From 561fb6af6fff37b7b30f8ba30e72282cd820176f Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Tue, 2 May 2017 21:54:16 -0500 Subject: [PATCH] Cleanup: re-structure the database sql for standard and reservation To avoid having duplicate queries, I moved all the permission related information for standard into a separate sql file. - This allows for referencing the standard sql files as part of the install, without having to modify them for name changes. The only files that should need to be replaced from standard are standard-first.sql, standard-permissions.sql, and standard-last.sql. I changed all references of u_standard and r_standard to u_reservation and r_reservation to generate the reservation specific versions of standard-first.sql, standard-permissions.sql, and standard-last. - These changes were saved in their respective reservation equivalent files: reservation-first.sql, reservation-permissions.sql, and reservation-last. While making these changes, I noticed that there is a way to disable all triggers for a table so that I can alter content without a trigger being 'triggered'. - This made it easy for me to move some special cases to the standard-permissions.sql file. --- database/sql/reservation/order.install | 21 +- .../sql/reservation/reservation-associations.sql | 17 +- database/sql/reservation/reservation-dates.sql | 7 +- database/sql/reservation/reservation-fields.sql | 15 +- database/sql/reservation/reservation-files.sql | 97 ---- database/sql/reservation/reservation-groups.sql | 273 ---------- database/sql/reservation/reservation-last.sql | 9 +- database/sql/reservation/reservation-legal.sql | 15 +- .../sql/reservation/reservation-log_groups.sql | 135 ----- .../sql/reservation/reservation-log_problems.sql | 114 ---- database/sql/reservation/reservation-log_types.sql | 144 ------ database/sql/reservation/reservation-log_users.sql | 210 -------- database/sql/reservation/reservation-main.sql | 329 ------------ database/sql/reservation/reservation-paths.sql | 156 ------ ...ation-users.sql => reservation-permissions.sql} | 516 ++++++++++--------- database/sql/reservation/reservation-requests.sql | 35 +- .../sql/reservation/reservation-statistics.sql | 65 +-- database/sql/reservation/reservation-types.sql | 152 ------ database/sql/reservation/reservation-workflow.sql | 2 +- database/sql/standard/order.install | 2 + database/sql/standard/standard-files.sql | 8 - database/sql/standard/standard-groups.sql | 33 +- database/sql/standard/standard-last.sql | 7 + database/sql/standard/standard-log_groups.sql | 14 - database/sql/standard/standard-log_problems.sql | 17 - database/sql/standard/standard-log_types.sql | 16 +- database/sql/standard/standard-log_users.sql | 19 - database/sql/standard/standard-main.sql | 13 - database/sql/standard/standard-paths.sql | 8 - database/sql/standard/standard-permissions.sql | 571 +++++++++++++++++++++ database/sql/standard/standard-statistics.sql | 66 --- database/sql/standard/standard-types.sql | 18 - database/sql/standard/standard-users.sql | 393 +------------- 33 files changed, 872 insertions(+), 2625 deletions(-) delete mode 100644 database/sql/reservation/reservation-files.sql delete mode 100644 database/sql/reservation/reservation-groups.sql delete mode 100644 database/sql/reservation/reservation-log_groups.sql delete mode 100644 database/sql/reservation/reservation-log_problems.sql delete mode 100644 database/sql/reservation/reservation-log_types.sql delete mode 100644 database/sql/reservation/reservation-log_users.sql delete mode 100644 database/sql/reservation/reservation-main.sql delete mode 100644 database/sql/reservation/reservation-paths.sql rename database/sql/reservation/{reservation-users.sql => reservation-permissions.sql} (51%) delete mode 100644 database/sql/reservation/reservation-types.sql create mode 100644 database/sql/standard/standard-permissions.sql diff --git a/database/sql/reservation/order.install b/database/sql/reservation/order.install index c925a28..568e79e 100644 --- a/database/sql/reservation/order.install +++ b/database/sql/reservation/order.install @@ -1,13 +1,15 @@ reservation-first -reservation-main -reservation-users -reservation-groups -reservation-types -reservation-paths -reservation-log_types -reservation-log_groups -reservation-log_problems -reservation-log_users +standard-main +standard-users +standard-groups +standard-types +standard-files +standard-paths +standard-log_types +standard-log_groups +standard-log_problems +standard-log_users +standard-statistics reservation-dates reservation-fields reservation-associations @@ -15,4 +17,5 @@ reservation-requests reservation-workflow reservation-statistics reservation-legal +reservation-permissions reservation-last diff --git a/database/sql/reservation/reservation-associations.sql b/database/sql/reservation/reservation-associations.sql index 1d4e0d4..515ff14 100644 --- a/database/sql/reservation/reservation-associations.sql +++ b/database/sql/reservation/reservation-associations.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Associations **/ +/** Reservation SQL Structure - Associations **/ /** This depends on: reservation-fields.sql **/ start transaction; @@ -63,11 +63,6 @@ create table s_tables.t_associations ( create sequence s_tables.se_associations_id owned by s_tables.t_associations.id; alter table s_tables.t_associations alter column id set default nextval('s_tables.se_associations_id'::regclass); -grant select,insert,update on s_tables.t_associations to r_reservation_manager; -grant select on s_tables.t_associations to r_reservation_auditor; -grant select,usage on s_tables.se_associations_id to r_reservation_manager; -grant usage on s_tables.se_associations_id to r_reservation_requester, r_reservation_reviewer; - /* @todo: should associations allow names that begin with numbers? */ /* Note: id_sort is not needed when directly validating against id or name_machine because both of those are already an index. */ create index i_associations_id_sort_a on s_tables.t_associations (id_sort) with (fillfactor = 100) where id_sort = 97; @@ -105,8 +100,6 @@ create view s_users.v_associations_self with (security_barrier=true) as select id, id_manager, id_coordinator, id_group, id_sort, name_machine, name_human, is_approved, is_cancelled, is_denied, is_troubled, is_locked, date_created, date_changed, date_synced, date_approved, date_cancelled, date_denied, date_troubled, date_locked, field_affiliation, field_classification from s_tables.t_associations where not is_deleted and (id_manager in (select * from this_user) or id_group in (select * from allowed_groups)); -grant select on s_users.v_associations_self to r_reservation_requester, r_reservation_reviewer; - /*** provide current user access to associations who they are assigned as the manager of ***/ create view s_users.v_associations_manage with (security_barrier=true) as @@ -114,8 +107,6 @@ create view s_users.v_associations_manage with (security_barrier=true) as select id, id_creator, id_coordinator, id_group, id_sort, name_machine, name_human, is_approved, is_cancelled, is_denied, is_troubled, is_locked, date_created, date_changed, date_synced, date_approved, date_cancelled, date_denied, date_troubled, date_locked, field_affiliation, field_classification from s_tables.t_associations where not is_deleted and id_manager in (select * from this_user); -grant select on s_users.v_associations_manage to r_reservation_requester, r_reservation_reviewer; - /*** provide current user access to associations who they are assigned as the coordinator of ***/ create view s_users.v_associations_coordinate with (security_barrier=true) as @@ -123,8 +114,6 @@ create view s_users.v_associations_coordinate with (security_barrier=true) as select id, id_creator, id_manager, id_group, id_sort, name_machine, name_human, is_approved, is_cancelled, is_denied, is_troubled, is_locked, date_created, date_changed, date_synced, date_approved, date_cancelled, date_denied, date_troubled, date_locked, field_affiliation, field_classification from s_tables.t_associations where not is_deleted and id_coordinator in (select * from this_user); -grant select on s_users.v_associations_coordinate to r_reservation_requester, r_reservation_reviewer; - /** provide current user access to insert their own associations (with them as the manager) **/ create view s_users.v_associations_self_insert with (security_barrier=true) as @@ -132,8 +121,6 @@ create view s_users.v_associations_self_insert with (security_barrier=true) as where not is_deleted and id_manager in (select id from v_users_self_locked_not) with check option; -grant insert on s_users.v_associations_self_insert to r_reservation_requester, r_reservation_reviewer; - /** provide current user access to update associations they manager **/ create view s_users.v_associations_self_update with (security_barrier=true) as @@ -141,8 +128,6 @@ create view s_users.v_associations_self_update with (security_barrier=true) as where not is_deleted and id_manager in (select id from v_users_self_locked_not) with check option; -grant update on s_users.v_associations_self_update to r_reservation_requester, r_reservation_reviewer; - create trigger tr_associations_update_date_changed_deleted_or_locked before update on s_tables.t_associations diff --git a/database/sql/reservation/reservation-dates.sql b/database/sql/reservation/reservation-dates.sql index d47b878..8ff7df5 100644 --- a/database/sql/reservation/reservation-dates.sql +++ b/database/sql/reservation/reservation-dates.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Dates **/ +/** Reservation SQL Structure - Dates **/ /** This depends on: reservation-main.sql **/ start transaction; @@ -38,9 +38,6 @@ create table s_tables.t_date_contexts ( create sequence s_tables.se_date_contexts_id owned by s_tables.t_date_contexts.id; alter table s_tables.t_date_contexts alter column id set default nextval('s_tables.se_date_contexts_id'::regclass); -grant select,insert,update on s_tables.t_date_contexts to r_reservation_manager; -grant select on s_tables.t_date_contexts to r_reservation_auditor; -grant select,usage on s_tables.se_date_contexts_id to r_reservation_manager; create index i_date_contexts_deleted_not on s_tables.t_date_contexts (id) where not is_deleted; @@ -53,8 +50,6 @@ create view s_requesters.v_date_contexts with (security_barrier=true) as select id, id_external, name_machine, name_human, is_locked from s_tables.t_date_contexts where not is_deleted; -grant select on s_requesters.v_date_contexts to r_reservation_requester, r_reservation_reviewer; - create trigger tr_date_contexts_update_date_changed_deleted_or_locked before update on s_tables.t_date_contexts diff --git a/database/sql/reservation/reservation-fields.sql b/database/sql/reservation/reservation-fields.sql index bc9a73c..ec44221 100644 --- a/database/sql/reservation/reservation-fields.sql +++ b/database/sql/reservation/reservation-fields.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Fields **/ +/** Reservation SQL Structure - Fields **/ /** This depends on: reservation-users.sql **/ start transaction; @@ -38,9 +38,6 @@ create table s_tables.t_field_affiliations ( create sequence s_tables.se_field_affiliations_id owned by s_tables.t_field_affiliations.id; alter table s_tables.t_field_affiliations alter column id set default nextval('s_tables.se_field_affiliations_id'::regclass); -grant select,insert,update on s_tables.t_field_affiliations to r_reservation_manager; -grant select on s_tables.t_field_affiliations to r_reservation_auditor; -grant select,usage on s_tables.se_field_affiliations_id to r_reservation_manager; create index i_field_affiliations_deleted_not on s_tables.t_field_affiliations (id) where not is_deleted; @@ -48,12 +45,11 @@ create index i_field_affiliations_deleted_not on s_tables.t_field_affiliations ( create index i_field_affiliations_locked_not on s_tables.t_field_affiliations (id) where not is_deleted and not is_locked; + create view s_users.v_field_affiliations with (security_barrier=true) as select id, id_external, name_machine, name_human, is_locked from s_tables.t_field_affiliations where not is_deleted; -grant select on s_users.v_field_affiliations to r_reservation, r_reservation_system; - create trigger tr_field_affiliations_update_date_changed_deleted_or_locked before update on s_tables.t_field_affiliations @@ -86,9 +82,6 @@ create table s_tables.t_field_classifications ( create sequence s_tables.se_field_classifications_id owned by s_tables.t_field_classifications.id; alter table s_tables.t_field_classifications alter column id set default nextval('s_tables.se_field_classifications_id'::regclass); -grant select,insert,update on s_tables.t_field_classifications to r_reservation_manager; -grant select on s_tables.t_field_classifications to r_reservation_auditor; -grant select,usage on s_tables.se_field_classifications_id to r_reservation_manager; create index i_field_classifications_deleted_not on s_tables.t_field_classifications (id) where not is_deleted; @@ -101,8 +94,6 @@ create view s_users.v_field_classifications with (security_barrier=true) as select id, id_external, name_machine, name_human, is_locked from s_tables.t_field_classifications where not is_deleted; -grant select on s_users.v_field_classifications to r_reservation, r_reservation_system; - create trigger tr_field_classifications_update_date_changed_deleted_or_locked before update on s_tables.t_field_classifications @@ -110,4 +101,6 @@ create trigger tr_field_classifications_update_date_changed_deleted_or_locked /** @todo: create all field types needed for f_requests fields **/ + + commit transaction; diff --git a/database/sql/reservation/reservation-files.sql b/database/sql/reservation/reservation-files.sql deleted file mode 100644 index 604a38a..0000000 --- a/database/sql/reservation/reservation-files.sql +++ /dev/null @@ -1,97 +0,0 @@ -/** Standardized SQL Structure - Files **/ -/** This depends on: reservation-users.sql, reservation-types.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -create table s_tables.t_files ( - id bigint not null, - id_creator bigint not null, - id_creator_session bigint not null, - id_type bigint not null, - id_group bigint, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_private boolean default true not null, - is_locked boolean default false not null, - is_deleted boolean default false not null, - is_system boolean default false not null, - is_user boolean default false not null, - - field_data bytea not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - constraint cp_files primary key (id), - - constraint cu_files_name_machine unique (name_machine), - constraint cu_files_field_path unique (field_path), - - constraint cc_files_id check (id > 0), - constraint cc_files_name_machine check (name_machine ~ '[A-Za-z]\w*'), - - constraint cf_files_id_creator foreign key (id_creator) references s_tables.t_users (id) on delete cascade on update cascade, - constraint cf_files_id_creator_session foreign key (id_creator_session) references s_tables.t_users (id) on delete cascade on update cascade, - constraint cf_files_id_type foreign key (id_type) references s_tables.t_file_types (id) on delete restrict on update cascade, - constraint cf_files_id_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade -); - -create sequence s_tables.se_files_id owned by s_tables.t_files.id; -alter table s_tables.t_files alter column id set default nextval('s_tables.se_files_id'::regclass); - -grant select,insert,update on s_tables.t_files to r_reservation_administer; -grant select on s_tables.t_files to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_files_id to r_reservation_administer; -grant usage on s_tables.se_files_id to r_reservation, r_reservation_system; - -create index i_files_deleted_not on s_tables.t_files (id) - where not is_deleted; - -create index i_files_private_not on s_tables.t_files (id) - where not is_deleted and not is_private; - -create index i_files_locked_not on s_tables.t_files (id) - where not is_deleted and not is_locked; - -create index i_files_public on s_tables.t_files (id) - where not is_deleted and not is_locked and not is_private; - - -create view s_users.v_files with (security_barrier=true) as - with allowed_groups as (select id from s_users.v_groups_self) - select id, id_type, id_group, name_machine, name_human, is_private, date_created, date_changed from s_tables.t_files - where not is_deleted and (not is_locked or id_group in (select * from allowed_groups)) and (not is_private or (is_private and id_group in (select * from allowed_groups))); - -grant select on s_users.v_files to r_reservation, r_reservation_system; - -create view public.v_files with (security_barrier=true) as - select id, id_type, NULL::bigint as id_group, name_machine, name_human, NULL::bool as is_private, NULL::bool as date_created, NULL::bool as date_changed from s_tables.t_files - where not is_deleted and not is_locked and not is_private; - -grant select on public.v_path_types to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_files_date_changed_deleted_or_locked - before update on s_tables.t_files - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - -create trigger tr_files_enforce_creator_and_session_ids - before insert on s_tables.t_files - for each row execute procedure s_administers.f_common_enforce_creator_and_session_ids(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-groups.sql b/database/sql/reservation/reservation-groups.sql deleted file mode 100644 index eeaf445..0000000 --- a/database/sql/reservation/reservation-groups.sql +++ /dev/null @@ -1,273 +0,0 @@ -/** Standardized SQL Structure - Groups */ -/** This depends on: reservation-users.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - -/* Note about composite groups (is_composite) - Instead of having an array of multiple groups assigned to one entity or having a table of group and entity associates, use a group that logically represents multiple groups. - For example, if I want to add both group_1 and group_2 to entity_a, then I can create group_3 and put all users from group_1 and group_2 in it. - @todo: I will likely need to create a composite groups table to manage the relations between a composite group and its non-composites for management purposes. - - @todo: with this composite groups design, I can get rid of the user to groups table and need users only to be assigned to a single (composite) group. - the current flaw with this design may be with access control in creating or auto-creating composite groups. -*/ - -/** Groups **/ -create table s_tables.t_groups ( - id bigint not null, - id_external bigint, - id_manager bigint, - - id_sort smallint default 0, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - is_composite boolean default false not null, - is_user boolean default false not null, - - can_manage_paths boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_synced timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - settings json, - - constraint cp_groups primary key (id), - - constraint cc_groups_id check (id > 0), - constraint cc_groups_id_external check (id_external >= -1), - constraint cc_groups_name_machine check (name_machine ~ '[A-Za-z]\w*'), - - constraint cu_groups_id_external unique (id_external), - constraint cu_groups_name_machine unique (name_machine), - - constraint cf_groups_manager foreign key (id_manager) references s_tables.t_users (id) on delete restrict on update cascade -); - -create sequence s_tables.se_groups_id owned by s_tables.t_groups.id; -alter table s_tables.t_groups alter column id set default nextval('s_tables.se_groups_id'::regclass); - -grant select,insert,update on s_tables.t_groups to r_reservation_manager, u_reservation_groups_handler; -grant select on s_tables.t_groups to r_reservation_auditor; -grant select,usage on s_tables.se_groups_id to r_reservation_manager; -grant usage on s_tables.se_groups_id to r_reservation, r_reservation_system, u_reservation_groups_handler; - -/* Note: id_sort is not needed when directly validating against id or name_machine because both of those are already an index. */ -create index i_groups_id_sort_a on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 97; -create index i_groups_id_sort_b on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 98; -create index i_groups_id_sort_c on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 99; -create index i_groups_id_sort_d on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 100; -create index i_groups_id_sort_e on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 101; -create index i_groups_id_sort_f on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 102; -create index i_groups_id_sort_g on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 103; -create index i_groups_id_sort_h on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 104; -create index i_groups_id_sort_i on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 105; -create index i_groups_id_sort_j on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 106; -create index i_groups_id_sort_k on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 107; -create index i_groups_id_sort_l on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 108; -create index i_groups_id_sort_m on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 109; -create index i_groups_id_sort_n on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 110; -create index i_groups_id_sort_o on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 111; -create index i_groups_id_sort_p on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 112; -create index i_groups_id_sort_q on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 113; -create index i_groups_id_sort_r on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 114; -create index i_groups_id_sort_s on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 115; -create index i_groups_id_sort_t on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 116; -create index i_groups_id_sort_u on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 117; -create index i_groups_id_sort_v on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 118; -create index i_groups_id_sort_w on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 119; -create index i_groups_id_sort_x on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 120; -create index i_groups_id_sort_y on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 121; -create index i_groups_id_sort_z on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 122; - -/* only allow one user group per user. */ -create unique index i_groups_one_user_group on s_tables.t_groups (id_manager) where is_user; - - -/*** provide group managers access to manage their groups ***/ -create view s_users.v_groups_manage_self with (security_barrier=true) as - with this_user as (select id from v_users_self_locked_not) - select id, id_external, name_machine, name_human, is_locked, is_composite, is_user, can_manage_paths, settings from s_tables.t_groups - where not is_deleted and id_manager in (select * from this_user); - -grant select on s_users.v_groups_manage_self to r_reservation, r_reservation_system; - -create view s_users.v_groups_manage_update with (security_barrier=true) as - select id, id_external, name_machine, name_human, is_locked, is_composite, is_user, can_manage_paths, settings from s_tables.t_groups - where not is_deleted and id_manager in (select id from v_users_self_locked_not) - with check option; - -grant update on s_users.v_groups_manage_update to r_reservation, r_reservation_system; - - -/** each user shall have their own group. - Note: