# HG changeset patch # User Sascha Wilde # Date 1571841703 -7200 # Node ID 9e077ca975055f3629aacb46b203f63045dbc000 # Parent 3a8ec3c396e09e93bc272dd72acfde08505b3a42 Added epic comments on responsibility_area and same_country policies. diff -r 3a8ec3c396e0 -r 9e077ca97505 schema/auth.sql --- a/schema/auth.sql Wed Oct 23 16:29:07 2019 +0200 +++ b/schema/auth.sql Wed Oct 23 16:41:43 2019 +0200 @@ -127,6 +127,9 @@ -- Staging area -- TODO: add all relevant tables here +-- In many cases it is more efficient to check for "staging_done" to +-- prevent the more expensive checks for read only access (which is +-- allowed for all users, when staging is done). CREATE POLICY same_country ON waterway.gauge_measurements FOR ALL TO waterway_admin USING (staging_done @@ -162,6 +165,10 @@ USING (staging_done OR users.utm_covers(area)) WITH CHECK (users.utm_covers(area)); +-- In the case of sections differentiating between read and write +-- access is not neccessary: the country code based access check is +-- quiet cheap in this case and there are only (relatively) few +-- sections in the system anyway. CREATE POLICY same_country ON waterway.sections FOR ALL TO waterway_admin USING (country = (
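Review bot: In the first hunk (schema/auth.sql, @@ -127,6 +127,9 @@), the new comment says read only access "is allowed for all users, when staging is done", but the policy directly below it is declared `FOR ALL TO waterway_admin`, so the comment should name the role it actually applies to, or say which other policy covers the remaining users. The wording "prevent the more expensive checks" also promises more than SQL gives: PostgreSQL does not guarantee left-to-right evaluation of `staging_done OR ...`, so "lets the planner skip" would be the accurate phrasing. Since the comment sits right under the section TODO, it would also help to state that it refers to the `USING` clause only; the context lines of the next hunk show `WITH CHECK (users.utm_covers(area))` without `staging_done`, so writes still run the expensive check.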
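Review bot: In the second hunk (schema/auth.sql, @@ -162,6 +165,10 @@), the comment justifies the single `USING (country = (` clause on `waterway.sections` by cost alone, yet leaving out the read/write split is also a behavioural difference: in the policy just above, `staging_done OR users.utm_covers(area)` opens finished rows for reading regardless of area, while the visible part of the sections policy limits reads to the same country. The comment should say whether that restriction on reads is intended, not only that the check is cheap. Two spelling fixes in the added lines as well: "neccessary" should be "necessary" and "quiet cheap" should be "quite cheap", and a comma after "In the case of sections" would make the sentence parse on first reading.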