From bcc26322d3cbf978d8cc4938046f434e08b3fb64 Mon Sep 17 00:00:00 2001
From: thiloho <123883702+thiloho@users.noreply.github.com>
Date: Wed, 7 Aug 2024 19:51:29 +0200
Subject: [PATCH] Use security invoker for overview endpoint and update last
modified by triggers
---
.../20240803163047_website_overview_view.sql | 4 +-
.../20240805132306_last_modified_triggers.sql | 39 +++++++++++++------
.../[websiteId]/collaborators/+page.svelte | 10 ++---
3 files changed, 36 insertions(+), 17 deletions(-)
diff --git a/rest-api/db/migrations/20240803163047_website_overview_view.sql b/rest-api/db/migrations/20240803163047_website_overview_view.sql
index 1c87e11..ca62d1c 100644
--- a/rest-api/db/migrations/20240803163047_website_overview_view.sql
+++ b/rest-api/db/migrations/20240803163047_website_overview_view.sql
@@ -1,5 +1,7 @@
-- migrate:up
-CREATE VIEW api.website_overview AS
+CREATE VIEW api.website_overview
+WITH (security_invoker = on)
+AS
SELECT
w.id,
w.owner_id,
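Review bot: The new `WITH (security_invoker = on)` line carries no comment saying why the view's privilege model is being flipped, and the reason matters for anyone touching the grants later: the view now evaluates its FROM list with the privileges (and any row-level security policies) of the role that queries it, not of the view owner, so access to the underlying tables must be granted to the API role directly. I would put `-- security_invoker: rows are filtered by the calling role's grants/RLS on the base tables, not the view owner's` above the CREATE VIEW. Note also that this option only exists on PostgreSQL 15 and later, so the migration will fail on older servers; the view body and the `-- migrate:down` section continue outside this hunk and should be checked for the same constraint.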
diff --git a/rest-api/db/migrations/20240805132306_last_modified_triggers.sql b/rest-api/db/migrations/20240805132306_last_modified_triggers.sql
index 98a1cea..20faa7e 100644
--- a/rest-api/db/migrations/20240805132306_last_modified_triggers.sql
+++ b/rest-api/db/migrations/20240805132306_last_modified_triggers.sql
@@ -1,47 +1,64 @@
-- migrate:up
-CREATE FUNCTION update_last_modified()
+CREATE FUNCTION internal.update_last_modified()
RETURNS TRIGGER AS $$
BEGIN
NEW.last_modified_at = CLOCK_TIMESTAMP();
NEW.last_modified_by = (current_setting('request.jwt.claims', true)::JSON->>'user_id')::UUID;
+
+ IF TG_TABLE_NAME != 'website' THEN
+ UPDATE internal.website
+ SET
+ last_modified_at = NEW.last_modified_at,
+ last_modified_by = NEW.last_modified_by
+ WHERE id =
+ CASE
+ WHEN TG_TABLE_NAME = 'settings' THEN NEW.website_id
+ WHEN TG_TABLE_NAME = 'header' THEN NEW.website_id
+ WHEN TG_TABLE_NAME = 'home' THEN NEW.website_id
+ WHEN TG_TABLE_NAME = 'article' THEN NEW.website_id
+ WHEN TG_TABLE_NAME = 'footer' THEN NEW.website_id
+ WHEN TG_TABLE_NAME = 'collab' THEN NEW.website_id
+ END;
+ END IF;
+
RETURN NEW;
END;
-$$ LANGUAGE plpgsql;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
CREATE TRIGGER update_website_last_modified
BEFORE UPDATE ON internal.website
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
CREATE TRIGGER update_settings_last_modified
BEFORE UPDATE ON internal.settings
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
CREATE TRIGGER update_header_last_modified
BEFORE UPDATE ON internal.header
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
CREATE TRIGGER update_home_last_modified
BEFORE UPDATE ON internal.home
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
CREATE TRIGGER update_article_last_modified
-BEFORE UPDATE ON internal.article
+BEFORE INSERT OR UPDATE OR DELETE ON internal.article
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
CREATE TRIGGER update_footer_last_modified
BEFORE UPDATE ON internal.footer
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
CREATE TRIGGER update_collab_last_modified
BEFORE UPDATE ON internal.collab
FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();
-- migrate:down
DROP TRIGGER update_website_last_modified ON internal.website;
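Review bot: The article trigger is now `BEFORE INSERT OR UPDATE OR DELETE`, but the function body still assigns into `NEW` and ends with `RETURN NEW`; for a DELETE row trigger `NEW` is null, so the parent lookup via `NEW.website_id` finds nothing and, as far as I can tell, the null return from a BEFORE trigger silently skips the delete itself. The DELETE path needs `OLD.website_id` and `RETURN OLD`. Separately, the function is now `SECURITY DEFINER` without a pinned `search_path`; the standard hardening is `$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp;` so unqualified names (`JSON`, `UUID`, `CLOCK_TIMESTAMP`) cannot be shadowed by objects in a caller-controlled schema. The six-branch CASE in the WHERE clause also yields `NEW.website_id` in every branch and can collapse to one expression. The rewrite below covers the function only; the CREATE TRIGGER statements are unchanged.
```sql
CREATE FUNCTION internal.update_last_modified()
RETURNS TRIGGER AS $$
DECLARE
  -- %TYPE keeps the stamp variables in step with the website columns.
  stamp_at internal.website.last_modified_at%TYPE := CLOCK_TIMESTAMP();
  stamp_by internal.website.last_modified_by%TYPE :=
    (current_setting('request.jwt.claims', true)::JSON->>'user_id')::UUID;
  parent_website_id internal.website.id%TYPE;
BEGIN
  -- NEW is null for DELETE, so only stamp the row itself on INSERT/UPDATE.
  IF TG_OP != 'DELETE' THEN
    NEW.last_modified_at = stamp_at;
    NEW.last_modified_by = stamp_by;
  END IF;

  -- Propagate the change to the parent website; on DELETE the parent id
  -- is only available in OLD. The website table has no website_id column,
  -- so this branch is skipped for it (and that also prevents recursion).
  IF TG_TABLE_NAME != 'website' THEN
    IF TG_OP = 'DELETE' THEN
      parent_website_id := OLD.website_id;
    ELSE
      parent_website_id := NEW.website_id;
    END IF;

    UPDATE internal.website
    SET
      last_modified_at = stamp_at,
      last_modified_by = stamp_by
    WHERE id = parent_website_id;
  END IF;

  -- A BEFORE row trigger that returns NULL cancels the operation,
  -- so DELETE must return OLD rather than the (null) NEW.
  IF TG_OP = 'DELETE' THEN
    RETURN OLD;
  END IF;
  RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp;
-- … unchanged: CREATE TRIGGER statements and migrate:down …
```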
@@ -52,4 +69,4 @@ DROP TRIGGER update_article_last_modified ON internal.article;
DROP TRIGGER update_footer_last_modified ON internal.footer;
DROP TRIGGER update_collab_last_modified ON internal.collab;
-DROP FUNCTION update_last_modified();
\ No newline at end of file
+DROP FUNCTION internal.update_last_modified();
\ No newline at end of file
diff --git a/web-app/src/routes/(authenticated)/website/[websiteId]/collaborators/+page.svelte b/web-app/src/routes/(authenticated)/website/[websiteId]/collaborators/+page.svelte
index 8a405ac..04e7420 100644
--- a/web-app/src/routes/(authenticated)/website/[websiteId]/collaborators/+page.svelte
+++ b/web-app/src/routes/(authenticated)/website/[websiteId]/collaborators/+page.svelte
@@ -50,10 +50,10 @@
-
- All collaborators
+ {#if data.collaborators.length > 0}
+
+ All collaborators
- {#if data.collaborators.length > 0}
{#each data.collaborators as { website_id, user_id, permission_level, user: { username } } (`${website_id}-${user_id}`)}
{username} ({permission_level})
@@ -109,8 +109,8 @@
{/each}
- {/if}
-
+
+ {/if}