this violates the naming standard where group name should be first, such as 'group_kday' instead of 'kday_group'. - This is done specifically because of the id_sort index optimization. - name_machine is used instad of name_human for the group human name because name_machine is guaranteed to exist. -**/ -create function s_administers.f_groups_group_user_insert() returns trigger security definer as $$ - begin - insert into s_tables.t_groups (id_manager, name_machine, name_human, is_user) values (new.id, new.name_machine || '_user', 'User: ' || new.name_machine, true); - - return null; - end; -$$ language plpgsql; - -alter function s_administers.f_groups_group_user_insert () owner to u_reservation_groups_handler; - -create function s_administers.f_groups_group_user_update() returns trigger security definer as $$ - begin - if (old.name_machine <> new.name_machine) then - update s_tables.t_groups set name_machine = new.name_machine || '_user', name_human = 'User: ' || new.name_machine, is_locked = new.is_locked, is_deleted = new.is_deleted where id_manager = new.id and is_user; - elseif (old.is_deleted <> new.is_deleted) then - update s_tables.t_groups set is_locked = new.is_locked, is_deleted = new.is_deleted where id_manager = new.id and is_user; - elseif (old.is_locked <> new.is_locked) then - update s_tables.t_groups set is_locked = new.is_locked where id_manager = new.id and is_user; - end if; - - return null; - end; -$$ language plpgsql; - -alter function s_administers.f_groups_group_user_update () owner to u_reservation_groups_handler; - - -create trigger tr_groups_group_user_insert - after insert on s_tables.t_users - for each row execute procedure s_administers.f_groups_group_user_insert(); - -create trigger tr_groups_group_user_update - after update on s_tables.t_users - for each row execute procedure s_administers.f_groups_group_user_update(); - - -/** Groups to Users Association **/ -create table s_tables.t_group_users ( - id_user bigint not null, - id_group bigint not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - constraint cp_group_users unique (id_user, id_group), - - constraint cf_group_users_user foreign key (id_user) references s_tables.t_users (id) on delete restrict on update cascade, - - constraint cf_group_users_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade -); - -grant select,insert,update on s_tables.t_groups to r_reservation_manager; -grant select on s_tables.t_groups to r_reservation_auditor; - - -/*** provide current user access to their own information ***/ -create view s_users.v_groups_self with (security_barrier=true) as - with allowed_groups as (select id_group from s_tables.t_group_users where not is_deleted and not is_locked and id_user in (select id from v_users_self_locked_not)) - select id, id_external, id_manager, name_machine, name_human, is_locked, is_composite, date_created, date_changed, date_synced, can_manage_paths, settings from s_tables.t_groups - where not is_deleted and id in (select * from allowed_groups); - -grant select on s_users.v_groups_self to r_reservation, r_reservation_system; - -/*** provide group managers access to manage users assigned to their groups (any user id less than 1000 is reserved/special case, prohibit those). ***/ -create view s_users.v_group_users_manage with (security_barrier=true) as - with managed_groups as (select id from s_tables.t_groups where not is_deleted and id_manager in (select id from v_users_self_locked_not)), - available_users as (select id from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public) - select id_user, id_group, is_locked from s_tables.t_group_users - where not is_deleted and id_group in (select * from managed_groups) and id_user in (select * from available_users); - -grant select on s_users.v_group_users_manage to r_reservation, r_reservation_system; - -create view s_users.v_group_users_manage_insert with (security_barrier=true) as - select id_user, id_group from s_tables.t_group_users - where not is_deleted and id_group in (select id from s_users.v_groups_manage_self) and id_group in (select id_group from s_tables.t_group_users where not is_deleted and not is_locked and id_user in (select id from v_users_self_locked_not)) and id_user in (select id from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public) - with check option; - -grant insert on s_users.v_group_users_manage_insert to r_reservation, r_reservation_system; - -create view s_users.v_group_users_manage_update with (security_barrier=true) as - select id_user, id_group from s_tables.t_group_users - where not is_deleted and id_group in (select id from s_users.v_groups_manage_self) and id_group in (select id_group from s_tables.t_group_users where not is_deleted and not is_locked and id_user in (select id from v_users_self_locked_not)) and id_user in (select id from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public) - with check option; - -grant update on s_users.v_group_users_manage_update to r_reservation, r_reservation_system; - - -create trigger tr_groups_users_date_changed_deleted_or_locked - before update on s_tables.t_group_users - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -/** Groups Composites **/ -create table s_tables.t_group_composites ( - id_composite bigint not null, - id_group bigint not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - constraint cu_group_composites_id unique (id_composite, id_group), - - constraint cf_group_composites_composite foreign key (id_composite) references s_tables.t_groups (id) on delete restrict on update cascade, - constraint cf_group_composites_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade -); - -grant select,insert,update,delete on s_tables.t_groups to r_reservation_manager; -grant select on s_tables.t_groups to r_reservation_auditor; - - -/*** provide group managers access to manage composite groups. ***/ -create view s_users.v_group_composites with (security_barrier=true) as - with allowed_groups as (select id from s_users.v_groups_self where not is_locked), - managed_groups as (select id from s_users.v_groups_manage_self where not is_locked) - select id_composite, id_group, is_locked from s_tables.t_group_composites - where not is_deleted and id_group in (select * from managed_groups) or id_group in (select * from allowed_groups); - -grant select on s_users.v_group_composites to r_reservation, r_reservation_system; - -create view s_users.v_group_composites_manage_insert with (security_barrier=true) as - select id_user, id_group from s_tables.t_group_users - where not is_deleted and id_group in (select id_group from s_users.v_group_users_manage where not is_locked) - with check option; - -grant insert on s_users.v_group_composites_manage_insert to r_reservation, r_reservation_system; - -create view s_users.v_group_composites_manage_update with (security_barrier=true) as - select id_user, id_group from s_tables.t_group_users - where not is_deleted and id_group in (select id_group from s_users.v_group_users_manage where not is_locked) - with check option; - -grant update on s_users.v_group_composites_manage_update to r_reservation, r_reservation_system; - - -create trigger tr_groups_date_changed_deleted_or_locked - before update on s_tables.t_group_composites - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-last.sql b/database/sql/reservation/reservation-last.sql index df385e3..70d3ad1 100644 --- a/database/sql/reservation/reservation-last.sql +++ b/database/sql/reservation/reservation-last.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Last */ +/** Reservation SQL Structure - Last */ /** This depends on: everything (run this absolutely last) **/ /** The purpose of this is to add all initial data after all appropriate triggers are defined. ***/ start transaction; @@ -385,6 +385,13 @@ alter sequence s_tables.se_users_id restart; /*** create hard-coded/internal user ids ***/ + +/** Special Cases: manually add the postgresql and public users first before with all triggers disabled (because some of the triggers depend on this table, recursively). **/ +alter table s_tables.t_users disable trigger all; +insert into s_tables.t_users (id, name_machine, name_human, is_private, is_public) values (1, 'u_reservation_public', (null, 'Unknown', null, null, null, 'Unknown'), false, true); +insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system) values (2, 'postgres', (null, 'Database', null, 'Administer', null, 'Database (Administer)'), true, true); +alter table s_tables.t_users enable trigger all; + insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system, is_administer) values (3, 'u_reservation_system_administer', (null, 'System', null, 'Administer', null, 'System (Administer)'), false, true, true); insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system, is_manager) values (4, 'u_reservation_system_manager', (null, 'System', null, 'Manager', null, 'System (Manager)'), false, true, true); insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system, is_auditor) values (5, 'u_reservation_system_auditor', (null, 'System', null, 'Auditor', null, 'System (Auditor)'), false, true, true); diff --git a/database/sql/reservation/reservation-legal.sql b/database/sql/reservation/reservation-legal.sql index be24a38..d96ec78 100644 --- a/database/sql/reservation/reservation-legal.sql +++ b/database/sql/reservation/reservation-legal.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Legal */ +/** Reservation SQL Structure - Legal */ /** This depends on: reservation-users.sql **/ start transaction; @@ -38,9 +38,6 @@ create table s_tables.t_legal_types ( create sequence s_tables.se_legal_types_id owned by s_tables.t_legal_types.id; alter table s_tables.t_legal_types alter column id set default nextval('s_tables.se_legal_types_id'::regclass); -grant select,insert,update on s_tables.t_legal_types to r_reservation_manager; -grant select on s_tables.t_legal_types to r_reservation_auditor; -grant select,usage on s_tables.se_legal_types_id to r_reservation_manager; create index i_legal_types_deleted_not on s_tables.t_legal_types (id) where not is_deleted; @@ -53,8 +50,6 @@ create view s_users.v_legal_types with (security_barrier=true) as select id, id_external, name_machine, name_human, is_locked from s_tables.t_legal_types where not is_deleted and not is_locked; -grant select on s_users.v_legal_types to r_reservation_auditor, r_reservation_requester; - create trigger tr_legal_types_date_changed_deleted_or_locked before update on s_tables.t_legal_types @@ -92,10 +87,6 @@ create table s_tables.t_signatures ( create sequence s_tables.se_signatures_id owned by s_tables.t_signatures.id; alter table s_tables.t_signatures alter column id set default nextval('s_tables.se_signatures_id'::regclass); -grant select,insert,update on s_tables.t_signatures to r_reservation_manager; -grant select on s_tables.t_signatures to r_reservation_auditor; -grant select,usage on s_tables.se_signatures_id to r_reservation_manager; -grant usage on s_tables.se_signatures_id to r_reservation, r_reservation_system; create index i_signatures_deleted_not on s_tables.t_signatures (id) where not is_deleted; @@ -107,8 +98,6 @@ create view s_users.v_signatures_self with (security_barrier=true) as select id, id_type, id_request, date_created, field_fingerprint, field_signature from s_tables.t_signatures where not is_deleted and id_creator in (select * from this_user); -grant select on s_users.v_signatures_self to r_reservation, r_reservation_system; - /** provide current user access to insert their own associations **/ create view s_users.v_signatures_self_insert with (security_barrier=true) as @@ -116,8 +105,6 @@ create view s_users.v_signatures_self_insert with (security_barrier=true) as where not is_deleted and id_creator in (select id from v_users_self_locked_not) with check option; -grant insert on s_users.v_signatures_self_insert to r_reservation, r_reservation_system; - create trigger tr_signatures_date_deleted before update on s_tables.t_signatures diff --git a/database/sql/reservation/reservation-log_groups.sql b/database/sql/reservation/reservation-log_groups.sql deleted file mode 100644 index 0c37a90..0000000 --- a/database/sql/reservation/reservation-log_groups.sql +++ /dev/null @@ -1,135 +0,0 @@ -/** Standardized SQL Structure - Logs - Groups */ -/** This depends on: reservation-groups.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/*** provide group activity logging ***/ -create table s_tables.t_log_groups ( - id bigint not null, - id_user bigint not null, - id_user_session bigint not null, - id_group bigint not null, - - log_type bigint not null, - log_type_sub bigint not null, - log_severity bigint not null, - log_facility bigint not null, - log_details json, - log_date timestamp with time zone default current_timestamp not null, - - constraint cp_log_groups primary key (id), - - constraint cc_log_groups_id check (id > 0), - - constraint cf_log_groups_id_user foreign key (id_user) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_groups_id_user_session foreign key (id_user_session) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_groups_id_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade, - constraint cf_log_groups_log_type foreign key (log_type) references s_tables.t_log_types (id) on delete restrict on update cascade, - constraint cf_log_groups_log_type_sub foreign key (log_type_sub) references s_tables.t_log_types (id) on delete restrict on update cascade, - constraint cf_log_groups_log_severity foreign key (log_severity) references s_tables.t_log_type_severitys (id) on delete restrict on update cascade, - constraint cf_log_groups_log_facility foreign key (log_facility) references s_tables.t_log_type_facilitys (id) on delete restrict on update cascade -); - -create sequence s_tables.se_log_groups_id owned by s_tables.t_log_groups.id; -alter table s_tables.t_log_groups alter column id set default nextval('s_tables.se_log_groups_id'::regclass); - -grant select,usage on s_tables.se_log_groups_id to r_reservation_manager, r_reservation_auditor; -grant usage on s_tables.se_log_groups_id to r_reservation, r_reservation_system; - - -/** only allow select and insert for users when user id is current user **/ -create view s_users.v_log_groups_self with (security_barrier=true) as - with this_user as (select id from v_users_self_locked_not) - select id, id_user, id_group, log_type, log_type_sub, log_severity, log_facility, log_details, log_date from s_tables.t_log_groups - where id_user in (select * from this_user); - -grant select on s_users.v_log_groups_self to r_reservation, r_reservation_system; - -create view s_users.v_log_groups_self_insert with (security_barrier=true) as - select id_group, log_type, log_type_sub, log_severity, log_facility, log_details from s_tables.t_log_groups - where id_user in (select id from v_users_self_locked_not) and id_group in (select id from s_users.v_groups_self where not is_locked) - with check option; - -grant insert on s_users.v_log_groups_self_insert to r_reservation, r_reservation_system; - - -create trigger tr_log_groups_date_changed_deleted_or_locked - before update on s_tables.t_log_groups - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - -create trigger tr_log_groups_enforce_user_and_session_ids - before insert on s_tables.t_log_groups - for each row execute procedure s_administers.f_common_enforce_user_and_session_ids(); - - - -/*** provide group user activity logging ***/ -create table s_tables.t_log_group_users ( - id bigint not null, - id_user bigint not null, - id_user_session bigint not null, - id_group bigint not null, - - log_type bigint not null, - log_type_sub bigint not null, - log_severity bigint not null, - log_facility bigint not null, - log_date timestamp with time zone default current_timestamp not null, - - constraint cp_log_group_users primary key (id), - - constraint cc_log_group_users_id check (id > 0), - - constraint cf_log_group_users_id_user foreign key (id_user) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_group_users_id_user_session foreign key (id_user_session) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_group_users_id_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade, - constraint cf_log_group_users_log_type foreign key (log_type) references s_tables.t_log_types (id) on delete restrict on update cascade, - constraint cf_log_group_users_log_type_sub foreign key (log_type_sub) references s_tables.t_log_types (id) on delete restrict on update cascade, - constraint cf_log_group_users_log_severity foreign key (log_severity) references s_tables.t_log_type_severitys (id) on delete restrict on update cascade, - constraint cf_log_group_users_log_facility foreign key (log_facility) references s_tables.t_log_type_facilitys (id) on delete restrict on update cascade -); - -create sequence s_tables.se_log_group_users_id owned by s_tables.t_log_group_users.id; -alter table s_tables.t_log_group_users alter column id set default nextval('s_tables.se_log_group_users_id'::regclass); - -grant select,usage on s_tables.se_log_group_users_id to r_reservation_manager, r_reservation_auditor; -grant usage on s_tables.se_log_group_users_id to r_reservation, r_reservation_system; - - -/** only allow select and insert for users when user id is current user **/ -create view s_users.v_log_group_users_self with (security_barrier=true) as - with this_user as (select id from v_users_self_locked_not), - allowed_groups as (select id from s_users.v_groups_self where not is_locked) - select id, id_user, id_group, log_type, log_type_sub, log_severity, log_facility, log_date from s_tables.t_log_group_users - where id_user in (select * from this_user) or id_group in (select * from allowed_groups); - -grant select on s_users.v_log_group_users_self to r_reservation, r_reservation_system; - -create view s_users.v_log_group_users_self_insert with (security_barrier=true) as - select id_group, log_type, log_type_sub, log_severity, log_facility from s_tables.t_log_group_users - where id_user in (select id from v_users_self_locked_not) and id_group in (select id from s_users.v_groups_self where not is_locked) - with check option; - -grant insert on s_users.v_log_group_users_self_insert to r_reservation, r_reservation_system; - - -create trigger tr_log_group_users_date_changed_deleted_or_locked - before update on s_tables.t_log_group_users - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - -create trigger tr_log_group_users_enforce_user_and_session_ids - before insert on s_tables.t_log_group_users - for each row execute procedure s_administers.f_common_enforce_user_and_session_ids(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-log_problems.sql b/database/sql/reservation/reservation-log_problems.sql deleted file mode 100644 index 5337653..0000000 --- a/database/sql/reservation/reservation-log_problems.sql +++ /dev/null @@ -1,114 +0,0 @@ -/** Standardized SQL Structure - Logs - Problems */ -/** This depends on: reservation-users.sql **/ -/* The problem logs are intended for temporary reporting of problems and are meant to allow permanent deletion. */ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/** Provide a log of problems, which are defined by the software. **/ -create table s_tables.t_log_problems ( - id bigint not null, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - - constraint cp_log_problems primary key (id), - - constraint cc_log_problems_id check (id > 0), - - constraint cu_log_problems_name_machine unique (name_machine) -); - -create sequence s_tables.se_log_problems_id owned by s_tables.t_log_problems.id; -alter table s_tables.t_log_problems alter column id set default nextval('s_tables.se_log_problems_id'::regclass); - -grant select,insert,update,delete on s_tables.t_log_problems to r_reservation_manager; -grant select on s_tables.t_log_problems to r_reservation_auditor; -grant select,usage on s_tables.se_log_problems_id to r_reservation_manager; -grant usage on s_tables.se_log_problems_id to r_reservation, r_reservation_system; - - - -/** Provide a log of problems, associated with a given user. **/ -create table s_tables.t_log_problems_users ( - id_problem bigint not null, - id_user bigint not null, - id_user_session bigint not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - - log_details json, - - constraint cp_log_problems_users primary key (id_problem, id_user), - - constraint cf_log_problems_users_id_problem foreign key (id_problem) references s_tables.t_log_problems (id) on delete restrict on update cascade, - constraint cf_log_problems_users_id_user foreign key (id_user) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_problems_users_id_user_session foreign key (id_user_session) references s_tables.t_users (id) on delete restrict on update cascade -); - -grant select,insert,update,delete on s_tables.t_log_problems_users to r_reservation_manager; -grant select on s_tables.t_log_problems_users to r_reservation_auditor; - - -/** only allow select, insert, and delete for users when user id is current user **/ -create view s_users.v_log_problems_users_self with (security_barrier=true) as - with this_user as (select id from v_users_self_locked_not) - select id_problem, date_created, date_changed, log_details from s_tables.t_log_problems_users - where id_user in (select * from this_user); - -grant select on s_users.v_log_problems_users_self to r_reservation, r_reservation_system; - - -create view s_users.v_log_problems_users_self_insert with (security_barrier=true) as - select id_problem, date_changed, log_details from s_tables.t_log_problems_users - where id_user in (select id from v_users_self_locked_not) - with check option; - -grant insert on s_users.v_log_problems_users_self_insert to r_reservation, r_reservation_system; - - -create view s_users.v_log_problems_users_self_delete with (security_barrier=true) as - select id_problem from s_tables.t_log_problems_users - where id_user in (select id from v_users_self_locked_not) - with check option; - -grant delete on s_users.v_log_problems_users_self_delete to r_reservation, r_reservation_system; - - -/** automatically delete problems deleted from the table s_tables.t_log_problems_users **/ -create function s_tables.f_log_problems_users_delete() returns trigger security definer as $$ - begin - if (tg_op = 'DELETE') then - delete from s_tables.t_log_problems where id = old.id_problem; - return old; - end if; - - return null; - end; -$$ language plpgsql; - -alter function s_tables.f_log_problems_users_delete () owner to u_reservation_logger; - -create trigger tr_log_problems_users_delete - after delete on s_tables.t_log_problems_users - for each row execute procedure s_tables.f_log_problems_users_delete(); - -create trigger tr_log_problems_enforce_user_and_session_ids - before insert on s_tables.t_log_problems - for each row execute procedure s_administers.f_common_enforce_user_and_session_ids(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-log_types.sql b/database/sql/reservation/reservation-log_types.sql deleted file mode 100644 index 72d38de..0000000 --- a/database/sql/reservation/reservation-log_types.sql +++ /dev/null @@ -1,144 +0,0 @@ -/** Standardized SQL Structure - Logs - Types */ -/** This depends on: reservation-users.