mirror of
https://github.com/thiloho/archtika.git
synced 2025-11-22 02:41:35 +01:00
213 lines
6.3 KiB
PL/PgSQL
213 lines
6.3 KiB
PL/PgSQL
-- migrate:up
|
|
ALTER TABLE internal.user ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.website ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.media ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.settings ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.header ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.home ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.article ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.footer ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.collab ENABLE ROW LEVEL SECURITY;
|
|
|
|
CREATE FUNCTION internal.user_has_website_access(website_id UUID, required_permission INTEGER DEFAULT 10)
|
|
RETURNS BOOLEAN AS $$
|
|
DECLARE
|
|
_user_id UUID;
|
|
_has_access BOOLEAN;
|
|
BEGIN
|
|
_user_id := (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID;
|
|
|
|
SELECT EXISTS (
|
|
SELECT 1
|
|
FROM internal.website
|
|
WHERE id = website_id AND user_id = _user_id
|
|
) INTO _has_access;
|
|
|
|
IF _has_access THEN
|
|
RETURN _has_access;
|
|
END IF;
|
|
|
|
SELECT EXISTS (
|
|
SELECT 1
|
|
FROM internal.collab c
|
|
WHERE c.website_id = user_has_website_access.website_id
|
|
AND c.user_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
|
|
AND c.permission_level >= user_has_website_access.required_permission
|
|
) INTO _has_access;
|
|
|
|
RETURN _has_access;
|
|
END;
|
|
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
|
|
|
|
|
CREATE POLICY view_user ON internal.user
|
|
FOR SELECT
|
|
USING (true);
|
|
|
|
CREATE POLICY view_websites ON internal.website
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(id, 10));
|
|
|
|
CREATE POLICY update_website ON internal.website
|
|
FOR UPDATE
|
|
USING (internal.user_has_website_access(id, 20));
|
|
|
|
CREATE POLICY delete_website ON internal.website
|
|
FOR DELETE
|
|
USING (internal.user_has_website_access(id, 40));
|
|
|
|
|
|
CREATE POLICY view_media ON internal.media
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY insert_media ON internal.media
|
|
FOR INSERT
|
|
WITH CHECK (internal.user_has_website_access(website_id, 20));
|
|
|
|
|
|
CREATE POLICY view_settings ON internal.settings
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY update_settings ON internal.settings
|
|
FOR UPDATE
|
|
USING (internal.user_has_website_access(website_id, 20));
|
|
|
|
|
|
CREATE POLICY view_header ON internal.header
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY update_header ON internal.header
|
|
FOR UPDATE
|
|
USING (internal.user_has_website_access(website_id, 20));
|
|
|
|
|
|
CREATE POLICY view_home ON internal.home
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY update_home ON internal.home
|
|
FOR UPDATE
|
|
USING (internal.user_has_website_access(website_id, 20));
|
|
|
|
|
|
CREATE POLICY view_articles ON internal.article
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY update_article ON internal.article
|
|
FOR UPDATE
|
|
USING (internal.user_has_website_access(website_id, 20));
|
|
|
|
CREATE POLICY delete_article ON internal.article
|
|
FOR DELETE
|
|
USING (
|
|
internal.user_has_website_access(website_id, 30)
|
|
OR
|
|
(
|
|
internal.user_has_website_access(website_id, 20)
|
|
AND
|
|
user_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
|
|
)
|
|
);
|
|
|
|
CREATE POLICY insert_article ON internal.article
|
|
FOR INSERT
|
|
WITH CHECK (internal.user_has_website_access(website_id, 20));
|
|
|
|
|
|
CREATE POLICY view_footer ON internal.footer
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY update_footer ON internal.footer
|
|
FOR UPDATE
|
|
USING (internal.user_has_website_access(website_id, 20));
|
|
|
|
|
|
CREATE POLICY view_collaborations ON internal.collab
|
|
FOR SELECT
|
|
USING (internal.user_has_website_access(website_id, 10));
|
|
|
|
CREATE POLICY insert_collaborations ON internal.collab
|
|
FOR INSERT
|
|
WITH CHECK (
|
|
CASE
|
|
WHEN internal.user_has_website_access(website_id, 40) THEN
|
|
true
|
|
WHEN internal.user_has_website_access(website_id, 30) THEN
|
|
(user_id != (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID)
|
|
AND
|
|
(permission_level < 30)
|
|
ELSE
|
|
false
|
|
END
|
|
);
|
|
|
|
CREATE POLICY update_collaborations ON internal.collab
|
|
FOR UPDATE
|
|
USING (
|
|
CASE
|
|
WHEN internal.user_has_website_access(website_id, 40) THEN
|
|
true
|
|
WHEN internal.user_has_website_access(website_id, 30) THEN
|
|
(user_id != (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID)
|
|
AND
|
|
(permission_level < 30)
|
|
ELSE
|
|
false
|
|
END
|
|
);
|
|
|
|
CREATE POLICY delete_collaborations ON internal.collab
|
|
FOR DELETE
|
|
USING (
|
|
CASE
|
|
WHEN internal.user_has_website_access(website_id, 40) THEN
|
|
TRUE
|
|
WHEN internal.user_has_website_access(website_id, 30) THEN
|
|
(user_id != (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID)
|
|
AND
|
|
(permission_level < 30)
|
|
ELSE
|
|
FALSE
|
|
END
|
|
);
|
|
|
|
|
|
-- migrate:down
|
|
DROP POLICY view_user ON internal.user;
|
|
DROP POLICY view_websites ON internal.website;
|
|
DROP POLICY delete_website ON internal.website;
|
|
DROP POLICY update_website ON internal.website;
|
|
DROP POLICY view_media ON internal.media;
|
|
DROP POLICY insert_media ON internal.media;
|
|
DROP POLICY view_settings ON internal.settings;
|
|
DROP POLICY update_settings ON internal.settings;
|
|
DROP POLICY view_header ON internal.header;
|
|
DROP POLICY update_header ON internal.header;
|
|
DROP POLICY view_home ON internal.home;
|
|
DROP POLICY update_home ON internal.home;
|
|
DROP POLICY view_articles ON internal.article;
|
|
DROP POLICY update_article ON internal.article;
|
|
DROP POLICY delete_article ON internal.article;
|
|
DROP POLICY insert_article ON internal.article;
|
|
DROP POLICY view_footer ON internal.footer;
|
|
DROP POLICY update_footer ON internal.footer;
|
|
DROP POLICY view_collaborations ON internal.collab;
|
|
DROP POLICY insert_collaborations ON internal.collab;
|
|
DROP POLICY update_collaborations ON internal.collab;
|
|
DROP POLICY delete_collaborations ON internal.collab;
|
|
DROP FUNCTION internal.user_has_website_access(UUID, INTEGER);
|
|
|
|
ALTER TABLE internal.user DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.website DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.media DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.settings DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.header DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.home DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.article DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.footer DISABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE internal.collab DISABLE ROW LEVEL SECURITY; |