCHEMA gemma, gemma_waterway, gemma_fairway TO waterway_user; |
15 GRANT SELECT ON ALL TABLES IN SCHEMA gemma_waterway, gemma_fairway | 15 GRANT SELECT ON ALL TABLES IN SCHEMA gemma_waterway, gemma_fairway |
16 TO waterway_user; | 16 TO waterway_user; |
17 GRANT SELECT ON templates, user_templates, user_profiles TO waterway_user; | 17 GRANT SELECT ON templates, user_templates, user_profiles TO waterway_user; |
18 | 18 |
19 -- | 19 -- |
20 -- Extended privileges for waterway_admin | 20 -- Extended privileges for waterway_admin |
21 -- | 21 -- |
22 GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA gemma_waterway, gemma_fairway | 22 GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA gemma_waterway, gemma_fairway |
23 TO waterway_admin; | 23 TO waterway_admin; |
24 -- TODO: will there ever be UPDATEs or can we drop that due to historicisation? | 24 -- TODO: will there ever be UPDATEs or can we drop that due to historicisation? |
25 GRANT INSERT, UPDATE, DELETE ON templates, user_templates TO waterway_admin; | 25 GRANT INSERT, UPDATE, DELETE ON templates, user_templates TO waterway_admin; |
26 GRANT SELECT ON responsibility_areas TO waterway_admin; | 26 GRANT SELECT ON responsibility_areas TO waterway_admin; |
27 | 27 |
28 -- | 28 -- |
29 -- Extended privileges for sys_admin | 29 -- Extended privileges for sys_admin |
30 -- | 30 -- |
31 GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA gemma | 31 GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA gemma |
32 TO sys_admin; | 32 TO sys_admin; |
33 | 33 |
34 -- | 34 -- |
35 -- RLS policies for waterway_user | 35 -- RLS policies for waterway_user |
36 -- | 36 -- |
37 -- Sometimes using FOR ALL because we rely on GRANTed privileges for allowing | 37 -- Sometimes using FOR ALL because we rely on GRANTed privileges for allowing |
41 -- allowed more with these policies (note that the subselect implies different | 41 -- allowed more with these policies (note that the subselect implies different |
42 -- policies on user_profiles depending on current_user). | 42 -- policies on user_profiles depending on current_user). |
43 -- | 43 -- |
44 | 44 |
45 -- Staging area | 45 -- Staging area |
46 CREATE FUNCTION create_hide_staging_policy() RETURNS void AS $$ | 46 CREATE FUNCTION create_hide_staging_policy() |
47 RETURNS void | |
48 AS $$ | |
47 DECLARE the_table varchar; | 49 DECLARE the_table varchar; |
48 BEGIN | 50 BEGIN |
49 FOREACH the_table IN ARRAY ARRAY[ | 51 FOREACH the_table IN ARRAY ARRAY[ |
50 'bottlenecks', 'sounding_results'] | 52 'bottlenecks', 'sounding_results'] |
51 -- TODO: add all relevant tables here | 53 -- TODO: add all relevant tables here |
53 EXECUTE format('CREATE POLICY hide_staging ON %I ' | 55 EXECUTE format('CREATE POLICY hide_staging ON %I ' |
54 'FOR SELECT TO waterway_user USING (staging_done)', the_table); | 56 'FOR SELECT TO waterway_user USING (staging_done)', the_table); |
55 EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', the_table); | 57 EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', the_table); |
56 END LOOP; | 58 END LOOP; |
57 END; | 59 END; |
58 $$ LANGUAGE plpgsql; | 60 $$ |
61 LANGUAGE plpgsql; | |
59 SELECT create_hide_staging_policy(); | 62 SELECT create_hide_staging_policy(); |
60 DROP FUNCTION create_hide_staging_policy; | 63 DROP FUNCTION create_hide_staging_policy; |
61 | 64 |
62 CREATE POLICY see_yourself ON user_profiles FOR SELECT TO waterway_user | 65 CREATE POLICY see_yourself ON user_profiles FOR SELECT TO waterway_user |
63 USING (username = current_user); | 66 USING (username = current_user); |
64 ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY; | 67 ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY; |
65 | 68 |
66 CREATE POLICY user_templates ON user_templates FOR ALL TO waterway_user | 69 CREATE POLICY user_templates ON user_templates FOR ALL TO waterway_user |
67 USING (username IN(SELECT username FROM user_profiles)); | 70 USING (username IN(SELECT username FROM user_profiles)); |
68 ALTER TABLE user_templates ENABLE ROW LEVEL SECURITY; | 71 ALTER TABLE user_templates ENABLE ROW LEVEL SECURITY; |
69 | 72 |
70 CREATE POLICY user_templates ON templates FOR ALL TO waterway_user | 73 CREATE POLICY user_templates ON templates FOR ALL TO waterway_user |
71 USING (template_name IN(SELECT template_name FROM user_templates)) | 74 USING (template_name IN(SELECT template_name FROM user_templates)) |
72 WITH CHECK (true); | 75 WITH CHECK (true); |
73 ALTER TABLE templates ENABLE ROW LEVEL SECURITY; | 76 ALTER TABLE templates ENABLE ROW LEVEL SECURITY; |
74 | 77 |
75 -- | 78 -- |
76 -- RLS policies for waterway_admin | 79 -- RLS policies for waterway_admin |
77 -- | 80 -- |
78 | 81 |
79 -- Security-definer function to get current users country, which allows to | 82 -- Security-definer function to get current users country, which allows to |
80 -- restrict the view on user_profiles by country without infinite recursion | 83 -- restrict the view on user_profiles by country without infinite recursion |
81 CREATE FUNCTION current_user_country() | 84 CREATE FUNCTION current_user_country() |
82 RETURNS gemma.user_profiles.country%TYPE | 85 RETURNS gemma.user_profiles.country%TYPE |
83 AS $$ SELECT country FROM user_profiles WHERE username = session_user $$ | 86 AS $$ SELECT country FROM user_profiles WHERE username = session_user $$ |
84 LANGUAGE SQL | 87 LANGUAGE SQL |
85 SECURITY DEFINER | 88 SECURITY DEFINER |
86 STABLE PARALLEL SAFE; | 89 STABLE PARALLEL SAFE; |
87 | 90 |
88 -- Staging area | 91 -- Staging area |
89 -- TODO: add all relevant tables here | 92 -- TODO: add all relevant tables here |
90 CREATE POLICY responsibility_area ON bottlenecks FOR ALL TO waterway_admin | 93 CREATE POLICY responsibility_area ON bottlenecks FOR ALL TO waterway_admin |
91 USING (ST_Within(area, (SELECT area FROM responsibility_areas | 94 USING (ST_Within(area, (SELECT area FROM responsibility_areas |
92 WHERE country = current_user_country()))); | 95 WHERE country = current_user_country()))); |
93 CREATE POLICY responsibility_area ON sounding_results FOR ALL TO waterway_admin | 96 CREATE POLICY responsibility_area ON sounding_results FOR ALL TO waterway_admin |
94 USING (ST_Within(area, (SELECT area FROM responsibility_areas | 97 USING (ST_Within(area, (SELECT area FROM responsibility_areas |
95 WHERE country = current_user_country()))); | 98 WHERE country = current_user_country()))); |
96 | 99 |
97 CREATE POLICY country_profiles ON user_profiles FOR SELECT TO waterway_admin | 100 CREATE POLICY country_profiles ON user_profiles FOR SELECT TO waterway_admin |
98 USING (country = current_user_country()); | 101 USING (country = current_user_country()); |
99 | 102 |
100 COMMIT; | 103 COMMIT; |