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/*** provide log type id and names ***/ -create table s_tables.t_log_types ( - id bigint not null, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_deleted timestamp with time zone, - - constraint cp_log_types primary key (id), - - constraint cu_log_types_user unique (name_machine), - - constraint cc_log_types_id check (id >= 0) -); - -create sequence s_tables.se_log_types_id owned by s_tables.t_log_types.id; -alter table s_tables.t_log_types alter column id set default nextval('s_tables.se_log_types_id'::regclass); - -grant select,insert,update on s_tables.t_log_types to r_reservation_administer; -grant select on s_tables.t_log_types to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_log_types_id to r_reservation_administer; - -create index i_log_types_deleted_not on s_tables.t_log_types (id) - where not is_deleted; - -create index i_log_types_public on s_tables.t_log_types (id) - where not is_deleted and not is_locked; - -create view public.v_log_types with (security_barrier=true) as - select id, name_machine, name_human from s_tables.t_log_types - where not is_deleted and not is_locked; - -grant select on public.v_log_types to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_log_types_date_changed_deleted_or_locked - before update on s_tables.t_log_types - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -/*** provide log severity level id and names ***/ -create table s_tables.t_log_type_severitys ( - id bigint not null, - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - constraint cp_log_type_severitys primary key (id), - - constraint cu_log_type_severitys_user unique (name_machine), - - constraint cc_log_type_severitys_id check (id >= 0) -); - -create sequence s_tables.se_log_type_severitys_id owned by s_tables.t_log_type_severitys.id; -alter table s_tables.t_log_type_severitys alter column id set default nextval('s_tables.se_log_type_severitys_id'::regclass); - -grant select,insert,update on s_tables.t_log_type_severitys to r_reservation_administer; -grant select on s_tables.t_log_type_severitys to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_log_type_severitys_id to r_reservation_administer; - -create view s_users.v_log_type_severitys with (security_barrier=true) as - select id, name_machine, name_human from s_tables.t_log_type_severitys - where not is_deleted; - -grant select on s_users.v_log_type_severitys to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_log_type_severitys_date_changed_deleted_or_locked - before update on s_tables.t_log_type_severitys - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -/*** provide log facility level id and names ***/ -create table s_tables.t_log_type_facilitys ( - id bigint not null, - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - constraint cp_log_type_facilitys primary key (id), - - constraint cu_log_type_facilitys_user unique (name_machine), - - constraint cc_log_type_facilitys_id check (id >= 0) -); - -create sequence s_tables.se_log_type_facilitys_id owned by s_tables.t_log_type_facilitys.id; -alter table s_tables.t_log_type_facilitys alter column id set default nextval('s_tables.se_log_type_facilitys_id'::regclass); - -grant select,insert,update on s_tables.t_log_type_facilitys to r_reservation_administer; -grant select on s_tables.t_log_type_facilitys to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_log_type_facilitys_id to r_reservation_administer; - -create view s_users.v_log_type_facilitys with (security_barrier=true) as - select id, name_machine, name_human from s_tables.t_log_type_facilitys - where not is_deleted; - -grant select on s_users.v_log_type_facilitys to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_log_type_facilitys_date_changed_deleted_or_locked - before update on s_tables.t_log_type_facilitys - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-log_users.sql b/database/sql/reservation/reservation-log_users.sql deleted file mode 100644 index 656dca1..0000000 --- a/database/sql/reservation/reservation-log_users.sql +++ /dev/null @@ -1,210 +0,0 @@ -/** Standardized SQL Structure - Logs */ -/** This depends on: reservation-users.sql, reservation-types.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/*** provide user activity logging ***/ -create table s_tables.t_log_users ( - id bigint not null, - id_user bigint not null, - id_user_session bigint not null, - - log_title varchar(512) not null, - log_type bigint not null, - log_type_sub bigint not null, - log_severity bigint not null, - log_facility bigint not null, - log_details json, - log_date timestamp with time zone default current_timestamp not null, - - request_client public.ct_client not null, - response_code smallint not null default 0, - - constraint cp_log_users primary key (id), - - constraint cc_log_users_id check (id > 0), - constraint cc_log_users_log_severity check (log_severity > 0), - - constraint cf_log_users_id_user foreign key (id_user) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_users_id_user_session foreign key (id_user_session) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_users_log_type foreign key (log_type) references s_tables.t_log_types (id) on delete restrict on update cascade, - constraint cf_log_users_log_type_sub foreign key (log_type_sub) references s_tables.t_log_types (id) on delete restrict on update cascade, - constraint cf_log_users_log_severity foreign key (log_severity) references s_tables.t_log_type_severitys (id) on delete restrict on update cascade, - constraint cf_log_users_log_facility foreign key (log_facility) references s_tables.t_log_type_facilitys (id) on delete restrict on update cascade, - constraint cf_log_users_response_code foreign key (response_code) references s_tables.t_type_http_status_codes (id) on delete restrict on update cascade -); - -create sequence s_tables.se_log_users_id owned by s_tables.t_log_users.id; -alter table s_tables.t_log_users alter column id set default nextval('s_tables.se_log_users_id'::regclass); - -grant select on s_tables.t_log_users to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_log_users_id to r_reservation_administer; -grant usage on s_tables.se_log_users_id to r_reservation, r_reservation_public, r_reservation_system; - - -create index i_log_users_response_code_200 on s_tables.t_log_users (id) - where response_code = 200; - -create index i_log_users_response_code_400 on s_tables.t_log_users (id) - where response_code = 400; - -create index i_log_users_response_code_403 on s_tables.t_log_users (id) - where response_code = 403; - -create index i_log_users_response_code_404 on s_tables.t_log_users (id) - where response_code = 404; - -create index i_log_users_response_code_410 on s_tables.t_log_users (id) - where response_code = 410; - -create index i_log_users_response_code_451 on s_tables.t_log_users (id) - where response_code = 451; - -create index i_log_users_response_code_500 on s_tables.t_log_users (id) - where response_code = 500; - -create index i_log_users_response_code_503 on s_tables.t_log_users (id) - where response_code = 503; - -create index i_log_users_response_code_normal on s_tables.t_log_users (id) - where response_code in (200, 201, 202, 304); - -create index i_log_users_response_code_redirects on s_tables.t_log_users (id) - where response_code in (301, 302, 303, 307, 308); - -create index i_log_users_response_code_notable on s_tables.t_log_users (id) - where response_code in (400, 403, 404, 410, 451, 500, 503); - - -/** only allow select and insert for users when user id is current user **/ -create view s_users.v_log_users_self with (security_barrier=true) as - with this_user as (select id from v_users_self_locked_not) - select id, id_user, log_title, log_type, log_type_sub, log_severity, log_facility, log_details, log_date, request_client, response_code from s_tables.t_log_users - where id_user in (select * from this_user); - -grant select on s_users.v_log_users_self to r_reservation, r_reservation_system; - -create view s_users.v_log_users_self_insert with (security_barrier=true) as - select log_title, log_type, log_type_sub, log_severity, log_facility, log_details, request_client, response_code from s_tables.t_log_users - where id_user in (select id from v_users_self_locked_not) - with check option; - -grant insert on s_users.v_log_users_self_insert to r_reservation, r_reservation_system; - - -/** public users should be able to insert, but should never be able to view the logs that they insert. **/ -create view public.v_log_users_self_insert with (security_barrier=true) as - select log_title, log_type, log_type_sub, log_severity, log_facility, log_details, request_client, response_code from s_tables.t_log_users - where 'r_reservation_public' in (select pr.rolname from pg_auth_members pam inner join pg_roles pr on (pam.roleid = pr.oid) inner join pg_roles pr_u on (pam.member = pr_u.oid) where pr_u.rolname = current_user and pr.rolname = 'r_reservation_public') - with check option; - -grant insert on public.v_log_users_self_insert to r_reservation_public; - - -create trigger tr_log_users_enforce_user_and_session_ids - before insert on s_tables.t_log_users - for each row execute procedure s_administers.f_common_enforce_user_and_session_ids(); - - - -/*** provide access activity logging ***/ -create table s_tables.t_log_user_activity ( - id bigint not null, - id_user bigint not null, - id_user_session bigint not null, - - request_path varchar(512) not null, - request_arguments varchar(512) not null, - request_date timestamp with time zone default current_timestamp not null, - request_client public.ct_client not null, - request_headers json, - - response_headers json, - response_code smallint not null default 0, - - constraint cp_log_user_activity primary key (id), - - constraint cc_log_user_activity_id check (id > 0), - - constraint cf_log_user_activity_id_user foreign key (id_user) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_user_activity_id_user_session foreign key (id_user_session) references s_tables.t_users (id) on delete restrict on update cascade, - constraint cf_log_user_activity_response_code foreign key (response_code) references s_tables.t_type_http_status_codes (id) on delete restrict on update cascade -); - -create sequence s_tables.se_log_user_activity_id owned by s_tables.t_log_user_activity.id; -alter table s_tables.t_log_user_activity alter column id set default nextval('s_tables.se_log_user_activity_id'::regclass); - -grant select on s_tables.t_log_user_activity to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_log_user_activity_id to r_reservation_administer; -grant usage on s_tables.se_log_user_activity_id to r_reservation, r_reservation_public, r_reservation_system; - -create index i_log_user_activity_response_code_4xx on s_tables.t_log_user_activity (id) - where response_code >= 400 and response_code < 500; - -create index i_log_user_activity_response_code_403 on s_tables.t_log_user_activity (id) - where response_code = 403; - -create index i_log_user_activity_response_code_404 on s_tables.t_log_user_activity (id) - where response_code = 404; - -create index i_log_user_activity_response_code_410 on s_tables.t_log_user_activity (id) - where response_code = 410; - -create index i_log_user_activity_response_code_451 on s_tables.t_log_user_activity (id) - where response_code = 451; - -create index i_log_user_activity_response_code_5xx on s_tables.t_log_user_activity (id) - where response_code >= 500 and response_code < 600; - -create index i_log_user_activity_response_code_500 on s_tables.t_log_user_activity (id) - where response_code = 500; - -create index i_log_user_activity_response_code_503 on s_tables.t_log_user_activity (id) - where response_code = 503; - -create index i_log_user_activity_response_code_notable on s_tables.t_log_user_activity (id) - where response_code in (403, 404, 410, 451, 500, 503); - - - -/** only allow select and insert for users when user id is current user **/ -create view s_users.v_log_user_activity_self with (security_barrier=true) as - with this_user as (select id from v_users_self_locked_not) - select id, id_user, request_path, request_arguments, request_date, request_client, request_headers, response_headers, response_code from s_tables.t_log_user_activity - where id_user in (select * from this_user); - -grant select on s_users.v_log_user_activity_self to r_reservation, r_reservation_system; - -create view s_users.v_log_user_activity_self_insert with (security_barrier=true) as - select request_path, request_arguments, request_client, request_headers, response_headers, response_code from s_tables.t_log_user_activity - where id_user in (select id from v_users_self_locked_not) - with check option; - -grant insert on s_users.v_log_user_activity_self_insert to r_reservation, r_reservation_system; - - -/** public users should be able to insert, but should never be able to view the logs that they insert. **/ -create view public.v_log_user_activity_self_insert with (security_barrier=true) as - select request_path, request_arguments, request_client, request_headers, response_headers, response_code from s_tables.t_log_user_activity - where id_user in (select id from v_users_self_locked_not) - with check option; - -grant insert on public.v_log_user_activity_self_insert to r_reservation_public; - - -create trigger tr_log_user_activity_enforce_user_and_session_ids - before insert on s_tables.t_log_user_activity - for each row execute procedure s_administers.f_common_enforce_user_and_session_ids(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-main.sql b/database/sql/reservation/reservation-main.sql deleted file mode 100644 index f4b843a..0000000 --- a/database/sql/reservation/reservation-main.sql +++ /dev/null @@ -1,329 +0,0 @@ -/** Standardized SQL Structure - Main */ -/** This depends on: reservation-first.sql **/ -/* @todo: add restrictions to even managers and administers so that ALL users access via views to allow for disabling any account (even an admin). - only the postgresql/root account may access tables directly. - This requires changing permissions and adding the appropriate s_administers and s_managers tables. -*/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/** Schemas **/ -create schema s_administers authorization postgres; -create schema s_managers authorization postgres; -create schema s_auditors authorization postgres; -create schema s_publishers authorization postgres; -create schema s_insurers authorization postgres; -create schema s_financers authorization postgres; -create schema s_reviewers authorization postgres; -create schema s_editors authorization postgres; -create schema s_drafters authorization postgres; -create schema s_requesters authorization postgres; -create schema s_users authorization postgres; -create schema s_tables authorization postgres; - -grant usage on schema s_administers to r_reservation_administer; -grant usage on schema s_managers to r_reservation_manager; -grant usage on schema s_auditors to r_reservation_auditor; -grant usage on schema s_publishers to r_reservation_publisher; -grant usage on schema s_insurers to r_reservation_insurer; -grant usage on schema s_financers to r_reservation_financer; -grant usage on schema s_reviewers to r_reservation_reviewer; -grant usage on schema s_editors to r_reservation_editor; -grant usage on schema s_drafters to r_reservation_drafter; -grant usage on schema s_requesters to r_reservation_requester; -grant usage on schema s_users to r_reservation; - -grant usage on schema s_tables to u_reservation_revision_requests, u_reservation_statistics_update, u_reservation_logger, u_reservation_groups_handler; - - -/** Composite Types **/ -create type public.ct_name_person as ( - prefix varchar(32), - first varchar(64), - middle varchar(64), - last varchar(64), - suffix varchar(32), - complete varchar(256) -); - -create type public.ct_client as ( - ip inet, - port int, - agent varchar(256) -); - -create type public.ct_email as ( - name varchar(128), - domain varchar(128), - private boolean -); - -create type public.ct_text as ( - content text, - context bigint -); - -create type public.ct_location as ( - building bigint, - room bigint[] -); - -create type public.ct_date as ( - date timestamp with time zone, - time_start timestamp with time zone, - time_stop timestamp with time zone -); - -create type public.ct_date_context as ( - date timestamp with time zone, - time_start timestamp with time zone, - time_stop timestamp with time zone, - context bigint -); - -create type public.ct_phone_number as ( - country smallint, - area smallint, - number smallint, - extension smallint -); - -create type public.ct_phone_number_context as ( - country smallint, - area smallint, - number smallint, - extension smallint, - context bigint -); - -create type public.ct_money_context as ( - money money, - context bigint -); - -create type public.ct_field_fees as ( - needed bool, - quantity bigint, - days bigint, - hours bigint, - amount money -); - -create type public.ct_field_used_with_contact as ( - used bool, - email text, - name text, - phone public.ct_phone_number -); - -create type public.ct_field_needed_with_total as ( - needed bool, - total bigint -); - -create type public.ct_field_needed_with_details as ( - needed bool, - details text -); - -create type public.ct_field_used_with_details as ( - used bool, - details text -); - -create type public.ct_field_used_with_designer as ( - used bool, - designer text -); - -create type public.ct_field_served_with_caterer as ( - served bool, - caterer text -); - -create type public.ct_field_generated_with_types as ( - generated bool, - types bigint[] -); - -create type public.ct_field_needed_with_types as ( - needed bool, - types bigint[] -); - -create type public.ct_field_needed_with_types_and_microphone as ( - needed bool, - types bigint[], - microphone bigint -); - -create type public.ct_field_insurance as ( - needed bool, - provided bool -); - - - -/** Common Functions **/ -/* User ID and Session User ID Functions */ -create function s_administers.f_common_enforce_user_and_session_ids() returns trigger as $$ - begin - new.id_user = (select id from v_users_self); - new.id_user_session = (select id from v_users_self_session); - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_enforce_creator_and_session_ids() returns trigger as $$ - begin - new.id_creator = (select id from v_users_self); - new.id_creator_session = (select id from v_users_self_session); - return new; - end; -$$ language plpgsql; - - -/* Date Change Functions */ -create function s_administers.f_common_update_date_deleted() returns trigger as $$ - begin - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_update_date_changed_or_deleted() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_update_date_changed_or_locked() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_locked = false and new.is_locked = true) then - new.date_locked = localtimestamp; - elseif (old.is_locked = true and new.is_locked = false) then - new.date_locked = localtimestamp; - end if; - - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_update_date_changed_deleted_or_locked() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - if (old.is_locked = false and new.is_locked = true) then - new.date_locked = localtimestamp; - elseif (old.is_locked = true and new.is_locked = false) then - new.date_locked = localtimestamp; - end if; - - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_update_date_changed_deleted_cancelled_or_locked() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - if (old.is_locked = false and new.is_locked = true) then - new.date_locked = localtimestamp; - elseif (old.is_locked = true and new.is_locked = false) then - new.date_locked = localtimestamp; - end if; - - if (old.is_cancelled = false and new.is_cancelled = true) then - new.date_cancelled = localtimestamp; - elseif (old.is_cancelled = true and new.is_cancelled = false) then - new.date_cancelled = localtimestamp; - end if; - - return new; - end; -$$ language plpgsql; - - -/* Revision Increment Functions */ -create function s_administers.f_common_increment_revision() returns trigger as $$ - begin - new.id_revision = old.id_revision + 1; - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_increment_revision_update_date_changed_or_deleted() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - new.id_revision = old.id_revision + 1; - - return new; - end; -$$ language plpgsql; - -create function s_administers.f_common_increment_revision_update_date_changed_deleted_or_locked() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - if (old.is_locked = false and new.is_locked = true) then - new.date_locked = localtimestamp; - elseif (old.is_locked = true and new.is_locked = false) then - new.date_locked = localtimestamp; - end if; - - new.id_revision = old.id_revision + 1; - - return new; - end; -$$ language plpgsql; - -commit transaction; diff --git a/database/sql/reservation/reservation-paths.sql b/database/sql/reservation/reservation-paths.sql deleted file mode 100644 index 529cbfb..0000000 --- a/database/sql/reservation/reservation-paths.sql +++ /dev/null @@ -1,156 +0,0 @@ -/** Standardized SQL Structure - Content **/ -/** This depends on: reservation-groups.sql, reservation-types.