changeset 1798:40cbfd268aa9

Row level security for import jobs Add imports to database as the actual login user. sys_admin then only needs to read and update (state) import job data. The way the policies for import_logs and track_imports are implemented has the side effect that a sys_admin can do anything with all of them. More fine-grained policies and changes to Go code are needed if this is a concern.
author Tom Gottfried <tom@intevation.de>
date Mon, 14 Jan 2019 17:43:28 +0100
parents 67340ceecc5f
children 0e387e0e0d7c
files pkg/imports/queue.go schema/auth.sql
diffstat 2 files changed, 29 insertions(+), 1 deletions(-) [+]
--- a/pkg/imports/queue.go	Mon Jan 14 17:12:12 2019 +0100
+++ b/pkg/imports/queue.go	Mon Jan 14 17:43:28 2019 +0100
@@ -286,7 +286,7 @@
 	if trysLeft >= 0 {
 		tl = sql.NullInt64{Int64: int64(trysLeft), Valid: true}
 	}
-	err := auth.RunAs(ctx, queueUser, func(conn *sql.Conn) error {
+	err := auth.RunAs(ctx, user, func(conn *sql.Conn) error {
 		return conn.QueryRowContext(
 			ctx,
 			insertJobSQL,
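Review bot: The INSERT now runs under the caller-supplied `user` instead of queueUser, so whether a job row can be created at all is decided by the row-level security policies on waterway.imports for that role, and a policy denial surfaces only as the generic error returned from QueryRowContext; the enclosing function's signature and doc comment sit above the hunk and should state this, e.g. `// The job row is inserted as user, so row level security on waterway.imports applies to the submitting login user.` If user can arrive empty or otherwise unvalidated from the HTTP layer, it is worth confirming that auth.RunAs rejects it before switching roles rather than relying on the database error. queueUser is presumably still referenced by the job runner elsewhere in the package; if this was its last use, an unused package-level identifier will not be flagged by the compiler.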
--- a/schema/auth.sql	Mon Jan 14 17:12:12 2019 +0100
+++ b/schema/auth.sql	Mon Jan 14 17:43:28 2019 +0100
@@ -154,6 +154,34 @@
     FOR ALL TO waterway_admin
     USING (utm_covers(area));
 
+-- Imports and import config
+
+CREATE POLICY same_country ON waterway.imports
+    FOR ALL TO waterway_admin
+    USING (users.current_user_country() = (
+        SELECT country FROM users.list_users lu
+            WHERE lu.username = imports.username));
+ALTER table waterway.imports ENABLE ROW LEVEL SECURITY;
+
+-- The job running the import queue is running as sys_admin and login users
+-- with that role should see all imports anyhow
+CREATE POLICY read_all ON waterway.imports
+    FOR SELECT TO sys_admin
+    USING (true);
+CREATE POLICY update_all ON waterway.imports
+    FOR UPDATE TO sys_admin
+    USING (true);
+
+CREATE POLICY parent_allowed ON waterway.import_logs
+    FOR ALL TO waterway_admin
+    USING (import_id IN (SELECT id FROM waterway.imports));
+ALTER table waterway.import_logs ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY parent_allowed ON waterway.track_imports
+    FOR ALL TO waterway_admin
+    USING (import_id IN (SELECT id FROM waterway.imports));
+ALTER table waterway.track_imports ENABLE ROW LEVEL SECURITY;
+
 CREATE POLICY import_configuration_policy ON waterway.import_configuration
     FOR ALL TO waterway_admin
     USING (
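Review bot: Policy same_country on waterway.imports declares only USING, so PostgreSQL reuses that expression as the WITH CHECK for INSERT and UPDATE, which lets a waterway_admin insert or re-attribute a job to any username in the same country rather than only its own. If the username column is meant to record the submitting login role (as the queue.go change suggests), consider adding `WITH CHECK (username = current_user)` to the policy while keeping the country comparison in USING for visibility. Note also that ENABLE ROW LEVEL SECURITY is bypassed by the table owner (and members of the owning role); the description's remark that sys_admin can do anything with import_logs and track_imports despite having no policy there suggests sys_admin has owner privileges, in which case read_all and update_all on waterway.imports are not actually what limits sys_admin, and FORCE ROW LEVEL SECURITY would be needed for the read/update-only intent to hold. The same parent_allowed subquery pattern is shared by import_logs and track_imports, so any change to the imports policy changes what those two tables expose as well.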