From c0288d2980337c3058304686a7ff0e2497c96190 Mon Sep 17 00:00:00 2001
From: thiloho <123883702+thiloho@users.noreply.github.com>
Date: Tue, 10 Sep 2024 18:13:00 +0200
Subject: [PATCH] GRANT anon users image viewing functionality
---
 .../migrations/20240724191017_row_level_security.sql | 12 ------------
 .../20240808141708_collaborator_not_owner.sql | 3 +--
 .../20240810115846_image_upload_function.sql | 2 ++
 3 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/rest-api/db/migrations/20240724191017_row_level_security.sql b/rest-api/db/migrations/20240724191017_row_level_security.sql
index 61c256c..eecd7db 100644
--- a/rest-api/db/migrations/20240724191017_row_level_security.sql
+++ b/rest-api/db/migrations/20240724191017_row_level_security.sql
@@ -81,14 +81,6 @@ CREATE POLICY delete_website ON internal.website
 FOR DELETE
 USING (internal.user_has_website_access (id, 40));
 
-CREATE POLICY view_media ON internal.media
- FOR SELECT
- USING (internal.user_has_website_access (website_id, 10));
-
-CREATE POLICY insert_media ON internal.media
- FOR INSERT
- WITH CHECK (internal.user_has_website_access (website_id, 20));
-
 CREATE POLICY view_settings ON internal.settings
 FOR SELECT
 USING (internal.user_has_website_access (website_id, 10));
@@ -194,10 +186,6 @@ DROP POLICY delete_website ON internal.website;
 
 DROP POLICY update_website ON internal.website;
 
-DROP POLICY view_media ON internal.media;
-
-DROP POLICY insert_media ON internal.media;
-
 DROP POLICY view_settings ON internal.settings;
 
 DROP POLICY update_settings ON internal.settings;
diff --git a/rest-api/db/migrations/20240808141708_collaborator_not_owner.sql b/rest-api/db/migrations/20240808141708_collaborator_not_owner.sql
index cc3a11f..8cbfbc2 100644
--- a/rest-api/db/migrations/20240808141708_collaborator_not_owner.sql
+++ b/rest-api/db/migrations/20240808141708_collaborator_not_owner.sql
@@ -17,8 +17,7 @@ END IF;
 RETURN NEW;
 END;
 $$
-LANGUAGE plpgsql
-SECURITY DEFINER;
+LANGUAGE plpgsql;
 
 CREATE CONSTRAINT TRIGGER check_user_not_website_owner
 AFTER INSERT ON internal.collab
diff --git a/rest-api/db/migrations/20240810115846_image_upload_function.sql b/rest-api/db/migrations/20240810115846_image_upload_function.sql
index af6d115..7a801bf 100644
--- a/rest-api/db/migrations/20240810115846_image_upload_function.sql
+++ b/rest-api/db/migrations/20240810115846_image_upload_function.sql
@@ -72,6 +72,8 @@ SECURITY DEFINER;
 
 GRANT EXECUTE ON FUNCTION api.upload_file (BYTEA) TO authenticated_user;
 
+GRANT EXECUTE ON FUNCTION api.retrieve_file (UUID) TO anon;
+
 GRANT EXECUTE ON FUNCTION api.retrieve_file (UUID) TO authenticated_user;
 
 -- migrate:down
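Review bot: With `SECURITY DEFINER` dropped from this trigger function, any query in its body now runs as the role performing the insert into `internal.collab` and is filtered by that role's row-level security policies. The body starts outside the hunk, so this is inferred, but if the ownership check reads `internal.website`, a row hidden from the caller would make the check pass rather than raise. Document the dependency above the function, for example `-- SECURITY INVOKER: the owner lookup is subject to RLS; callers must be able to SELECT the website row.`, and cover it with a test that runs the insert as a non-owner collaborator.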
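Review bot: `GRANT EXECUTE ON FUNCTION api.retrieve_file (UUID) TO anon;` makes knowledge of a media id the only condition for reading a file, and nothing next to the grant records that this is intended. The same commit removes the `view_media` and `insert_media` policies, so the `internal.user_has_website_access (website_id, ...)` checks no longer apply to `internal.media`; whether row-level security stays enabled on that table, and what `api.retrieve_file` checks itself, is outside the visible lines and should be confirmed. If public reads are the design, say so at the grant, e.g. `-- Public by design: any caller holding a media id can read the file; ids must be random and never enumerable by anon.`. The `SECURITY DEFINER;` in the hunk header suggests the function defined above runs with its owner's rights, in which case it should also pin `search_path`.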