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/* @todo: come up with a design for dynamic path management via users/managers (as opposed to hardcoded paths in source). */ -/*** provide paths table (@todo: this is added as a stub and needs to be finished) ***/ -create table s_tables.t_paths ( - id bigint not null, - id_creator bigint not null, - id_creator_session bigint not null, - id_group bigint, - id_sort smallint default 0, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_content boolean default true not null, - is_alias boolean default false not null, - is_redirect boolean default false not null, - is_coded boolean default false not null, - is_dynamic boolean default true not null, - is_user boolean default false not null, - is_private boolean default true not null, - is_locked boolean default false not null, - is_deleted boolean default false not null, - - field_path varchar(256) not null, - field_destination varchar(256), - field_response_code smallint, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - constraint cp_paths primary key (id), - - constraint cu_paths_name_machine unique (name_machine), - constraint cu_paths_field_path unique (field_path), - - constraint cc_paths_id check (id > 0), - constraint cc_paths_name_machine check (name_machine ~ '[A-Za-z]\w*'), - constraint cc_paths_one_of_content_alias_redirect check ((is_content and not (is_alias or is_redirect)) or (is_alias and not (is_content or is_redirect))), - - constraint cf_paths_id_creator foreign key (id_creator) references s_tables.t_users (id) on delete cascade on update cascade, - constraint cf_paths_id_creator_session foreign key (id_creator_session) references s_tables.t_users (id) on delete cascade on update cascade, - constraint cf_paths_id_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade, - constraint cf_paths_field_response_code foreign key (field_response_code) references s_tables.t_type_http_status_codes (id) on delete restrict on update cascade -); - -create sequence s_tables.se_paths_id owned by s_tables.t_paths.id; -alter table s_tables.t_paths alter column id set default nextval('s_tables.se_paths_id'::regclass); - -grant select,insert,update on s_tables.t_paths to r_reservation_administer; -grant select on s_tables.t_paths to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_paths_id to r_reservation_administer; -grant usage on s_tables.se_paths_id to r_reservation, r_reservation_system; - -create index i_paths_deleted_not on s_tables.t_paths (id) - where not is_deleted; - -create index i_paths_private_not on s_tables.t_paths (id) - where not is_deleted and not is_private; - -create index i_paths_locked_not on s_tables.t_paths (id) - where not is_deleted and not is_locked; - -create index i_paths_public on s_tables.t_paths (id) - where not is_deleted and not is_locked and not is_private; - -create index i_paths_content on s_tables.t_paths (id) - where not is_deleted and is_content; - -create index i_paths_alias on s_tables.t_paths (id) - where not is_deleted and is_alias; - -create index i_paths_redirect on s_tables.t_paths (id) - where not is_deleted and is_redirect; - -/* Note: id sort here is intended for paths that do not have group paths, like '/a/hello', and '/b/world', where 'a' and 'b' are group paths, respectively. */ -/* however, NULL (id_sort = 0) is effectively for all group paths. */ -create index i_paths_id_sort_null on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 0; -create index i_paths_id_sort_0 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 48; -create index i_paths_id_sort_1 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 49; -create index i_paths_id_sort_2 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 50; -create index i_paths_id_sort_3 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 51; -create index i_paths_id_sort_4 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 52; -create index i_paths_id_sort_5 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 53; -create index i_paths_id_sort_6 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 54; -create index i_paths_id_sort_7 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 55; -create index i_paths_id_sort_8 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 56; -create index i_paths_id_sort_9 on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 57; -create index i_paths_id_sort_a on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 97; -create index i_paths_id_sort_b on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 98; -create index i_paths_id_sort_c on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 99; -create index i_paths_id_sort_d on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 100; -create index i_paths_id_sort_e on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 101; -create index i_paths_id_sort_f on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 102; -create index i_paths_id_sort_g on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 103; -create index i_paths_id_sort_h on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 104; -create index i_paths_id_sort_i on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 105; -create index i_paths_id_sort_j on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 106; -create index i_paths_id_sort_k on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 107; -create index i_paths_id_sort_l on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 108; -create index i_paths_id_sort_m on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 109; -create index i_paths_id_sort_n on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 110; -create index i_paths_id_sort_o on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 111; -create index i_paths_id_sort_p on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 112; -create index i_paths_id_sort_q on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 113; -create index i_paths_id_sort_r on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 114; -create index i_paths_id_sort_s on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 115; -create index i_paths_id_sort_t on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 116; -create index i_paths_id_sort_u on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 117; -create index i_paths_id_sort_v on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 118; -create index i_paths_id_sort_w on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 119; -create index i_paths_id_sort_x on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 120; -create index i_paths_id_sort_y on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 121; -create index i_paths_id_sort_z on s_tables.t_paths (id_sort) with (fillfactor = 100) where id_sort = 122; - - -/* @todo: provide management functionality for managers (for all user content) and users (for groups they belong to with appropriate can_manage role). */ -create view s_users.v_paths with (security_barrier=true) as - with allowed_groups as (select id from s_users.v_groups_self) - select id, id_group, name_machine, name_human, is_content, is_alias, is_redirect, is_coded, is_dynamic, is_locked, is_private, field_path, field_destination, field_response_code, date_created, date_changed, date_locked from s_tables.t_paths - where not is_deleted and (not is_locked or not is_private or id_group in (select * from allowed_groups)); - -grant select on s_users.v_paths to r_reservation, r_reservation_system; - -create view public.v_paths with (security_barrier=true) as - select id, NULL::bigint as id_group, name_machine, name_human, is_content, is_alias, is_redirect, is_coded, is_dynamic, FALSE as is_locked, FALSE as is_private, field_path, field_destination, field_response_code, NULL::bool as date_created, NULL::bool as date_changed, NULL::bool as date_locked from s_tables.t_paths - where not is_deleted and not is_locked and not is_private; - -grant select on public.v_paths to r_reservation_public; - - -create trigger tr_paths_date_changed_deleted_or_locked - before update on s_tables.t_paths - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - -create trigger tr_paths_enforce_creator_and_session_ids - before insert on s_tables.t_paths - for each row execute procedure s_administers.f_common_enforce_creator_and_session_ids(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-users.sql b/database/sql/reservation/reservation-permissions.sql similarity index 51% rename from database/sql/reservation/reservation-users.sql rename to database/sql/reservation/reservation-permissions.sql index 0f4ad01..7e661a3 100644 --- a/database/sql/reservation/reservation-users.sql +++ b/database/sql/reservation/reservation-permissions.sql @@ -1,223 +1,50 @@ -/** Standardized SQL Structure - Users */ -/** This depends on: reservation-main.sql **/ +/** Reservation SQL Structure - Permissions */ +/** This depends on: everything in reservation, do this after everything but before reservation-last.sql **/ start transaction; -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; +/* standard-main.sql permissions */ +grant usage on schema s_administers to r_reservation_administer; +grant usage on schema s_managers to r_reservation_manager; +grant usage on schema s_auditors to r_reservation_auditor; +grant usage on schema s_publishers to r_reservation_publisher; +grant usage on schema s_insurers to r_reservation_insurer; +grant usage on schema s_financers to r_reservation_financer; +grant usage on schema s_reviewers to r_reservation_reviewer; +grant usage on schema s_editors to r_reservation_editor; +grant usage on schema s_drafters to r_reservation_drafter; +grant usage on schema s_requesters to r_reservation_requester; +grant usage on schema s_users to r_reservation; +grant usage on schema s_tables to u_reservation_revision_requests, u_reservation_statistics_update, u_reservation_logger, u_reservation_groups_handler; -/** Users **/ -/* Note: is_public and is_private have two different contexts, is_public refers to the r_reservation_public role and is_private refers to making certain user fields public/private within the system to a certain degree. */ -create table s_tables.t_users ( - id bigint not null, - id_external bigint, - - id_sort smallint default 0, - - name_machine varchar(128) not null, - name_human public.ct_name_person default (null, null, null, null, null, null) not null, - - address_email public.ct_email default (null, null, true) not null, - - is_administer boolean default false not null, - is_manager boolean default false not null, - is_auditor boolean default false not null, - is_publisher boolean default false not null, - is_insurer boolean default false not null, - is_financer boolean default false not null, - is_reviewer boolean default false not null, - is_editor boolean default false not null, - is_drafter boolean default false not null, - is_requester boolean default false not null, - is_system boolean default false not null, - is_public boolean default false not null, - is_locked boolean default false not null, - is_private boolean default true not null, - is_deleted boolean default false not null, - - can_manage_roles boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_synced timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - settings json, - - constraint cp_users primary key (id), - - constraint cc_users_id check (id > 0), - constraint cc_users_id_external check (id_external >= -1), - - constraint cu_users_id_external unique (id_external), - constraint cu_users_name_machine unique (name_machine) -); - -create sequence s_tables.se_users_id owned by s_tables.t_users.id; -alter table s_tables.t_users alter column id set default nextval('s_tables.se_users_id'::regclass); - +/* standard-users.sql permissions */ grant select,insert,update on s_tables.t_users to r_reservation_administer; grant select on s_tables.t_users to r_reservation_auditor; + grant select,usage on s_tables.se_users_id to r_reservation_administer; grant usage on s_tables.se_users_id to r_reservation, r_reservation_system; -create index i_users_deleted_not on s_tables.t_users (id) - where not is_deleted; - -create index i_users_private_not on s_tables.t_users (id) - where not is_deleted and not is_private; - -create index i_users_locked_not on s_tables.t_users (id) - where not is_deleted and not is_locked; - -create index i_users_private_email_not on s_tables.t_users (id) - where not is_deleted and not is_private and not (address_email).private; - - -/* Note: id_sort is not needed when directly validating against id or name_machine because both of those are already an index. */ -create index i_users_id_sort_a on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 97; -create index i_users_id_sort_b on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 98; -create index i_users_id_sort_c on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 99; -create index i_users_id_sort_d on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 100; -create index i_users_id_sort_e on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 101; -create index i_users_id_sort_f on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 102; -create index i_users_id_sort_g on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 103; -create index i_users_id_sort_h on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 104; -create index i_users_id_sort_i on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 105; -create index i_users_id_sort_j on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 106; -create index i_users_id_sort_k on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 107; -create index i_users_id_sort_l on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 108; -create index i_users_id_sort_m on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 109; -create index i_users_id_sort_n on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 110; -create index i_users_id_sort_o on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 111; -create index i_users_id_sort_p on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 112; -create index i_users_id_sort_q on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 113; -create index i_users_id_sort_r on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 114; -create index i_users_id_sort_s on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 115; -create index i_users_id_sort_t on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 116; -create index i_users_id_sort_u on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 117; -create index i_users_id_sort_v on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 118; -create index i_users_id_sort_w on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 119; -create index i_users_id_sort_x on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 120; -create index i_users_id_sort_y on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 121; -create index i_users_id_sort_z on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 122; - - - -/*** provide current user access to their own information (system users are not allowed to update their account) ***/ -create view s_users.v_users_self with (security_barrier=true) as - select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users - where not is_deleted and (name_machine)::text = (current_user)::text; - grant select on s_users.v_users_self to r_reservation, r_reservation_system; -create view public.v_users_self_session with (security_barrier=true) as - select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users - where not is_deleted and (name_machine)::text = (session_user)::text; - grant select on public.v_users_self_session to r_reservation, r_reservation_system, r_reservation_public; - -create view public.v_users_self_locked_not with (security_barrier=true) as - select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users - where not is_deleted and not is_locked and (name_machine)::text = (current_user)::text; - grant select on public.v_users_self_locked_not to r_reservation, r_reservation_system, r_reservation_public; - -create view public.v_users_self_exists with (security_barrier=true) as - select id, name_machine, is_system, is_public, is_locked, is_deleted from s_tables.t_users - where (name_machine)::text = (current_user)::text; - grant select on public.v_users_self_exists to r_reservation, r_reservation_system, r_reservation_public; -create view s_users.v_users_self_insert with (security_barrier=true) as - select id_external, name_human, address_email, is_private, settings from s_tables.t_users - where not is_deleted and not is_locked and not is_system and not is_public and (name_machine)::text = (current_user)::text - with check option; - grant insert on s_users.v_users_self_insert to r_reservation, r_reservation_system; - -create view s_users.v_users_self_update with (security_barrier=true) as - select id_external, name_human, address_email, is_private, settings from s_tables.t_users - where not is_deleted and not is_locked and not is_system and not is_public and (name_machine)::text = (current_user)::text - with check option; - grant update on s_users.v_users_self_update to r_reservation, r_reservation_system; - -/**** anonymous user has uid = 1 ****/ -create view public.v_users_self with (security_barrier=true) as - select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users - where not is_deleted and id = 1; - grant select on public.v_users_self to r_reservation_public, r_reservation, r_reservation_system; - - -/*** provide public user information ***/ -create view public.v_users with (security_barrier=true) as - select id, null::bigint as id_external, id_sort, name_machine, name_human, null::public.ct_email as address_email, null::bool as is_administer, null::bool as is_manager, null::bool as is_auditor, null::bool as is_publisher, null::bool as is_insurer, null::bool as is_financer, null::bool as is_reviewer, null::bool as is_editor, null::bool as is_drafter, null::bool as is_requester, is_system, is_public, null::bool as is_locked, is_private, is_deleted, null::bool as can_manage_roles, null::timestamp as date_created, null::timestamp as date_changed, null::timestamp as date_synced, null::timestamp as date_locked, null::timestamp as date_deleted, null::json as settings from s_tables.t_users - where (not is_deleted and not is_private) or (not is_deleted and (name_machine)::text = (current_user)::text); - grant select on public.v_users to r_reservation, r_reservation_public, r_reservation_system; - - -/*** provide e-mail address as public information only if it is explicitly allowed ***/ -create view public.v_users_email with (security_barrier=true) as - select id, null::bigint as id_external, id_sort, name_machine, name_human, address_email, null::bool as is_administer, null::bool as is_manager, null::bool as is_auditor, null::bool as is_publisher, null::bool as is_insurer, null::bool as is_financer, null::bool as is_reviewer, null::bool as is_editor, null::bool as is_drafter, null::bool as is_requester, is_system, is_public, null::bool as is_locked, is_private, is_deleted, null::bool as can_manage_roles, null::timestamp as date_created, null::timestamp as date_changed, null::timestamp as date_synced, null::timestamp as date_locked, null::timestamp as date_deleted, null::json as settings from s_tables.t_users - where (not is_deleted and not is_private and not (address_email).private) or (not is_deleted and (name_machine)::text = (current_user)::text); - grant select on public.v_users_email to r_reservation, r_reservation_public, r_reservation_system; - -/*** provide managers with the ability to modify accounts ***/ -create view s_managers.v_users with (security_barrier=true) as - select * from s_tables.t_users - where not is_deleted; - grant select on s_managers.v_users to r_reservation_manager; - -create view s_managers.v_users_insert with (security_barrier=true) as - select id, id_external, name_machine, name_human, address_email, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_locked, is_private, can_manage_roles, settings from s_tables.t_users - with check option; - grant insert on s_managers.v_users_insert to r_reservation_manager; - -create view s_managers.v_users_update with (security_barrier=true) as - select id, id_external, name_machine, name_human, address_email, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_locked, is_private, can_manage_roles, settings from s_tables.t_users - where not is_deleted - with check option; - grant update on s_managers.v_users_update to r_reservation_manager; - -create view s_managers.v_users_deleted with (security_barrier=true) as - select id, id_external, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_locked, is_private, can_manage_roles, date_created, date_changed, date_synced, date_locked, settings from s_tables.t_users - where is_deleted; - grant select on s_managers.v_users to r_reservation_manager; - -/** Create Materialized views for table based on history (maybe current day should be a view and previous days should be a materialized view that is updated by cron?) **/ -create materialized view s_administers.m_users_date_created_this_day as select * from s_tables.t_users where date_trunc('day', date_created) = date_trunc('day', current_timestamp); -create materialized view s_administers.m_users_date_created_previous_day as select * from s_tables.t_users where date_trunc('day', date_created) = date_trunc('day', current_timestamp) - interval '1 day'; -create materialized view s_administers.m_users_date_created_previous_month as select * from s_tables.t_users where date_trunc('month', date_created) = date_trunc('month', current_timestamp) - interval '1 month'; -create materialized view s_administers.m_users_date_created_previous_year as select * from s_tables.t_users where date_trunc('year', date_created) = date_trunc('year', current_timestamp) - interval '1 year'; - -create materialized view s_administers.m_users_date_changed_this_day as select * from s_tables.t_users where date_trunc('day', date_changed) = date_trunc('day', current_timestamp); -create materialized view s_administers.m_users_date_changed_previous_day as select * from s_tables.t_users where date_trunc('day', date_changed) = date_trunc('day', current_timestamp) - interval '1 day'; -create materialized view s_administers.m_users_date_changed_previous_month as select * from s_tables.t_users where date_trunc('month', date_changed) = date_trunc('month', current_timestamp) - interval '1 month'; -create materialized view s_administers.m_users_date_changed_previous_year as select * from s_tables.t_users where date_trunc('year', date_changed) = date_trunc('year', current_timestamp) - interval '1 year'; - -create materialized view s_administers.m_users_date_synced_this_day as select * from s_tables.t_users where date_trunc('day', date_synced) = date_trunc('day', current_timestamp); -create materialized view s_administers.m_users_date_synced_previous_day as select * from s_tables.t_users where date_trunc('day', date_synced) = date_trunc('day', current_timestamp) - interval '1 day'; -create materialized view s_administers.m_users_date_synced_previous_month as select * from s_tables.t_users where date_trunc('month', date_synced) = date_trunc('month', current_timestamp) - interval '1 month'; -create materialized view s_administers.m_users_date_synced_previous_year as select * from s_tables.t_users where date_trunc('year', date_synced) = date_trunc('year', current_timestamp) - interval '1 year'; - alter materialized view s_administers.m_users_date_created_this_day owner to r_reservation_administer; alter materialized view s_administers.m_users_date_created_previous_day owner to r_reservation_administer; alter materialized view s_administers.m_users_date_created_previous_month owner to r_reservation_administer; @@ -253,49 +80,22 @@ grant select on s_administers.m_users_date_created_previous_day to r_reservation grant select on s_administers.m_users_date_created_previous_month to r_reservation_manager; grant select on s_administers.m_users_date_created_previous_year to r_reservation_manager; +alter function s_administers.f_users_insert_as_administer() owner to u_reservation_grant_roles; +alter function s_administers.f_users_update_as_administer() owner to u_reservation_grant_roles; +alter function s_administers.f_users_update_materialized_views() owner to r_reservation_administer; -create function s_administers.f_users_insert_actions() returns trigger as $$ - begin - if (new.name_machine is null) then - new.name_machine = current_user; - end if; - - new.id_sort = ascii(new.name_machine); - - return new; - end; -$$ language plpgsql; - -create function s_administers.f_users_update_actions() returns trigger as $$ - begin - new.date_changed = localtimestamp; - - if (old.is_deleted = false and new.is_deleted = true) then - new.date_deleted = localtimestamp; - elseif (old.is_deleted = true and new.is_deleted = false) then - new.date_deleted = localtimestamp; - end if; - - if (old.is_locked = false and new.is_locked = true) then - new.date_locked = localtimestamp; - elseif (old.is_locked = true and new.is_locked = false) then - new.date_locked = localtimestamp; - end if; - - if (new.id_sort <> ascii(new.name_machine)) then - new.id_sort = ascii(new.name_machine); - end if; - - return new; - end; -$$ language plpgsql; +/** Special Cases: manually add the postgresql and public users first before with all triggers disabled (because some of the triggers depend on this table, recursively). **/ +alter table s_tables.t_users disable trigger all; +insert into s_tables.t_users (id, name_machine, name_human, is_private, is_public) values (1, 'u_reservation_public', (null, 'Unknown', null, null, null, 'Unknown'), false, true); +insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system) values (2, 'postgres', (null, 'Database', null, 'Administer', null, 'Database (Administer)'), true, true); +alter table s_tables.t_users enable trigger all; -/* attempt to auto-manage postgresql reservation roles with the reservation database user roles. */ +/* attempt to auto-manage postgresql standard roles with the standard database user roles. */ /* user ids 1 and 2 are explicitly reserved for anonymous/public and the database postgresql accounts. */ /* postgresql does not seem to support variables for the