Use security invoker for overview endpoint and update last modified by triggers

2025-11-22 10:51:36 +01:00 · 2024-08-07 19:51:29 +02:00
parent fbadbb18a4
commit bcc26322d3
3 changed files with 36 additions and 17 deletions
--- a/rest-api/db/migrations/20240803163047_website_overview_view.sql
+++ b/rest-api/db/migrations/20240803163047_website_overview_view.sql
@@ -1,5 +1,7 @@
 -- migrate:up
-CREATE VIEW api.website_overview AS
+CREATE VIEW api.website_overview
+WITH (security_invoker = on)
+AS
 SELECT
  w.id,
  w.owner_id,
--- a/rest-api/db/migrations/20240805132306_last_modified_triggers.sql
+++ b/rest-api/db/migrations/20240805132306_last_modified_triggers.sql
@@ -1,47 +1,64 @@
 -- migrate:up
-CREATE FUNCTION update_last_modified()
+CREATE FUNCTION internal.update_last_modified()
 RETURNS TRIGGER AS $$
 BEGIN
  NEW.last_modified_at = CLOCK_TIMESTAMP();
  NEW.last_modified_by = (current_setting('request.jwt.claims', true)::JSON->>'user_id')::UUID;
+
+  IF TG_TABLE_NAME != 'website' THEN
+    UPDATE internal.website
+    SET 
+      last_modified_at = NEW.last_modified_at,
+      last_modified_by = NEW.last_modified_by
+    WHERE id = 
+      CASE
+        WHEN TG_TABLE_NAME = 'settings' THEN NEW.website_id
+        WHEN TG_TABLE_NAME = 'header' THEN NEW.website_id
+        WHEN TG_TABLE_NAME = 'home' THEN NEW.website_id
+        WHEN TG_TABLE_NAME = 'article' THEN NEW.website_id
+        WHEN TG_TABLE_NAME = 'footer' THEN NEW.website_id
+        WHEN TG_TABLE_NAME = 'collab' THEN NEW.website_id
+      END;
+  END IF;
+
  RETURN NEW;
 END;
-$$ LANGUAGE plpgsql;
+$$ LANGUAGE plpgsql SECURITY DEFINER;

 CREATE TRIGGER update_website_last_modified
 BEFORE UPDATE ON internal.website
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 CREATE TRIGGER update_settings_last_modified
 BEFORE UPDATE ON internal.settings
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 CREATE TRIGGER update_header_last_modified
 BEFORE UPDATE ON internal.header
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 CREATE TRIGGER update_home_last_modified
 BEFORE UPDATE ON internal.home
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 CREATE TRIGGER update_article_last_modified
-BEFORE UPDATE ON internal.article
+BEFORE INSERT OR UPDATE OR DELETE ON internal.article
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 CREATE TRIGGER update_footer_last_modified
 BEFORE UPDATE ON internal.footer
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 CREATE TRIGGER update_collab_last_modified
 BEFORE UPDATE ON internal.collab
 FOR EACH ROW
-EXECUTE FUNCTION update_last_modified();
+EXECUTE FUNCTION internal.update_last_modified();

 -- migrate:down
 DROP TRIGGER update_website_last_modified ON internal.website;
@@ -52,4 +69,4 @@ DROP TRIGGER update_article_last_modified ON internal.article;
 DROP TRIGGER update_footer_last_modified ON internal.footer;
 DROP TRIGGER update_collab_last_modified ON internal.collab;

-DROP FUNCTION update_last_modified();
+DROP FUNCTION internal.update_last_modified();
--- a/web-app/src/routes/(authenticated)/website/[websiteId]/collaborators/+page.svelte
+++ b/web-app/src/routes/(authenticated)/website/[websiteId]/collaborators/+page.svelte
@@ -50,10 +50,10 @@
    </Modal>
  </section>

+  {#if data.collaborators.length > 0}
    <section>
      <h2>All collaborators</h2>

-    {#if data.collaborators.length > 0}
      {#each data.collaborators as { website_id, user_id, permission_level, user: { username } } (`${website_id}-${user_id}`)}
        <article class="collaborator-card">
          <h3>{username} ({permission_level})</h3>
@@ -109,8 +109,8 @@
          </div>
        </article>
      {/each}
-    {/if}
    </section>
+  {/if}
 </WebsiteEditor>

 <style>