Replace SQL wildcard selectors with explicit columns for better versioning

2025-11-22 10:51:36 +01:00 · 2024-08-03 22:06:29 +02:00
parent dfcb129e69
commit 6b05ab1d28
2 changed files with 107 additions and 9 deletions
--- a/rest-api/db/migrations/20240720132802_exposed_views_functions.sql
+++ b/rest-api/db/migrations/20240720132802_exposed_views_functions.sql
@@ -8,55 +8,111 @@ FROM internal.user;
 CREATE VIEW api.website
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  id,
+  owner_id,
+  content_type,
+  title,
+  created_at,
+  last_modified_at,
+  last_modified_by
 FROM internal.website;

 CREATE VIEW api.media
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  id,
+  website_id,
+  user_id,
+  original_name,
+  file_system_path,
+  created_at
 FROM internal.media;

 CREATE VIEW api.settings
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  website_id,
+  accent_color_light_theme,
+  accent_color_dark_theme,
+  favicon_image,
+  last_modified_at,
+  last_modified_by
 FROM internal.settings;

 CREATE VIEW api.header
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  website_id,
+  logo_type,
+  logo_text,
+  logo_image,
+  last_modified_at,
+  last_modified_by
 FROM internal.header;

 CREATE view api.home
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  website_id,
+  main_content,
+  last_modified_at,
+  last_modified_by
 FROM internal.home;

 CREATE VIEW api.article
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  id,
+  website_id,
+  title,
+  meta_description,
+  meta_author,
+  cover_image,
+  publication_date,
+  main_content,
+  created_at,
+  last_modified_at,
+  last_modified_by
 FROM internal.article;

 CREATE VIEW api.footer
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  website_id,
+  additional_text,
+  last_modified_at,
+  last_modified_by
 FROM internal.footer;

 CREATE VIEW api.collab
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  website_id,
+  user_id,
+  permission_level,
+  added_at,
+  last_modified_at,
+  last_modified_by
 FROM internal.collab;

 CREATE VIEW api.change_log
 WITH (security_invoker = on)
 AS
-SELECT *
+SELECT
+  website_id,
+  user_id,
+  change_summary,
+  previous_value,
+  new_value,
+  timestamp
 FROM internal.change_log;

 CREATE FUNCTION
--- a/rest-api/db/migrations/20240803163047_website_overview_view.sql
+++ b/rest-api/db/migrations/20240803163047_website_overview_view.sql
@@ -0,0 +1,42 @@
+-- migrate:up
+CREATE VIEW api.website_overview AS
+SELECT
+  w.id,
+  w.owner_id,
+  w.content_type,
+  w.title,
+  s.accent_color_light_theme,
+  s.accent_color_dark_theme,
+  s.favicon_image,
+  h.logo_type,
+  h.logo_text,
+  h.logo_image,
+  ho.main_content,
+  f.additional_text,
+  (
+    SELECT json_agg(
+      json_build_object(
+        'title', a.title,
+        'meta_description', a.meta_description,
+        'meta_author', a.meta_author,
+        'cover_image', a.cover_image,
+        'publication_date', a.publication_date,
+        'main_content', a.main_content
+      )
+    )
+    FROM internal.article a
+    WHERE a.website_id = w.id
+  ) AS articles
+FROM 
+  internal.website w
+JOIN internal.settings s ON w.id = s.website_id
+JOIN internal.header h ON w.id = h.website_id
+JOIN internal.home ho ON w.id = ho.website_id
+JOIN internal.footer f ON w.id = f.website_id;
+
+GRANT SELECT ON api.website_overview TO authenticated_user;
+
+-- migrate:down
+REVOKE SELECT ON api.website_overview FROM authenticated_user;
+
+DROP VIEW api.website_overview;