user with grant and revoke, therefore the execute statement is used to perform the query. */ /* @fixme: the name_machine must be forcibly sanitized to be alphanumeric, -, or _ in all cases. */ -create function s_administers.f_users_insert_as_administer() returns trigger security definer as $$ +create or replace function s_administers.f_users_insert_as_administer() returns trigger security definer as $$ declare name_machine constant text default quote_ident(new.name_machine); begin @@ -408,10 +208,7 @@ create function s_administers.f_users_insert_as_administer() returns trigger sec end; $$ language plpgsql; -alter function s_administers.f_users_insert_as_administer() owner to u_reservation_grant_roles; - - -create function s_administers.f_users_update_as_administer() returns trigger security definer as $$ +create or replace function s_administers.f_users_update_as_administer() returns trigger security definer as $$ declare name_machine constant text default quote_ident(new.name_machine); begin @@ -627,44 +424,245 @@ create function s_administers.f_users_update_as_administer() returns trigger sec end; $$ language plpgsql; -alter function s_administers.f_users_update_as_administer() owner to u_reservation_grant_roles; -create function s_administers.f_users_update_materialized_views() returns trigger security definer as $$ - begin +/* standard-groups.sql permissions */ +grant select,insert,update on s_tables.t_groups to r_reservation_manager, u_reservation_groups_handler; +grant select on s_tables.t_groups to r_reservation_auditor; +grant select,usage on s_tables.se_groups_id to r_reservation_manager; +grant usage on s_tables.se_groups_id to r_reservation, r_reservation_system, u_reservation_groups_handler; - refresh materialized view s_administers.m_users_date_created_this_day; - refresh materialized view s_administers.m_users_date_changed_this_day; - refresh materialized view s_administers.m_users_date_synced_this_day; +grant select on s_users.v_groups_manage_self to r_reservation, r_reservation_system; +grant update on s_users.v_groups_manage_update to r_reservation, r_reservation_system; - return null; - end; -$$ language plpgsql; +alter function s_administers.f_groups_group_user_insert () owner to u_reservation_groups_handler; +alter function s_administers.f_groups_group_user_update () owner to u_reservation_groups_handler; -alter function s_administers.f_users_update_materialized_views() owner to r_reservation_administer; +grant select,insert,update on s_tables.t_groups to r_reservation_manager; +grant select on s_tables.t_groups to r_reservation_auditor; -create trigger tr_users_insert_actions - before insert on s_tables.t_users - for each row execute procedure s_administers.f_users_insert_actions(); +grant select on s_users.v_groups_self to r_reservation, r_reservation_system; +grant select on s_users.v_group_users_manage to r_reservation, r_reservation_system; +grant insert on s_users.v_group_users_manage_insert to r_reservation, r_reservation_system; +grant update on s_users.v_group_users_manage_update to r_reservation, r_reservation_system; -create trigger tr_users_update_actions - before update on s_tables.t_users - for each row execute procedure s_administers.f_users_update_actions(); +grant select,insert,update,delete on s_tables.t_groups to r_reservation_manager; +grant select on s_tables.t_groups to r_reservation_auditor; -create trigger tr_users_insert_as_administer - after insert on s_tables.t_users - for each row execute procedure s_administers.f_users_insert_as_administer(); +grant select on s_users.v_group_composites to r_reservation, r_reservation_system; +grant insert on s_users.v_group_composites_manage_insert to r_reservation, r_reservation_system; +grant update on s_users.v_group_composites_manage_update to r_reservation, r_reservation_system; -create trigger tr_users_update_as_administer - after update on s_tables.t_users - for each row execute procedure s_administers.f_users_update_as_administer(); -create trigger tr_users_update_materialized_views - after insert or update on s_tables.t_users - for each statement execute procedure s_administers.f_users_update_materialized_views(); +/* standard-types.sql permissions */ +grant select,insert,update on s_tables.t_type_http_status_codes to r_reservation_administer; +grant select on s_tables.t_type_http_status_codes to r_reservation_manager, r_reservation_auditor; -/** Special Cases: manually add the postgresql and public users first before any logging triggers are defined (because some of them depend on this table recursively! **/ -insert into s_tables.t_users (id, name_machine, name_human, is_private, is_public) values (1, 'u_reservation_public', (null, 'Unknown', null, null, null, 'Unknown'), false, true); -insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system) values (2, 'postgres', (null, 'Database', null, 'Administer', null, 'Database (Administer)'), true, true); +grant select,usage on s_tables.se_log_type_http_status_codes_id to r_reservation_administer; +grant select on public.v_log_type_http_status_codes to r_reservation, r_reservation_public, r_reservation_system; +grant select,insert,update on s_tables.t_type_mime_categorys to r_reservation_administer; +grant select on public.v_types_mime_categorys to r_reservation, r_reservation_public, r_reservation_system; +grant select,insert,update on s_tables.t_type_mime_categorys to r_reservation_administer; +grant select on public.v_types_mime_categorys_locked_not to r_reservation, r_reservation_public, r_reservation_system; +grant select,insert,update on s_tables.t_type_mime_types to r_reservation_administer; + +grant select on public.v_types_mime_types to r_reservation, r_reservation_public, r_reservation_system; +grant select on public.v_types_mime_types to r_reservation, r_reservation_public, r_reservation_system; + + +/* standard-files.sql permissions */ +grant select,insert,update on s_tables.t_files to r_reservation_administer; +grant select on s_tables.t_files to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_files_id to r_reservation_administer; +grant usage on s_tables.se_files_id to r_reservation, r_reservation_system; + +grant select on s_users.v_files to r_reservation, r_reservation_system; +grant select on public.v_path_types to r_reservation, r_reservation_public, r_reservation_system; + + +/* standard-paths.sql permissions */ +grant select,insert,update on s_tables.t_paths to r_reservation_administer; +grant select on s_tables.t_paths to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_paths_id to r_reservation_administer; + +grant usage on s_tables.se_paths_id to r_reservation, r_reservation_system; + +grant select on s_users.v_paths to r_reservation, r_reservation_system; +grant select on public.v_paths to r_reservation_public; + + +/* standard-log_types.sql permissions */ +grant select,insert,update on s_tables.t_log_types to r_reservation_administer; +grant select on s_tables.t_log_types to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_log_types_id to r_reservation_administer; + +grant select on public.v_log_types to r_reservation, r_reservation_public, r_reservation_system; + +grant select,insert,update on s_tables.t_log_type_severitys to r_reservation_administer; +grant select on s_tables.t_log_type_severitys to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_log_type_severitys_id to r_reservation_administer; + +grant select on s_users.v_log_type_severitys to r_reservation, r_reservation_public, r_reservation_system; + +grant select,insert,update on s_tables.t_log_type_facilitys to r_reservation_administer; +grant select on s_tables.t_log_type_facilitys to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_log_type_facilitys_id to r_reservation_administer; + +grant select on s_users.v_log_type_facilitys to r_reservation, r_reservation_public, r_reservation_system; + + +/* standard-log_groups.sql permissions */ +grant select,usage on s_tables.se_log_groups_id to r_reservation_manager, r_reservation_auditor; +grant usage on s_tables.se_log_groups_id to r_reservation, r_reservation_system; + +grant select on s_users.v_log_groups_self to r_reservation, r_reservation_system; + +grant insert on s_users.v_log_groups_self_insert to r_reservation, r_reservation_system; + +grant select,usage on s_tables.se_log_group_users_id to r_reservation_manager, r_reservation_auditor; +grant usage on s_tables.se_log_group_users_id to r_reservation, r_reservation_system; + +grant select on s_users.v_log_group_users_self to r_reservation, r_reservation_system; + +grant insert on s_users.v_log_group_users_self_insert to r_reservation, r_reservation_system; + + +/* standard-log_problems.sql permissions */ +grant select,insert,update,delete on s_tables.t_log_problems to r_reservation_manager; +grant select on s_tables.t_log_problems to r_reservation_auditor; +grant select,usage on s_tables.se_log_problems_id to r_reservation_manager; +grant usage on s_tables.se_log_problems_id to r_reservation, r_reservation_system; + +grant select,insert,update,delete on s_tables.t_log_problems_users to r_reservation_manager; +grant select on s_tables.t_log_problems_users to r_reservation_auditor; + +grant select on s_users.v_log_problems_users_self to r_reservation, r_reservation_system; + +grant insert on s_users.v_log_problems_users_self_insert to r_reservation, r_reservation_system; + +grant delete on s_users.v_log_problems_users_self_delete to r_reservation, r_reservation_system; + +alter function s_tables.f_log_problems_users_delete () owner to u_reservation_logger; + + +/* standard-log_users.sql permissions */ +grant select on s_tables.t_log_users to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_log_users_id to r_reservation_administer; +grant usage on s_tables.se_log_users_id to r_reservation, r_reservation_public, r_reservation_system; + +grant select on s_users.v_log_users_self to r_reservation, r_reservation_system; +grant insert on s_users.v_log_users_self_insert to r_reservation, r_reservation_system; +grant insert on public.v_log_users_self_insert to r_reservation_public; + +grant select on s_tables.t_log_user_activity to r_reservation_manager, r_reservation_auditor; +grant select,usage on s_tables.se_log_user_activity_id to r_reservation_administer; +grant usage on s_tables.se_log_user_activity_id to r_reservation, r_reservation_public, r_reservation_system; + +grant select on s_users.v_log_user_activity_self to r_reservation, r_reservation_system; +grant insert on s_users.v_log_user_activity_self_insert to r_reservation, r_reservation_system; +grant insert on public.v_log_user_activity_self_insert to r_reservation_public; + + +/* standard-statistics.sql permissions */ +grant select,insert,update on s_tables.t_statistics_http_status_codes to r_reservation_manager, u_reservation_statistics_update; +grant select on s_tables.t_statistics_http_status_codes to r_reservation_auditor; +grant select on s_tables.t_statistics_request_path to r_reservation_manager, r_reservation_auditor; + +grant select,insert,update on s_users.v_statistics_request_path to r_reservation, r_reservation_system; +grant select,insert,update on public.v_statistics_request_path to r_reservation_public; + +alter function s_tables.f_statistics_http_status_codes_insert () owner to u_reservation_statistics_update; + + +/* reservation-dates permissions */ +grant select,insert,update on s_tables.t_date_contexts to r_reservation_manager; +grant select on s_tables.t_date_contexts to r_reservation_auditor; +grant select,usage on s_tables.se_date_contexts_id to r_reservation_manager; + +grant select on s_requesters.v_date_contexts to r_reservation_requester, r_reservation_reviewer; + + +/* reservation-fields permissions */ +grant select,insert,update on s_tables.t_field_affiliations to r_reservation_manager; +grant select on s_tables.t_field_affiliations to r_reservation_auditor; +grant select,usage on s_tables.se_field_affiliations_id to r_reservation_manager; + +grant select on s_users.v_field_affiliations to r_reservation, r_reservation_system; + +grant select,insert,update on s_tables.t_field_classifications to r_reservation_manager; +grant select on s_tables.t_field_classifications to r_reservation_auditor; +grant select,usage on s_tables.se_field_classifications_id to r_reservation_manager; + +grant select on s_users.v_field_classifications to r_reservation, r_reservation_system; + + +/* reservation-associations permissions */ +grant select,insert,update on s_tables.t_associations to r_reservation_manager; +grant select on s_tables.t_associations to r_reservation_auditor; +grant select,usage on s_tables.se_associations_id to r_reservation_manager; +grant usage on s_tables.se_associations_id to r_reservation_requester, r_reservation_reviewer; + +grant select on s_users.v_associations_self to r_reservation_requester, r_reservation_reviewer; +grant select on s_users.v_associations_manage to r_reservation_requester, r_reservation_reviewer; +grant select on s_users.v_associations_coordinate to r_reservation_requester, r_reservation_reviewer; +grant insert on s_users.v_associations_self_insert to r_reservation_requester, r_reservation_reviewer; +grant update on s_users.v_associations_self_update to r_reservation_requester, r_reservation_reviewer; + + +/* reservation-requests permissions */ +grant select,insert,update on s_tables.t_request_types to r_reservation_manager; +grant select on s_tables.t_request_types to r_reservation_auditor; +grant select,usage on s_tables.se_request_types_id to r_reservation_manager; + +grant select on s_requesters.v_request_types to r_reservation_auditor, r_reservation_requester; + +grant select,insert,update on s_tables.t_requests to r_reservation_manager; +grant select on s_tables.t_requests to r_reservation_auditor; +grant select,usage on s_tables.se_requests_id to r_reservation_manager; +grant usage on s_tables.se_requests_id to r_reservation, r_reservation_system; + +grant select on s_users.v_requests_approved to r_reservation, r_reservation_system; +grant select on s_users.v_requests_approved_cancelled to r_reservation, r_reservation_system; +grant select on s_users.v_requests_denied to r_reservation, r_reservation_system; +grant select on s_users.v_requests_troubled to r_reservation, r_reservation_system; +grant select on s_users.v_requests_cancelled to r_reservation, r_reservation_system; +grant select on s_users.v_requests_self to r_reservation, r_reservation_system; +grant select on s_users.v_requests_self to r_reservation, r_reservation_system; +grant select on s_users.v_requests_self to r_reservation, r_reservation_system; + +grant select,insert on s_tables.t_request_revisions_original to r_reservation_administer, u_reservation_revision_requests; +grant select on s_tables.t_request_revisions_original to r_reservation_manager, r_reservation_auditor; + +alter function s_tables.f_request_revisions_original_record_revision () owner to u_reservation_revision_requests; + +grant select,insert on s_tables.t_request_revisions to r_reservation_administer, u_reservation_revision_requests; +grant select on s_tables.t_request_revisions to r_reservation_manager, r_reservation_auditor; + +alter function s_tables.f_request_revisions_record_revision () owner to u_reservation_revision_requests; + + +/* reservation-workflow permissions */ + + +/* reservation-statistics permissions */ +grant select on s_tables.t_statistics_request_path to r_reservation_manager, r_reservation_auditor; +grant select,insert,update on s_users.v_statistics_request_path to r_reservation, r_reservation_system; +grant select,insert,update on public.v_statistics_request_path to r_reservation_public; + + +/* reservation-legal permissions */ +grant select,insert,update on s_tables.t_legal_types to r_reservation_manager; +grant select on s_tables.t_legal_types to r_reservation_auditor; +grant select,usage on s_tables.se_legal_types_id to r_reservation_manager; + +grant select on s_users.v_legal_types to r_reservation_auditor, r_reservation_requester; + +grant select,insert,update on s_tables.t_signatures to r_reservation_manager; +grant select on s_tables.t_signatures to r_reservation_auditor; +grant select,usage on s_tables.se_signatures_id to r_reservation_manager; +grant usage on s_tables.se_signatures_id to r_reservation, r_reservation_system; + +grant select on s_users.v_signatures_self to r_reservation, r_reservation_system; +grant insert on s_users.v_signatures_self_insert to r_reservation, r_reservation_system; diff --git a/database/sql/reservation/reservation-requests.sql b/database/sql/reservation/reservation-requests.sql index b82f730..6331907 100644 --- a/database/sql/reservation/reservation-requests.sql +++ b/database/sql/reservation/reservation-requests.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Requests **/ +/** Reservation SQL Structure - Requests **/ /** This depends on: reservation-fields.sql, base-workflow.sql **/ start transaction; @@ -38,9 +38,6 @@ create table s_tables.t_request_types ( create sequence s_tables.se_request_types_id owned by s_tables.t_request_types.id; alter table s_tables.t_request_types alter column id set default nextval('s_tables.se_request_types_id'::regclass); -grant select,insert,update on s_tables.t_request_types to r_reservation_manager; -grant select on s_tables.t_request_types to r_reservation_auditor; -grant select,usage on s_tables.se_request_types_id to r_reservation_manager; create index i_request_types_deleted_not on s_tables.t_request_types (id) where not is_deleted; @@ -53,8 +50,6 @@ create view s_requesters.v_request_types with (security_barrier=true) as select id, id_external, name_machine, name_human from s_tables.t_request_types where not is_deleted and not is_locked; -grant select on s_requesters.v_request_types to r_reservation_auditor, r_reservation_requester; - create trigger tr_request_types_update_date_changed_deleted_or_locked before update on s_tables.t_request_types @@ -161,10 +156,6 @@ create table s_tables.t_requests ( create sequence s_tables.se_requests_id owned by s_tables.t_requests.id; alter table s_tables.t_requests alter column id set default nextval('s_tables.se_requests_id'::regclass); -grant select,insert,update on s_tables.t_requests to r_reservation_manager; -grant select on s_tables.t_requests to r_reservation_auditor; -grant select,usage on s_tables.se_requests_id to r_reservation_manager; -grant usage on s_tables.se_requests_id to r_reservation, r_reservation_system; create index i_requests_deleted_not on s_tables.t_requests (id) where not is_deleted; @@ -202,8 +193,6 @@ create view s_users.v_requests_approved with (security_barrier=true) as from s_tables.t_requests where not is_deleted and not is_cancelled and is_approved; -grant select on s_users.v_requests_approved to r_reservation, r_reservation_system; - /*** approved requests (only cancelled) ***/ create view s_users.v_requests_approved_cancelled with (security_barrier=true) as @@ -216,8 +205,6 @@ create view s_users.v_requests_approved_cancelled with (security_barrier=true) a from s_tables.t_requests where not is_deleted and is_cancelled and is_approved; -grant select on s_users.v_requests_approved_cancelled to r_reservation, r_reservation_system; - /*** denied requests (but not cancelled) ***/ create view s_users.v_requests_denied with (security_barrier=true) as @@ -230,8 +217,6 @@ create view s_users.v_requests_denied with (security_barrier=true) as from s_tables.t_requests where not is_deleted and not is_cancelled and is_denied; -grant select on s_users.v_requests_denied to r_reservation, r_reservation_system; - /*** troubled requests (but not cancelled) ***/ create view s_users.v_requests_troubled with (security_barrier=true) as @@ -244,8 +229,6 @@ create view s_users.v_requests_troubled with (security_barrier=true) as from s_tables.t_requests where not is_deleted and not is_cancelled and is_troubled; -grant select on s_users.v_requests_troubled to r_reservation, r_reservation_system; - /*** cancelled requests ***/ create view s_users.v_requests_cancelled with (security_barrier=true) as @@ -258,8 +241,6 @@ create view s_users.v_requests_cancelled with (security_barrier=true) as from s_tables.t_requests where not is_deleted and is_cancelled; -grant select on s_users.v_requests_cancelled to r_reservation, r_reservation_system; - /*** requests the current user belongs to or can manage. ***/ create view s_users.v_requests_self with (security_barrier=true) as @@ -273,8 +254,6 @@ create view s_users.v_requests_self with (security_barrier=true) as from s_tables.t_requests where not is_deleted and id_association in (select id from associations); -grant select on s_users.v_requests_self to r_reservation, r_reservation_system; - /*** requests the current user belongs to or can manage. ***/ create view s_users.v_requests_manage with (security_barrier=true) as @@ -288,8 +267,6 @@ create view s_users.v_requests_manage with (security_barrier=true) as from s_tables.t_requests where not is_deleted and id_association in (select id from associations); -grant select on s_users.v_requests_self to r_reservation, r_reservation_system; - /*** requests the current user belongs to or can coordinate. ***/ create view s_users.v_requests_coordinate with (security_barrier=true) as @@ -303,8 +280,6 @@ create view s_users.v_requests_coordinate with (security_barrier=true) as from s_tables.t_requests where not is_deleted and id_association in (select id from associations); -grant select on s_users.v_requests_self to r_reservation, r_reservation_system; - create trigger tr_requests_update_date_changed_deleted_or_locked before update on s_tables.t_requests @@ -394,9 +369,6 @@ create table s_tables.t_request_revisions_original ( constraint cf_request_revisions_original_association foreign key (id_association) references s_tables.t_associations (id) on delete restrict on update cascade ); -grant select,insert on s_tables.t_request_revisions_original to r_reservation_administer, u_reservation_revision_requests; -grant select on s_tables.t_request_revisions_original to r_reservation_manager, r_reservation_auditor; - /** automatically insert the original request into the original requests table. **/ create function s_tables.f_request_revisions_original_record_revision() returns trigger security definer as $$ @@ -422,7 +394,6 @@ create function s_tables.f_request_revisions_original_record_revision() returns end; $$ language plpgsql; -alter function s_tables.f_request_revisions_original_record_revision () owner to u_reservation_revision_requests; create trigger tr_requests_save_original_revision after insert on s_tables.t_requests @@ -511,9 +482,6 @@ create table s_tables.t_request_revisions ( constraint cf_request_revisions_association foreign key (id_association) references s_tables.t_associations (id) on delete restrict on update cascade ); -grant select,insert on s_tables.t_request_revisions to r_reservation_administer, u_reservation_revision_requests; -grant select on s_tables.t_request_revisions to r_reservation_manager, r_reservation_auditor; - /** automatically update the request revision table. **/ create function s_tables.f_request_revisions_record_revision() returns trigger security definer as $$ @@ -854,7 +822,6 @@ create function s_tables.f_request_revisions_record_revision() returns trigger s end; $$ language plpgsql; -alter function s_tables.f_request_revisions_record_revision () owner to u_reservation_revision_requests; create trigger tr_requests_save_revision after insert on s_tables.t_request_revisions diff --git a/database/sql/reservation/reservation-statistics.sql b/database/sql/reservation/reservation-statistics.sql index 1d27554..2c08f53 100644 --- a/database/sql/reservation/reservation-statistics.sql +++ b/database/sql/reservation/reservation-statistics.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Statistics **/ +/** Reservation SQL Structure - Statistics **/ /** This depends on: reservation-log_users.sql **/ start transaction; @@ -12,61 +12,6 @@ set timezone to UTC; -/** Provide status code statistics **/ -create table s_tables.t_statistics_http_status_codes ( - code smallint not null, - count bigint not null default 0, - - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_deleted timestamp with time zone, - - constraint cp_statistics_http_status_codes primary key (code), - - constraint cc_statistics_http_status_codes_count check (count >= 0), - - constraint cf_statistics_http_status_codes_code foreign key (code) references s_tables.t_type_http_status_codes (id) on delete restrict on update cascade -); - -grant select,insert,update on s_tables.t_statistics_http_status_codes to r_reservation_manager, u_reservation_statistics_update; -grant select on s_tables.t_statistics_http_status_codes to r_reservation_auditor; - - -/** create an auto-update trigger. set the role to r_reservation_manager so that the function runs as that role when using "SECURITY DEFINER". The r_reservation_manager must also have the appropriate create privileges. **/ -create function s_tables.f_statistics_http_status_codes_insert() returns trigger security definer as $$ - begin - if (tg_op = 'INSERT') then - update s_tables.t_statistics_http_status_codes set count = (select count + 1 as count from s_tables.t_statistics_http_status_codes where code = new.response_code) where code = new.response_code; - if not found then - insert into s_tables.t_statistics_http_status_codes (code, count) values (new.response_code, 1); - if not found then return null; end if; - end if; - - return new; - end if; - - return null; - end; -$$ language plpgsql; - -alter function s_tables.f_statistics_http_status_codes_insert () owner to u_reservation_statistics_update; - -create trigger tr_log_user_activity_insert_statistics_http_status_codes - after insert on s_tables.t_log_user_activity - for each row execute procedure s_tables.f_statistics_http_status_codes_insert(); - -create trigger tr_log_users_insert_statistics_http_status_codes - after insert on s_tables.t_log_users - for each row execute procedure s_tables.f_statistics_http_status_codes_insert(); - -create trigger tr_statistics_http_status_codes_date_deleted - before update on s_tables.t_statistics_http_status_codes - for each row execute procedure s_administers.f_common_update_date_deleted(); - - - /** Provide request path statistics **/ create table s_tables.t_statistics_request_path ( path varchar(512) not null, @@ -83,8 +28,6 @@ create table s_tables.t_statistics_request_path ( constraint cc_statistics_request_path_count check (count >= 0) ); -grant select on s_tables.t_statistics_request_path to r_reservation_manager, r_reservation_auditor; - /** permissions prevent this from working as desired, so for now open up these stats to the following users (via a view) **/ /* @todo: review this and try to restrict what accounts can access and set request_path in the same way s_tables.f_statistics_http_status_codes_insert() is handled. */ @@ -92,15 +35,10 @@ create view s_users.v_statistics_request_path with (security_barrier=true) as select path, count from s_tables.t_statistics_request_path with check option; -grant select,insert,update on s_users.v_statistics_request_path to r_reservation, r_reservation_system; - - create view public.v_statistics_request_path with (security_barrier=true) as select path, count from s_tables.t_statistics_request_path with check option; -grant select,insert,update on public.v_statistics_request_path to r_reservation_public; - /** create an auto-update trigger **/ create function s_tables.f_statistics_request_path_insert() returns trigger as $$ @@ -119,6 +57,7 @@ create function s_tables.f_statistics_request_path_insert() returns trigger as $ end; $$ language plpgsql; + create trigger tr_statistics_request_path_insert after insert on s_tables.t_statistics_request_path for each row execute procedure s_tables.f_statistics_request_path_insert(); diff --git a/database/sql/reservation/reservation-types.sql b/database/sql/reservation/reservation-types.sql deleted file mode 100644 index 83d4df9..0000000 --- a/database/sql/reservation/reservation-types.sql +++ /dev/null @@ -1,152 +0,0 @@ -/** Standardized SQL Structure - Logs - Types */ -/** This depends on: reservation-main.sql **/ -start transaction; - - - -/** Custom database specific settings (do this on every connection made) **/ -set bytea_output to hex; -set search_path to s_administers,s_managers,s_auditors,s_publishers,s_insurers,s_financers,s_reviewers,s_editors,s_drafters,s_requesters,s_users,public; -set datestyle to us; -set timezone to UTC; - - - -/*** provide HTTP status codes ***/ -create table s_tables.t_type_http_status_codes ( - id smallint not null, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - constraint cp_log_type_http_status_codes primary key (id), - - constraint cu_log_type_http_status_codes_user unique (name_machine), - - constraint cc_log_type_http_status_codes_id check (id >= 0 and id < 600) -); - -create sequence s_tables.se_log_type_http_status_codes_id owned by s_tables.t_type_http_status_codes.id; -alter table s_tables.t_type_http_status_codes alter column id set default nextval('s_tables.se_log_type_http_status_codes_id'::regclass); - -grant select,insert,update on s_tables.t_type_http_status_codes to r_reservation_administer; -grant select on s_tables.t_type_http_status_codes to r_reservation_manager, r_reservation_auditor; -grant select,usage on s_tables.se_log_type_http_status_codes_id to r_reservation_administer; - -create view public.v_log_type_http_status_codes with (security_barrier=true) as - select id, name_machine, name_human from s_tables.t_type_http_status_codes; - -grant select on public.v_log_type_http_status_codes to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_log_type_http_status_codes_date_changed_deleted_or_locked - before update on s_tables.t_type_http_status_codes - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -/*** provide mime type category id and names ***/ -create table s_tables.t_type_mime_categorys ( - id bigint not null, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - field_category varchar(64), - - constraint cp_types_mime_categorys primary key (id), - - constraint cu_types_mime_categorys_name_machine unique (name_machine), - - constraint cc_types_mime_categorys_id check (id > -1), - constraint cc_types_mime_categorys_name_machine check (name_machine ~ '[A-Za-z]\w*') -); - -grant select,insert,update on s_tables.t_type_mime_categorys to r_reservation_administer; - -create view public.v_types_mime_categorys with (security_barrier=true) as - select id, name_machine, name_human, is_locked from s_tables.t_type_mime_categorys - where not is_deleted; - -grant select on public.v_types_mime_categorys to r_reservation, r_reservation_public, r_reservation_system; - -grant select,insert,update on s_tables.t_type_mime_categorys to r_reservation_administer; - - -create view public.v_types_mime_categorys_locked_not with (security_barrier=true) as - select id, name_machine, name_human, field_category from s_tables.t_type_mime_categorys - where not is_deleted and not is_locked; - -grant select on public.v_types_mime_categorys_locked_not to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_types_mime_categorys_date_changed_deleted_or_locked - before update on s_tables.t_type_mime_categorys - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -/*** provide mime type ids and names ***/ -create table s_tables.t_type_mime_types ( - id bigint not null, - id_category bigint not null, - - name_machine varchar(128) not null, - name_human varchar(256) not null, - - is_locked boolean default false not null, - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_locked timestamp with time zone, - date_deleted timestamp with time zone, - - field_extension varchar(64), - field_mime varchar(128), - - constraint cc_types_mime_types_id check (id > -1), - - constraint cu_types_mime_types_mime_type unique (id, id_category, field_extension, field_mime), - - constraint cf_types_mime_types_id foreign key (id_category) references s_tables.t_type_mime_categorys (id) on delete restrict on update cascade -); - -grant select,insert,update on s_tables.t_type_mime_types to r_reservation_administer; - -create view public.v_types_mime_types with (security_barrier=true) as - select id, id_category, name_machine, name_human, field_extension, field_mime, is_locked from s_tables.t_type_mime_types - where not is_deleted; - -grant select on public.v_types_mime_types to r_reservation, r_reservation_public, r_reservation_system; - -create view public.v_types_mime_types_locked_not with (security_barrier=true) as - select id, id_category, name_machine, name_human, field_extension, field_mime, is_locked from s_tables.t_type_mime_types - where not is_deleted and not is_locked; - -grant select on public.v_types_mime_types to r_reservation, r_reservation_public, r_reservation_system; - - -create trigger tr_types_mime_types_date_changed_deleted_or_locked - before update on s_tables.t_type_mime_types - for each row execute procedure s_administers.f_common_update_date_changed_deleted_or_locked(); - - - -commit transaction; diff --git a/database/sql/reservation/reservation-workflow.sql b/database/sql/reservation/reservation-workflow.sql index 53eb1db..94d4191 100644 --- a/database/sql/reservation/reservation-workflow.sql +++ b/database/sql/reservation/reservation-workflow.sql @@ -1,4 +1,4 @@ -/** Standardized SQL Structure - Workflow **/ +/** Reservation SQL Structure - Workflow **/ /** This depends on: reservation-users.sql **/ start transaction; diff --git a/database/sql/standard/order.install b/database/sql/standard/order.install index f939c28..4d0dcd6 100644 --- a/database/sql/standard/order.install +++ b/database/sql/standard/order.install @@ -3,10 +3,12 @@ standard-main standard-users standard-groups standard-types +standard-files standard-paths standard-log_types standard-log_groups standard-log_problems standard-log_users standard-statistics +standard-permissions standard-last diff --git a/database/sql/standard/standard-files.sql b/database/sql/standard/standard-files.sql index 0ab9ab2..b0a290b 100644 --- a/database/sql/standard/standard-files.sql +++ b/database/sql/standard/standard-files.sql @@ -51,10 +51,6 @@ create table s_tables.t_files ( create sequence s_tables.se_files_id owned by s_tables.t_files.id; alter table s_tables.t_files alter column id set default nextval('s_tables.se_files_id'::regclass); -grant select,insert,update on s_tables.t_files to r_standard_administer; -grant select on s_tables.t_files to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_files_id to r_standard_administer; -grant usage on s_tables.se_files_id to r_standard, r_standard_system; create index i_files_deleted_not on s_tables.t_files (id) where not is_deleted; @@ -74,14 +70,10 @@ create view s_users.v_files with (security_barrier=true) as select id, id_type, id_group, name_machine, name_human, is_private, date_created, date_changed from s_tables.t_files where not is_deleted and (not is_locked or id_group in (select * from allowed_groups)) and (not is_private or (is_private and id_group in (select * from allowed_groups))); -grant select on s_users.v_files to r_standard, r_standard_system; - create view public.v_files with (security_barrier=true) as select id, id_type, NULL::bigint as id_group, name_machine, name_human, NULL::bool as is_private, NULL::bool as date_created, NULL::bool as date_changed from s_tables.t_files where not is_deleted and not is_locked and not is_private; -grant select on public.v_path_types to r_standard, r_standard_public, r_standard_system; - create trigger tr_files_date_changed_deleted_or_locked before update on s_tables.t_files diff --git a/database/sql/standard/standard-groups.sql b/database/sql/standard/standard-groups.sql index 38f2baf..a448816 100644 --- a/database/sql/standard/standard-groups.sql +++ b/database/sql/standard/standard-groups.sql @@ -61,10 +61,6 @@ create table s_tables.t_groups ( create sequence s_tables.se_groups_id owned by s_tables.t_groups.id; alter table s_tables.t_groups alter column id set default nextval('s_tables.se_groups_id'::regclass); -grant select,insert,update on s_tables.t_groups to r_standard_manager, u_standard_groups_handler; -grant select on s_tables.t_groups to r_standard_auditor; -grant select,usage on s_tables.se_groups_id to r_standard_manager; -grant usage on s_tables.se_groups_id to r_standard, r_standard_system, u_standard_groups_handler; /* Note: id_sort is not needed when directly validating against id or name_machine because both of those are already an index. */ create index i_groups_id_sort_a on s_tables.t_groups (id_sort) with (fillfactor = 100) where id_sort = 97; @@ -104,15 +100,11 @@ create view s_users.v_groups_manage_self with (security_barrier=true) as select id, id_external, name_machine, name_human, is_locked, is_composite, is_user, can_manage_paths, settings from s_tables.t_groups where not is_deleted and id_manager in (select * from this_user); -grant select on s_users.v_groups_manage_self to r_standard, r_standard_system; - create view s_users.v_groups_manage_update with (security_barrier=true) as select id, id_external, name_machine, name_human, is_locked, is_composite, is_user, can_manage_paths, settings from s_tables.t_groups where not is_deleted and id_manager in (select id from v_users_self_locked_not) with check option; -grant update on s_users.v_groups_manage_update to r_standard, r_standard_system; - /** each user shall have their own group. Note: this violates the naming standard where group name should be first, such as 'group_kday' instead of 'kday_group'. @@ -127,8 +119,6 @@ create function s_administers.f_groups_group_user_insert() returns trigger secur end; $$ language plpgsql; -alter function s_administers.f_groups_group_user_insert () owner to u_standard_groups_handler; - create function s_administers.f_groups_group_user_update() returns trigger security definer as $$ begin if (old.name_machine <> new.name_machine) then @@ -143,8 +133,6 @@ create function s_administers.f_groups_group_user_update() returns trigger secur end; $$ language plpgsql; -alter function s_administers.f_groups_group_user_update () owner to u_standard_groups_handler; - create trigger tr_groups_group_user_insert after insert on s_tables.t_users @@ -155,6 +143,7 @@ create trigger tr_groups_group_user_update for each row execute procedure s_administers.f_groups_group_user_update(); + /** Groups to Users Association **/ create table s_tables.t_group_users ( id_user bigint not null, @@ -175,9 +164,6 @@ create table s_tables.t_group_users ( constraint cf_group_users_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade ); -grant select,insert,update on s_tables.t_groups to r_standard_manager; -grant select on s_tables.t_groups to r_standard_auditor; - /*** provide current user access to their own information ***/ create view s_users.v_groups_self with (security_barrier=true) as @@ -185,8 +171,6 @@ create view s_users.v_groups_self with (security_barrier=true) as select id, id_external, id_manager, name_machine, name_human, is_locked, is_composite, date_created, date_changed, date_synced, can_manage_paths, settings from s_tables.t_groups where not is_deleted and id in (select * from allowed_groups); -grant select on s_users.v_groups_self to r_standard, r_standard_system; - /*** provide group managers access to manage users assigned to their groups (any user id less than 1000 is reserved/special case, prohibit those). ***/ create view s_users.v_group_users_manage with (security_barrier=true) as with managed_groups as (select id from s_tables.t_groups where not is_deleted and id_manager in (select id from v_users_self_locked_not)), @@ -194,22 +178,16 @@ create view s_users.v_group_users_manage with (security_barrier=true) as select id_user, id_group, is_locked from s_tables.t_group_users where not is_deleted and id_group in (select * from managed_groups) and id_user in (select * from available_users); -grant select on s_users.v_group_users_manage to r_standard, r_standard_system; - create view s_users.v_group_users_manage_insert with (security_barrier=true) as select id_user, id_group from s_tables.t_group_users where not is_deleted and id_group in (select id from s_users.v_groups_manage_self) and id_group in (select id_group from s_tables.t_group_users where not is_deleted and not is_locked and id_user in (select id from v_users_self_locked_not)) and id_user in (select id from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public) with check option; -grant insert on s_users.v_group_users_manage_insert to r_standard, r_standard_system; - create view s_users.v_group_users_manage_update with (security_barrier=true) as select id_user, id_group from s_tables.t_group_users where not is_deleted and id_group in (select id from s_users.v_groups_manage_self) and id_group in (select id_group from s_tables.t_group_users where not is_deleted and not is_locked and id_user in (select id from v_users_self_locked_not)) and id_user in (select id from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public) with check option; -grant update on s_users.v_group_users_manage_update to r_standard, r_standard_system; - create trigger tr_groups_users_date_changed_deleted_or_locked before update on s_tables.t_group_users @@ -236,9 +214,6 @@ create table s_tables.t_group_composites ( constraint cf_group_composites_group foreign key (id_group) references s_tables.t_groups (id) on delete restrict on update cascade ); -grant select,insert,update,delete on s_tables.t_groups to r_standard_manager; -grant select on s_tables.t_groups to r_standard_auditor; - /*** provide group managers access to manage composite groups. ***/ create view s_users.v_group_composites with (security_barrier=true) as @@ -247,22 +222,16 @@ create view s_users.v_group_composites with (security_barrier=true) as select id_composite, id_group, is_locked from s_tables.t_group_composites where not is_deleted and id_group in (select * from managed_groups) or id_group in (select * from allowed_groups); -grant select on s_users.v_group_composites to r_standard, r_standard_system; - create view s_users.v_group_composites_manage_insert with (security_barrier=true) as select id_user, id_group from s_tables.t_group_users where not is_deleted and id_group in (select id_group from s_users.v_group_users_manage where not is_locked) with check option; -grant insert on s_users.v_group_composites_manage_insert to r_standard, r_standard_system; - create view s_users.v_group_composites_manage_update with (security_barrier=true) as select id_user, id_group from s_tables.t_group_users where not is_deleted and id_group in (select id_group from s_users.v_group_users_manage where not is_locked) with check option; -grant update on s_users.v_group_composites_manage_update to r_standard, r_standard_system; - create trigger tr_groups_date_changed_deleted_or_locked before update on s_tables.t_group_composites diff --git a/database/sql/standard/standard-last.sql b/database/sql/standard/standard-last.sql index 9538bcf..b267487 100644 --- a/database/sql/standard/standard-last.sql +++ b/database/sql/standard/standard-last.sql @@ -373,6 +373,13 @@ alter sequence s_tables.se_users_id restart; /*** create hard-coded/internal user ids ***/ + +/** Special Cases: manually add the postgresql and public users first before with all triggers disabled (because some of the triggers depend on this table, recursively). **/ +alter table s_tables.t_users disable trigger all; +insert into s_tables.t_users (id, name_machine, name_human, is_private, is_public) values (1, 'u_standard_public', (null, 'Unknown', null, null, null, 'Unknown'), false, true); +insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system) values (2, 'postgres', (null, 'Database', null, 'Administer', null, 'Database (Administer)'), true, true); +alter table s_tables.t_users enable trigger all; + insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system, is_administer) values (3, 'u_standard_system_administer', (null, 'System', null, 'Administer', null, 'System (Administer)'), false, true, true); insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system, is_manager) values (4, 'u_standard_system_manager', (null, 'System', null, 'Manager', null, 'System (Manager)'), false, true, true); insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system, is_auditor) values (5, 'u_standard_system_auditor', (null, 'System', null, 'Auditor', null, 'System (Auditor)'), false, true, true); diff --git a/database/sql/standard/standard-log_groups.sql b/database/sql/standard/standard-log_groups.sql index 39546e8..307a1b8 100644 --- a/database/sql/standard/standard-log_groups.sql +++ b/database/sql/standard/standard-log_groups.sql @@ -42,9 +42,6 @@ create table s_tables.t_log_groups ( create sequence s_tables.se_log_groups_id owned by s_tables.t_log_groups.id; alter table s_tables.t_log_groups alter column id set default nextval('s_tables.se_log_groups_id'::regclass); -grant select,usage on s_tables.se_log_groups_id to r_standard_manager, r_standard_auditor; -grant usage on s_tables.se_log_groups_id to r_standard, r_standard_system; - /** only allow select and insert for users when user id is current user **/ create view s_users.v_log_groups_self with (security_barrier=true) as @@ -52,15 +49,11 @@ create view s_users.v_log_groups_self with (security_barrier=true) as select id, id_user, id_group, log_type, log_type_sub, log_severity, log_facility, log_details, log_date from s_tables.t_log_groups where id_user in (select * from this_user); -grant select on s_users.v_log_groups_self to r_standard, r_standard_system; - create view s_users.v_log_groups_self_insert with (security_barrier=true) as select id_group, log_type, log_type_sub, log_severity, log_facility, log_details from s_tables.t_log_groups where id_user in (select id from v_users_self_locked_not) and id_group in (select id from s_users.v_groups_self where not is_locked) with check option; -grant insert on s_users.v_log_groups_self_insert to r_standard, r_standard_system; - create trigger tr_log_groups_date_changed_deleted_or_locked before update on s_tables.t_log_groups @@ -101,9 +94,6 @@ create table s_tables.t_log_group_users ( create sequence s_tables.se_log_group_users_id owned by s_tables.t_log_group_users.id; alter table s_tables.t_log_group_users alter column id set default nextval('s_tables.se_log_group_users_id'::regclass); -grant select,usage on s_tables.se_log_group_users_id to r_standard_manager, r_standard_auditor; -grant usage on s_tables.se_log_group_users_id to r_standard, r_standard_system; - /** only allow select and insert for users when user id is current user **/ create view s_users.v_log_group_users_self with (security_barrier=true) as @@ -112,15 +102,11 @@ create view s_users.v_log_group_users_self with (security_barrier=true) as select id, id_user, id_group, log_type, log_type_sub, log_severity, log_facility, log_date from s_tables.t_log_group_users where id_user in (select * from this_user) or id_group in (select * from allowed_groups); -grant select on s_users.v_log_group_users_self to r_standard, r_standard_system; - create view s_users.v_log_group_users_self_insert with (security_barrier=true) as select id_group, log_type, log_type_sub, log_severity, log_facility from s_tables.t_log_group_users where id_user in (select id from v_users_self_locked_not) and id_group in (select id from s_users.v_groups_self where not is_locked) with check option; -grant insert on s_users.v_log_group_users_self_insert to r_standard, r_standard_system; - create trigger tr_log_group_users_date_changed_deleted_or_locked before update on s_tables.t_log_group_users diff --git a/database/sql/standard/standard-log_problems.sql b/database/sql/standard/standard-log_problems.sql index b9ae5fa..2de9522 100644 --- a/database/sql/standard/standard-log_problems.sql +++ b/database/sql/standard/standard-log_problems.sql @@ -33,11 +33,6 @@ create table s_tables.t_log_problems ( create sequence s_tables.se_log_problems_id owned by s_tables.t_log_problems.id; alter table s_tables.t_log_problems alter column id set default nextval('s_tables.se_log_problems_id'::regclass); -grant select,insert,update,delete on s_tables.t_log_problems to r_standard_manager; -grant select on s_tables.t_log_problems to r_standard_auditor; -grant select,usage on s_tables.se_log_problems_id to r_standard_manager; -grant usage on s_tables.se_log_problems_id to r_standard, r_standard_system; - /** Provide a log of problems, associated with a given user. **/ @@ -58,9 +53,6 @@ create table s_tables.t_log_problems_users ( constraint cf_log_problems_users_id_user_session foreign key (id_user_session) references s_tables.t_users (id) on delete restrict on update cascade ); -grant select,insert,update,delete on s_tables.t_log_problems_users to r_standard_manager; -grant select on s_tables.t_log_problems_users to r_standard_auditor; - /** only allow select, insert, and delete for users when user id is current user **/ create view s_users.v_log_problems_users_self with (security_barrier=true) as @@ -68,24 +60,16 @@ create view s_users.v_log_problems_users_self with (security_barrier=true) as select id_problem, date_created, date_changed, log_details from s_tables.t_log_problems_users where id_user in (select * from this_user); -grant select on s_users.v_log_problems_users_self to r_standard, r_standard_system; - - create view s_users.v_log_problems_users_self_insert with (security_barrier=true) as select id_problem, date_changed, log_details from s_tables.t_log_problems_users where id_user in (select id from v_users_self_locked_not) with check option; -grant insert on s_users.v_log_problems_users_self_insert to r_standard, r_standard_system; - - create view s_users.v_log_problems_users_self_delete with (security_barrier=true) as select id_problem from s_tables.t_log_problems_users where id_user in (select id from v_users_self_locked_not) with check option; -grant delete on s_users.v_log_problems_users_self_delete to r_standard, r_standard_system; - /** automatically delete problems deleted from the table s_tables.t_log_problems_users **/ create function s_tables.f_log_problems_users_delete() returns trigger security definer as $$ @@ -99,7 +83,6 @@ create function s_tables.f_log_problems_users_delete() returns trigger security end; $$ language plpgsql; -alter function s_tables.f_log_problems_users_delete () owner to u_standard_logger; create trigger tr_log_problems_users_delete after delete on s_tables.t_log_problems_users diff --git a/database/sql/standard/standard-log_types.sql b/database/sql/standard/standard-log_types.sql index 8590b8a..e4a4b1a 100644 --- a/database/sql/standard/standard-log_types.sql +++ b/database/sql/standard/standard-log_types.sql @@ -36,9 +36,6 @@ create table s_tables.t_log_types ( create sequence s_tables.se_log_types_id owned by s_tables.t_log_types.id; alter table s_tables.t_log_types alter column id set default nextval('s_tables.se_log_types_id'::regclass); -grant select,insert,update on s_tables.t_log_types to r_standard_administer; -grant select on s_tables.t_log_types to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_log_types_id to r_standard_administer; create index i_log_types_deleted_not on s_tables.t_log_types (id) where not is_deleted; @@ -46,12 +43,11 @@ create index i_log_types_deleted_not on s_tables.t_log_types (id) create index i_log_types_public on s_tables.t_log_types (id) where not is_deleted and not is_locked; + create view public.v_log_types with (security_barrier=true) as select id, name_machine, name_human from s_tables.t_log_types where not is_deleted and not is_locked; -grant select on public.v_log_types to r_standard, r_standard_public, r_standard_system; - create trigger tr_log_types_date_changed_deleted_or_locked before update on s_tables.t_log_types @@ -83,16 +79,11 @@ create table s_tables.t_log_type_severitys ( create sequence s_tables.se_log_type_severitys_id owned by s_tables.t_log_type_severitys.id; alter table s_tables.t_log_type_severitys alter column id set default nextval('s_tables.se_log_type_severitys_id'::regclass); -grant select,insert,update on s_tables.t_log_type_severitys to r_standard_administer; -grant select on s_tables.t_log_type_severitys to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_log_type_severitys_id to r_standard_administer; create view s_users.v_log_type_severitys with (security_barrier=true) as select id, name_machine, name_human from s_tables.t_log_type_severitys where not is_deleted; -grant select on s_users.v_log_type_severitys to r_standard, r_standard_public, r_standard_system; - create trigger tr_log_type_severitys_date_changed_deleted_or_locked before update on s_tables.t_log_type_severitys @@ -124,16 +115,11 @@ create table s_tables.t_log_type_facilitys ( create sequence s_tables.se_log_type_facilitys_id owned by s_tables.t_log_type_facilitys.id; alter table s_tables.t_log_type_facilitys alter column id set default nextval('s_tables.se_log_type_facilitys_id'::regclass); -grant select,insert,update on s_tables.t_log_type_facilitys to r_standard_administer; -grant select on s_tables.t_log_type_facilitys to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_log_type_facilitys_id to r_standard_administer; create view s_users.v_log_type_facilitys with (security_barrier=true) as select id, name_machine, name_human from s_tables.t_log_type_facilitys where not is_deleted; -grant select on s_users.v_log_type_facilitys to r_standard, r_standard_public, r_standard_system; - create trigger tr_log_type_facilitys_date_changed_deleted_or_locked before update on s_tables.t_log_type_facilitys diff --git a/database/sql/standard/standard-log_users.sql b/database/sql/standard/standard-log_users.sql index 533c0c0..b98d4c8 100644 --- a/database/sql/standard/standard-log_users.sql +++ b/database/sql/standard/standard-log_users.sql @@ -46,10 +46,6 @@ create table s_tables.t_log_users ( create sequence s_tables.se_log_users_id owned by s_tables.t_log_users.id; alter table s_tables.t_log_users alter column id set default nextval('s_tables.se_log_users_id'::regclass); -grant select on s_tables.t_log_users to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_log_users_id to r_standard_administer; -grant usage on s_tables.se_log_users_id to r_standard, r_standard_public, r_standard_system; - create index i_log_users_response_code_200 on s_tables.t_log_users (id) where response_code = 200; @@ -91,15 +87,11 @@ create view s_users.v_log_users_self with (security_barrier=true) as select id, id_user, log_title, log_type, log_type_sub, log_severity, log_facility, log_details, log_date, request_client, response_code from s_tables.t_log_users where id_user in (select * from this_user); -grant select on s_users.v_log_users_self to r_standard, r_standard_system; - create view s_users.v_log_users_self_insert with (security_barrier=true) as select log_title, log_type, log_type_sub, log_severity, log_facility, log_details, request_client, response_code from s_tables.t_log_users where id_user in (select id from v_users_self_locked_not) with check option; -grant insert on s_users.v_log_users_self_insert to r_standard, r_standard_system; - /** public users should be able to insert, but should never be able to view the logs that they insert. **/ create view public.v_log_users_self_insert with (security_barrier=true) as @@ -107,8 +99,6 @@ create view public.v_log_users_self_insert with (security_barrier=true) as where 'r_standard_public' in (select pr.rolname from pg_auth_members pam inner join pg_roles pr on (pam.roleid = pr.oid) inner join pg_roles pr_u on (pam.member = pr_u.oid) where pr_u.rolname = current_user and pr.rolname = 'r_standard_public') with check option; -grant insert on public.v_log_users_self_insert to r_standard_public; - create trigger tr_log_users_enforce_user_and_session_ids before insert on s_tables.t_log_users @@ -143,9 +133,6 @@ create table s_tables.t_log_user_activity ( create sequence s_tables.se_log_user_activity_id owned by s_tables.t_log_user_activity.id; alter table s_tables.t_log_user_activity alter column id set default nextval('s_tables.se_log_user_activity_id'::regclass); -grant select on s_tables.t_log_user_activity to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_log_user_activity_id to r_standard_administer; -grant usage on s_tables.se_log_user_activity_id to r_standard, r_standard_public, r_standard_system; create index i_log_user_activity_response_code_4xx on s_tables.t_log_user_activity (id) where response_code >= 400 and response_code < 500; @@ -182,15 +169,11 @@ create view s_users.v_log_user_activity_self with (security_barrier=true) as select id, id_user, request_path, request_arguments, request_date, request_client, request_headers, response_headers, response_code from s_tables.t_log_user_activity where id_user in (select * from this_user); -grant select on s_users.v_log_user_activity_self to r_standard, r_standard_system; - create view s_users.v_log_user_activity_self_insert with (security_barrier=true) as select request_path, request_arguments, request_client, request_headers, response_headers, response_code from s_tables.t_log_user_activity where id_user in (select id from v_users_self_locked_not) with check option; -grant insert on s_users.v_log_user_activity_self_insert to r_standard, r_standard_system; - /** public users should be able to insert, but should never be able to view the logs that they insert. **/ create view public.v_log_user_activity_self_insert with (security_barrier=true) as @@ -198,8 +181,6 @@ create view public.v_log_user_activity_self_insert with (security_barrier=true) where id_user in (select id from v_users_self_locked_not) with check option; -grant insert on public.v_log_user_activity_self_insert to r_standard_public; - create trigger tr_log_user_activity_enforce_user_and_session_ids before insert on s_tables.t_log_user_activity diff --git a/database/sql/standard/standard-main.sql b/database/sql/standard/standard-main.sql index 54df364..002f70c 100644 --- a/database/sql/standard/standard-main.sql +++ b/database/sql/standard/standard-main.sql @@ -30,19 +30,6 @@ create schema s_requesters authorization postgres; create schema s_users authorization postgres; create schema s_tables authorization postgres; -grant usage on schema s_administers to r_standard_administer; -grant usage on schema s_managers to r_standard_manager; -grant usage on schema s_auditors to r_standard_auditor; -grant usage on schema s_publishers to r_standard_publisher; -grant usage on schema s_insurers to r_standard_insurer; -grant usage on schema s_financers to r_standard_financer; -grant usage on schema s_reviewers to r_standard_reviewer; -grant usage on schema s_editors to r_standard_editor; -grant usage on schema s_drafters to r_standard_drafter; -grant usage on schema s_requesters to r_standard_requester; -grant usage on schema s_users to r_standard; - -grant usage on schema s_tables to u_standard_revision_requests, u_standard_statistics_update, u_standard_logger, u_standard_groups_handler; /** Composite Types **/ diff --git a/database/sql/standard/standard-paths.sql b/database/sql/standard/standard-paths.sql index 37b8afb..9abd4e8 100644 --- a/database/sql/standard/standard-paths.sql +++ b/database/sql/standard/standard-paths.sql @@ -61,10 +61,6 @@ create table s_tables.t_paths ( create sequence s_tables.se_paths_id owned by s_tables.t_paths.id; alter table s_tables.t_paths alter column id set default nextval('s_tables.se_paths_id'::regclass); -grant select,insert,update on s_tables.t_paths to r_standard_administer; -grant select on s_tables.t_paths to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_paths_id to r_standard_administer; -grant usage on s_tables.se_paths_id to r_standard, r_standard_system; create index i_paths_deleted_not on s_tables.t_paths (id) where not is_deleted; @@ -134,14 +130,10 @@ create view s_users.v_paths with (security_barrier=true) as select id, id_group, name_machine, name_human, is_content, is_alias, is_redirect, is_coded, is_dynamic, is_locked, is_private, field_path, field_destination, field_response_code, date_created, date_changed, date_locked from s_tables.t_paths where not is_deleted and (not is_locked or not is_private or id_group in (select * from allowed_groups)); -grant select on s_users.v_paths to r_standard, r_standard_system; - create view public.v_paths with (security_barrier=true) as select id, NULL::bigint as id_group, name_machine, name_human, is_content, is_alias, is_redirect, is_coded, is_dynamic, FALSE as is_locked, FALSE as is_private, field_path, field_destination, field_response_code, NULL::bool as date_created, NULL::bool as date_changed, NULL::bool as date_locked from s_tables.t_paths where not is_deleted and not is_locked and not is_private; -grant select on public.v_paths to r_standard_public; - create trigger tr_paths_date_changed_deleted_or_locked before update on s_tables.t_paths diff --git a/database/sql/standard/standard-permissions.sql b/database/sql/standard/standard-permissions.sql new file mode 100644 index 0000000..b32ddd2 --- /dev/null +++ b/database/sql/standard/standard-permissions.sql @@ -0,0 +1,571 @@ +/** Standardized SQL Structure - Permissions */ +/** This depends on: everything in standard, do this after everything but before standard-last.sql **/ +start transaction; + + + +/* standard-main.sql permissions */ +grant usage on schema s_administers to r_standard_administer; +grant usage on schema s_managers to r_standard_manager; +grant usage on schema s_auditors to r_standard_auditor; +grant usage on schema s_publishers to r_standard_publisher; +grant usage on schema s_insurers to r_standard_insurer; +grant usage on schema s_financers to r_standard_financer; +grant usage on schema s_reviewers to r_standard_reviewer; +grant usage on schema s_editors to r_standard_editor; +grant usage on schema s_drafters to r_standard_drafter; +grant usage on schema s_requesters to r_standard_requester; +grant usage on schema s_users to r_standard; + +grant usage on schema s_tables to u_standard_revision_requests, u_standard_statistics_update, u_standard_logger, u_standard_groups_handler; + + +/* standard-users.sql permissions */ +grant select,insert,update on s_tables.t_users to r_standard_administer; +grant select on s_tables.t_users to r_standard_auditor; + +grant select,usage on s_tables.se_users_id to r_standard_administer; +grant usage on s_tables.se_users_id to r_standard, r_standard_system; + +grant select on s_users.v_users_self to r_standard, r_standard_system; + +grant select on public.v_users_self_session to r_standard, r_standard_system, r_standard_public; +grant select on public.v_users_self_locked_not to r_standard, r_standard_system, r_standard_public; +grant select on public.v_users_self_exists to r_standard, r_standard_system, r_standard_public; + +grant insert on s_users.v_users_self_insert to r_standard, r_standard_system; +grant update on s_users.v_users_self_update to r_standard, r_standard_system; + +grant select on public.v_users_self to r_standard_public, r_standard, r_standard_system; +grant select on public.v_users to r_standard, r_standard_public, r_standard_system; +grant select on public.v_users_email to r_standard, r_standard_public, r_standard_system; + +grant select on s_managers.v_users to r_standard_manager; +grant insert on s_managers.v_users_insert to r_standard_manager; +grant update on s_managers.v_users_update to r_standard_manager; +grant select on s_managers.v_users to r_standard_manager; + +alter materialized view s_administers.m_users_date_created_this_day owner to r_standard_administer; +alter materialized view s_administers.m_users_date_created_previous_day owner to r_standard_administer; +alter materialized view s_administers.m_users_date_created_previous_month owner to r_standard_administer; +alter materialized view s_administers.m_users_date_created_previous_year owner to r_standard_administer; + +alter materialized view s_administers.m_users_date_changed_this_day owner to r_standard_administer; +alter materialized view s_administers.m_users_date_changed_previous_day owner to r_standard_administer; +alter materialized view s_administers.m_users_date_changed_previous_month owner to r_standard_administer; +alter materialized view s_administers.m_users_date_changed_previous_year owner to r_standard_administer; + +alter materialized view s_administers.m_users_date_synced_this_day owner to r_standard_administer; +alter materialized view s_administers.m_users_date_synced_previous_day owner to r_standard_administer; +alter materialized view s_administers.m_users_date_synced_previous_month owner to r_standard_administer; +alter materialized view s_administers.m_users_date_synced_previous_year owner to r_standard_administer; + +grant select on s_administers.m_users_date_created_this_day to r_standard_manager; +grant select on s_administers.m_users_date_created_previous_day to r_standard_manager; +grant select on s_administers.m_users_date_created_previous_month to r_standard_manager; +grant select on s_administers.m_users_date_created_previous_year to r_standard_manager; + +grant select on s_administers.m_users_date_changed_this_day to r_standard_manager; +grant select on s_administers.m_users_date_changed_previous_day to r_standard_manager; +grant select on s_administers.m_users_date_changed_previous_month to r_standard_manager; +grant select on s_administers.m_users_date_changed_previous_year to r_standard_manager; + +grant select on s_administers.m_users_date_synced_this_day to r_standard_manager; +grant select on s_administers.m_users_date_synced_previous_day to r_standard_manager; +grant select on s_administers.m_users_date_synced_previous_month to r_standard_manager; +grant select on s_administers.m_users_date_synced_previous_year to r_standard_manager; + +grant select on s_administers.m_users_date_created_this_day to r_standard_manager; +grant select on s_administers.m_users_date_created_previous_day to r_standard_manager; +grant select on s_administers.m_users_date_created_previous_month to r_standard_manager; +grant select on s_administers.m_users_date_created_previous_year to r_standard_manager; + +alter function s_administers.f_users_insert_as_administer() owner to u_standard_grant_roles; +alter function s_administers.f_users_update_as_administer() owner to u_standard_grant_roles; +alter function s_administers.f_users_update_materialized_views() owner to r_standard_administer; + + +/* attempt to auto-manage postgresql standard roles with the standard database user roles. */ +/* user ids 1 and 2 are explicitly reserved for anonymous/public and the database postgresql accounts. */ +/* postgresql does not seem to support variables for the user with grant and revoke, therefore the execute statement is used to perform the query. */ +/* @fixme: the name_machine must be forcibly sanitized to be alphanumeric, -, or _ in all cases. */ +create or replace function s_administers.f_users_insert_as_administer() returns trigger security definer as $$ + declare + name_machine constant text default quote_ident(new.name_machine); + begin + if (new.id = 1 or new.id = 2) then + return null; + end if; + + set client_min_messages to error; + + if (new.is_locked or new.is_deleted) then + if (new.is_deleted) then + execute 'revoke r_standard from ' || name_machine; + execute 'revoke r_standard_system from ' || name_machine; + execute 'revoke r_standard_public from ' || name_machine; + elseif (new.is_public) then + execute 'grant r_standard_public to ' || name_machine; + elseif (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + elseif (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then + execute 'grant r_standard to ' || name_machine; + end if; + + execute 'revoke r_standard_administer from ' || name_machine; + execute 'revoke r_standard_manager from ' || name_machine; + execute 'revoke r_standard_auditor from ' || name_machine; + execute 'revoke r_standard_publisher from ' || name_machine; + execute 'revoke r_standard_financer from ' || name_machine; + execute 'revoke r_standard_insurer from ' || name_machine; + execute 'revoke r_standard_reviewer from ' || name_machine; + execute 'revoke r_standard_editor from ' || name_machine; + execute 'revoke r_standard_drafter from ' || name_machine; + execute 'revoke r_standard_requester from ' || name_machine; + elseif (new.is_public) then + execute 'grant r_standard_public to ' || name_machine; + execute 'revoke r_standard from ' || name_machine; + + if (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + else + execute 'revoke r_standard_system from ' || name_machine; + end if; + + execute 'revoke r_standard_administer from ' || name_machine; + execute 'revoke r_standard_manager from ' || name_machine; + execute 'revoke r_standard_auditor from ' || name_machine; + execute 'revoke r_standard_publisher from ' || name_machine; + execute 'revoke r_standard_financer from ' || name_machine; + execute 'revoke r_standard_insurer from ' || name_machine; + execute 'revoke r_standard_reviewer from ' || name_machine; + execute 'revoke r_standard_editor from ' || name_machine; + execute 'revoke r_standard_drafter from ' || name_machine; + execute 'revoke r_standard_requester from ' || name_machine; + else + if (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + + execute 'revoke r_standard from ' || name_machine; + execute 'revoke r_standard_public from ' || name_machine; + elseif (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then + execute 'grant r_standard to ' || name_machine; + + execute 'revoke r_standard_system from ' || name_machine; + execute 'revoke r_standard_public from ' || name_machine; + end if; + + if (new.is_administer) then + execute 'grant r_standard_administer to ' || name_machine; + end if; + + if (new.is_manager) then + execute 'grant r_standard_manager to ' || name_machine; + end if; + + if (new.is_auditor) then + execute 'grant r_standard_auditor to ' || name_machine; + end if; + + if (new.is_publisher) then + execute 'grant r_standard_publisher to ' || name_machine; + end if; + + if (new.is_insurer) then + execute 'grant r_standard_insurer to ' || name_machine; + end if; + + if (new.is_financer) then + execute 'grant r_standard_financer to ' || name_machine; + end if; + + if (new.is_reviewer) then + execute 'grant r_standard_reviewer to ' || name_machine; + end if; + + if (new.is_editor) then + execute 'grant r_standard_editor to ' || name_machine; + end if; + + if (new.is_drafter) then + execute 'grant r_standard_drafter to ' || name_machine; + end if; + + if (new.is_requester) then + execute 'grant r_standard_requester to ' || name_machine; + end if; + end if; + + reset client_min_messages; + + return null; + end; +$$ language plpgsql; + +create or replace function s_administers.f_users_update_as_administer() returns trigger security definer as $$ + declare + name_machine constant text default quote_ident(new.name_machine); + begin + if (new.id = 1 or new.id = 2) then + return null; + end if; + + set client_min_messages to error; + + if (old.is_locked <> new.is_locked or old.is_deleted <> new.is_deleted) then + if (old.is_deleted <> new.is_deleted) then + if (new.is_deleted) then + execute 'revoke r_standard from ' || name_machine; + execute 'revoke r_standard_system from ' || name_machine; + execute 'revoke r_standard_public from ' || name_machine; + else + if (new.is_public) then + execute 'grant r_standard_public to ' || name_machine; + elseif (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + elseif (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then + execute 'grant r_standard to ' || name_machine; + end if; + end if; + end if; + + if (new.is_locked or new.is_deleted) then + execute 'revoke r_standard_administer from ' || name_machine; + execute 'revoke r_standard_manager from ' || name_machine; + execute 'revoke r_standard_auditor from ' || name_machine; + execute 'revoke r_standard_publisher from ' || name_machine; + execute 'revoke r_standard_financer from ' || name_machine; + execute 'revoke r_standard_insurer from ' || name_machine; + execute 'revoke r_standard_reviewer from ' || name_machine; + execute 'revoke r_standard_editor from ' || name_machine; + execute 'revoke r_standard_drafter from ' || name_machine; + execute 'revoke r_standard_requester from ' || name_machine; + execute 'revoke r_standard_system from ' || name_machine; + execute 'revoke r_standard_public from ' || name_machine; + elseif (new.is_public) then + execute 'grant r_standard_public to ' || name_machine; + + if (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + end if; + else + if (new.is_administer) then + execute 'grant r_standard_administer to ' || name_machine; + end if; + + if (new.is_manager) then + execute 'grant r_standard_manager to ' || name_machine; + end if; + + if (new.is_auditor) then + execute 'grant r_standard_auditor to ' || name_machine; + end if; + + if (new.is_publisher) then + execute 'grant r_standard_publisher to ' || name_machine; + end if; + + if (new.is_financer) then + execute 'grant r_standard_financer to ' || name_machine; + end if; + + if (new.is_insurer) then + execute 'grant r_standard_insurer to ' || name_machine; + end if; + + if (new.is_reviewer) then + execute 'grant r_standard_reviewer to ' || name_machine; + end if; + + if (new.is_editor) then + execute 'grant r_standard_editor to ' || name_machine; + end if; + + if (new.is_drafter) then + execute 'grant r_standard_drafter to ' || name_machine; + end if; + + if (new.is_requester) then + execute 'grant r_standard_requester to ' || name_machine; + end if; + + if (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + end if; + end if; + elseif (old.is_public <> new.is_public and new.is_public) then + execute 'grant r_standard_public to ' || name_machine; + + execute 'revoke r_standard_administer from ' || name_machine; + execute 'revoke r_standard_manager from ' || name_machine; + execute 'revoke r_standard_auditor from ' || name_machine; + execute 'revoke r_standard_publisher from ' || name_machine; + execute 'revoke r_standard_financer from ' || name_machine; + execute 'revoke r_standard_insurer from ' || name_machine; + execute 'revoke r_standard_reviewer from ' || name_machine; + execute 'revoke r_standard_editor from ' || name_machine; + execute 'revoke r_standard_drafter from ' || name_machine; + execute 'revoke r_standard_requester from ' || name_machine; + + if (old.is_system <> new.is_system) then + if (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + else + execute 'revoke r_standard_system from ' || name_machine; + end if; + end if; + else + if (old.is_public <> new.is_public) then + execute 'revoke r_standard_public from ' || name_machine; + end if; + + if (old.is_system <> new.is_system) then + if (new.is_system) then + execute 'grant r_standard_system to ' || name_machine; + else + execute 'revoke r_standard_system from ' || name_machine; + end if; + elseif (not new.is_system) then + if (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then + execute 'grant r_standard to ' || name_machine; + end if; + end if; + + if (old.is_administer <> new.is_administer) then + if (new.is_administer) then + execute 'grant r_standard_administer to ' || name_machine; + else + execute 'revoke r_standard_administer from ' || name_machine; + end if; + end if; + + if (old.is_manager <> new.is_manager) then + if (new.is_manager) then + execute 'grant r_standard_manager to ' || name_machine; + else + execute 'revoke r_standard_manager from ' || name_machine; + end if; + end if; + + if (old.is_auditor <> new.is_auditor) then + if (new.is_auditor) then + execute 'grant r_standard_auditor to ' || name_machine; + else + execute 'revoke r_standard_auditor from ' || name_machine; + end if; + end if; + + if (old.is_publisher <> new.is_publisher) then + if (new.is_publisher) then + execute 'grant r_standard_publisher to ' || name_machine; + else + execute 'revoke r_standard_publisher from ' || name_machine; + end if; + end if; + + if (old.is_insurer <> new.is_insurer) then + if (new.is_insurer) then + execute 'grant r_standard_insurer to ' || name_machine; + else + execute 'revoke r_standard_insurer from ' || name_machine; + end if; + end if; + + if (old.is_financer <> new.is_financer) then + if (new.is_financer) then + execute 'grant r_standard_financer to ' || name_machine; + else + execute 'revoke r_standard_financer from ' || name_machine; + end if; + end if; + + if (old.is_reviewer <> new.is_reviewer) then + if (new.is_reviewer) then + execute 'grant r_standard_reviewer to ' || name_machine; + else + execute 'revoke r_standard_reviewer from ' || name_machine; + end if; + end if; + + if (old.is_editor <> new.is_editor) then + if (new.is_editor) then + execute 'grant r_standard_editor to ' || name_machine; + else + execute 'revoke r_standard_editor from ' || name_machine; + end if; + end if; + + if (old.is_drafter <> new.is_drafter) then + if (new.is_drafter) then + execute 'grant r_standard_drafter to ' || name_machine; + else + execute 'revoke r_standard_drafter from ' || name_machine; + end if; + end if; + + if (old.is_requester <> new.is_requester) then + if (new.is_requester) then + execute 'grant r_standard_requester to ' || name_machine; + else + execute 'revoke r_standard_requester from ' || name_machine; + end if; + end if; + end if; + + reset client_min_messages; + + return null; + end; +$$ language plpgsql; + + +/* standard-groups.sql permissions */ +grant select,insert,update on s_tables.t_groups to r_standard_manager, u_standard_groups_handler; +grant select on s_tables.t_groups to r_standard_auditor; +grant select,usage on s_tables.se_groups_id to r_standard_manager; +grant usage on s_tables.se_groups_id to r_standard, r_standard_system, u_standard_groups_handler; + +grant select on s_users.v_groups_manage_self to r_standard, r_standard_system; +grant update on s_users.v_groups_manage_update to r_standard, r_standard_system; + +alter function s_administers.f_groups_group_user_insert () owner to u_standard_groups_handler; +alter function s_administers.f_groups_group_user_update () owner to u_standard_groups_handler; + +grant select,insert,update on s_tables.t_groups to r_standard_manager; +grant select on s_tables.t_groups to r_standard_auditor; + +grant select on s_users.v_groups_self to r_standard, r_standard_system; +grant select on s_users.v_group_users_manage to r_standard, r_standard_system; +grant insert on s_users.v_group_users_manage_insert to r_standard, r_standard_system; +grant update on s_users.v_group_users_manage_update to r_standard, r_standard_system; + +grant select,insert,update,delete on s_tables.t_groups to r_standard_manager; +grant select on s_tables.t_groups to r_standard_auditor; + +grant select on s_users.v_group_composites to r_standard, r_standard_system; +grant insert on s_users.v_group_composites_manage_insert to r_standard, r_standard_system; +grant update on s_users.v_group_composites_manage_update to r_standard, r_standard_system; + + +/* standard-types.sql permissions */ +grant select,insert,update on s_tables.t_type_http_status_codes to r_standard_administer; +grant select on s_tables.t_type_http_status_codes to r_standard_manager, r_standard_auditor; + +grant select,usage on s_tables.se_log_type_http_status_codes_id to r_standard_administer; +grant select on public.v_log_type_http_status_codes to r_standard, r_standard_public, r_standard_system; +grant select,insert,update on s_tables.t_type_mime_categorys to r_standard_administer; +grant select on public.v_types_mime_categorys to r_standard, r_standard_public, r_standard_system; +grant select,insert,update on s_tables.t_type_mime_categorys to r_standard_administer; +grant select on public.v_types_mime_categorys_locked_not to r_standard, r_standard_public, r_standard_system; +grant select,insert,update on s_tables.t_type_mime_types to r_standard_administer; + +grant select on public.v_types_mime_types to r_standard, r_standard_public, r_standard_system; +grant select on public.v_types_mime_types to r_standard, r_standard_public, r_standard_system; + + +/* standard-files.sql permissions */ +grant select,insert,update on s_tables.t_files to r_standard_administer; +grant select on s_tables.t_files to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_files_id to r_standard_administer; +grant usage on s_tables.se_files_id to r_standard, r_standard_system; + +grant select on s_users.v_files to r_standard, r_standard_system; +grant select on public.v_path_types to r_standard, r_standard_public, r_standard_system; + + +/* standard-paths.sql permissions */ +grant select,insert,update on s_tables.t_paths to r_standard_administer; +grant select on s_tables.t_paths to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_paths_id to r_standard_administer; + +grant usage on s_tables.se_paths_id to r_standard, r_standard_system; + +grant select on s_users.v_paths to r_standard, r_standard_system; +grant select on public.v_paths to r_standard_public; + + +/* standard-log_types.sql permissions */ +grant select,insert,update on s_tables.t_log_types to r_standard_administer; +grant select on s_tables.t_log_types to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_log_types_id to r_standard_administer; + +grant select on public.v_log_types to r_standard, r_standard_public, r_standard_system; + +grant select,insert,update on s_tables.t_log_type_severitys to r_standard_administer; +grant select on s_tables.t_log_type_severitys to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_log_type_severitys_id to r_standard_administer; + +grant select on s_users.v_log_type_severitys to r_standard, r_standard_public, r_standard_system; + +grant select,insert,update on s_tables.t_log_type_facilitys to r_standard_administer; +grant select on s_tables.t_log_type_facilitys to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_log_type_facilitys_id to r_standard_administer; + +grant select on s_users.v_log_type_facilitys to r_standard, r_standard_public, r_standard_system; + + +/* standard-log_groups.sql permissions */ +grant select,usage on s_tables.se_log_groups_id to r_standard_manager, r_standard_auditor; +grant usage on s_tables.se_log_groups_id to r_standard, r_standard_system; + +grant select on s_users.v_log_groups_self to r_standard, r_standard_system; + +grant insert on s_users.v_log_groups_self_insert to r_standard, r_standard_system; + +grant select,usage on s_tables.se_log_group_users_id to r_standard_manager, r_standard_auditor; +grant usage on s_tables.se_log_group_users_id to r_standard, r_standard_system; + +grant select on s_users.v_log_group_users_self to r_standard, r_standard_system; + +grant insert on s_users.v_log_group_users_self_insert to r_standard, r_standard_system; + + +/* standard-log_problems.sql permissions */ +grant select,insert,update,delete on s_tables.t_log_problems to r_standard_manager; +grant select on s_tables.t_log_problems to r_standard_auditor; +grant select,usage on s_tables.se_log_problems_id to r_standard_manager; +grant usage on s_tables.se_log_problems_id to r_standard, r_standard_system; + +grant select,insert,update,delete on s_tables.t_log_problems_users to r_standard_manager; +grant select on s_tables.t_log_problems_users to r_standard_auditor; + +grant select on s_users.v_log_problems_users_self to r_standard, r_standard_system; + +grant insert on s_users.v_log_problems_users_self_insert to r_standard, r_standard_system; + +grant delete on s_users.v_log_problems_users_self_delete to r_standard, r_standard_system; + +alter function s_tables.f_log_problems_users_delete () owner to u_standard_logger; + + +/* standard-log_users.sql permissions */ +grant select on s_tables.t_log_users to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_log_users_id to r_standard_administer; +grant usage on s_tables.se_log_users_id to r_standard, r_standard_public, r_standard_system; + +grant select on s_users.v_log_users_self to r_standard, r_standard_system; +grant insert on s_users.v_log_users_self_insert to r_standard, r_standard_system; +grant insert on public.v_log_users_self_insert to r_standard_public; + +grant select on s_tables.t_log_user_activity to r_standard_manager, r_standard_auditor; +grant select,usage on s_tables.se_log_user_activity_id to r_standard_administer; +grant usage on s_tables.se_log_user_activity_id to r_standard, r_standard_public, r_standard_system; + +grant select on s_users.v_log_user_activity_self to r_standard, r_standard_system; +grant insert on s_users.v_log_user_activity_self_insert to r_standard, r_standard_system; +grant insert on public.v_log_user_activity_self_insert to r_standard_public; + + +/* standard-statistics.sql permissions */ +grant select,insert,update on s_tables.t_statistics_http_status_codes to r_standard_manager, u_standard_statistics_update; +grant select on s_tables.t_statistics_http_status_codes to r_standard_auditor; +grant select on s_tables.t_statistics_request_path to r_standard_manager, r_standard_auditor; + +grant select,insert,update on s_users.v_statistics_request_path to r_standard, r_standard_system; +grant select,insert,update on public.v_statistics_request_path to r_standard_public; + +alter function s_tables.f_statistics_http_status_codes_insert () owner to u_standard_statistics_update; + + + +commit transaction; diff --git a/database/sql/standard/standard-statistics.sql b/database/sql/standard/standard-statistics.sql index 2ef9788..afa9748 100644 --- a/database/sql/standard/standard-statistics.sql +++ b/database/sql/standard/standard-statistics.sql @@ -30,9 +30,6 @@ create table s_tables.t_statistics_http_status_codes ( constraint cf_statistics_http_status_codes_code foreign key (code) references s_tables.t_type_http_status_codes (id) on delete restrict on update cascade ); -grant select,insert,update on s_tables.t_statistics_http_status_codes to r_standard_manager, u_standard_statistics_update; -grant select on s_tables.t_statistics_http_status_codes to r_standard_auditor; - /** create an auto-update trigger. set the role to r_standard_manager so that the function runs as that role when using "SECURITY DEFINER". The r_standard_manager must also have the appropriate create privileges. **/ create function s_tables.f_statistics_http_status_codes_insert() returns trigger security definer as $$ @@ -51,7 +48,6 @@ create function s_tables.f_statistics_http_status_codes_insert() returns trigger end; $$ language plpgsql; -alter function s_tables.f_statistics_http_status_codes_insert () owner to u_standard_statistics_update; create trigger tr_log_user_activity_insert_statistics_http_status_codes after insert on s_tables.t_log_user_activity @@ -67,66 +63,4 @@ create trigger tr_statistics_http_status_codes_date_deleted -/** Provide request path statistics **/ -create table s_tables.t_statistics_request_path ( - path varchar(512) not null, - count bigint not null default 0, - - is_deleted boolean default false not null, - - date_created timestamp with time zone default current_timestamp not null, - date_changed timestamp with time zone default current_timestamp not null, - date_deleted timestamp with time zone, - - constraint cp_statistics_request_path primary key (path), - - constraint cc_statistics_request_path_count check (count >= 0) -); - -grant select on s_tables.t_statistics_request_path to r_standard_manager, r_standard_auditor; - - -/** permissions prevent this from working as desired, so for now open up these stats to the following users (via a view) **/ -/* @todo: review this and try to restrict what accounts can access and set request_path in the same way s_tables.f_statistics_http_status_codes_insert() is handled. */ -create view s_users.v_statistics_request_path with (security_barrier=true) as - select path, count from s_tables.t_statistics_request_path - with check option; - -grant select,insert,update on s_users.v_statistics_request_path to r_standard, r_standard_system; - - -create view public.v_statistics_request_path with (security_barrier=true) as - select path, count from s_tables.t_statistics_request_path - with check option; - -grant select,insert,update on public.v_statistics_request_path to r_standard_public; - - -/** create an auto-update trigger **/ -create function s_tables.f_statistics_request_path_insert() returns trigger as $$ - begin - if (tg_op = 'INSERT') then - update v_statistics_request_path set count = (select count + 1 as count from v_statistics_request_path where path = new.request_path) where path = new.request_path; - if not found then - insert into v_statistics_request_path (path, count) values (new.request_path, 1); - if not found then return null; end if; - end if; - - return new; - end if; - - return null; - end; -$$ language plpgsql; - -create trigger tr_statistics_request_path_insert - after insert on s_tables.t_statistics_request_path - for each row execute procedure s_tables.f_statistics_request_path_insert(); - -create trigger tr_statistics_request_path_date_deleted - before update on s_tables.t_statistics_request_path - for each row execute procedure s_administers.f_common_update_date_deleted(); - - - commit transaction; diff --git a/database/sql/standard/standard-types.sql b/database/sql/standard/standard-types.sql index d7e4fa2..894604d 100644 --- a/database/sql/standard/standard-types.sql +++ b/database/sql/standard/standard-types.sql @@ -37,15 +37,10 @@ create table s_tables.t_type_http_status_codes ( create sequence s_tables.se_log_type_http_status_codes_id owned by s_tables.t_type_http_status_codes.id; alter table s_tables.t_type_http_status_codes alter column id set default nextval('s_tables.se_log_type_http_status_codes_id'::regclass); -grant select,insert,update on s_tables.t_type_http_status_codes to r_standard_administer; -grant select on s_tables.t_type_http_status_codes to r_standard_manager, r_standard_auditor; -grant select,usage on s_tables.se_log_type_http_status_codes_id to r_standard_administer; create view public.v_log_type_http_status_codes with (security_barrier=true) as select id, name_machine, name_human from s_tables.t_type_http_status_codes; -grant select on public.v_log_type_http_status_codes to r_standard, r_standard_public, r_standard_system; - create trigger tr_log_type_http_status_codes_date_changed_deleted_or_locked before update on s_tables.t_type_http_status_codes @@ -78,23 +73,15 @@ create table s_tables.t_type_mime_categorys ( constraint cc_types_mime_categorys_name_machine check (name_machine ~ '[A-Za-z]\w*') ); -grant select,insert,update on s_tables.t_type_mime_categorys to r_standard_administer; create view public.v_types_mime_categorys with (security_barrier=true) as select id, name_machine, name_human, is_locked from s_tables.t_type_mime_categorys where not is_deleted; -grant select on public.v_types_mime_categorys to r_standard, r_standard_public, r_standard_system; - -grant select,insert,update on s_tables.t_type_mime_categorys to r_standard_administer; - - create view public.v_types_mime_categorys_locked_not with (security_barrier=true) as select id, name_machine, name_human, field_category from s_tables.t_type_mime_categorys where not is_deleted and not is_locked; -grant select on public.v_types_mime_categorys_locked_not to r_standard, r_standard_public, r_standard_system; - create trigger tr_types_mime_categorys_date_changed_deleted_or_locked before update on s_tables.t_type_mime_categorys @@ -128,20 +115,15 @@ create table s_tables.t_type_mime_types ( constraint cf_types_mime_types_id foreign key (id_category) references s_tables.t_type_mime_categorys (id) on delete restrict on update cascade ); -grant select,insert,update on s_tables.t_type_mime_types to r_standard_administer; create view public.v_types_mime_types with (security_barrier=true) as select id, id_category, name_machine, name_human, field_extension, field_mime, is_locked from s_tables.t_type_mime_types where not is_deleted; -grant select on public.v_types_mime_types to r_standard, r_standard_public, r_standard_system; - create view public.v_types_mime_types_locked_not with (security_barrier=true) as select id, id_category, name_machine, name_human, field_extension, field_mime, is_locked from s_tables.t_type_mime_types where not is_deleted and not is_locked; -grant select on public.v_types_mime_types to r_standard, r_standard_public, r_standard_system; - create trigger tr_types_mime_types_date_changed_deleted_or_locked before update on s_tables.t_type_mime_types diff --git a/database/sql/standard/standard-users.sql b/database/sql/standard/standard-users.sql index 0f6353d..b727b6e 100644 --- a/database/sql/standard/standard-users.sql +++ b/database/sql/standard/standard-users.sql @@ -63,10 +63,6 @@ create table s_tables.t_users ( create sequence s_tables.se_users_id owned by s_tables.t_users.id; alter table s_tables.t_users alter column id set default nextval('s_tables.se_users_id'::regclass); -grant select,insert,update on s_tables.t_users to r_standard_administer; -grant select on s_tables.t_users to r_standard_auditor; -grant select,usage on s_tables.se_users_id to r_standard_administer; -grant usage on s_tables.se_users_id to r_standard, r_standard_system; create index i_users_deleted_not on s_tables.t_users (id) where not is_deleted; @@ -80,7 +76,6 @@ create index i_users_locked_not on s_tables.t_users (id) create index i_users_private_email_not on s_tables.t_users (id) where not is_deleted and not is_private and not (address_email).private; - /* Note: id_sort is not needed when directly validating against id or name_machine because both of those are already an index. */ create index i_users_id_sort_a on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 97; create index i_users_id_sort_b on s_tables.t_users (id_sort) with (fillfactor = 100) where id_sort = 98; @@ -116,91 +111,65 @@ create view s_users.v_users_self with (security_barrier=true) as select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users where not is_deleted and (name_machine)::text = (current_user)::text; -grant select on s_users.v_users_self to r_standard, r_standard_system; - create view public.v_users_self_session with (security_barrier=true) as select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users where not is_deleted and (name_machine)::text = (session_user)::text; -grant select on public.v_users_self_session to r_standard, r_standard_system, r_standard_public; - create view public.v_users_self_locked_not with (security_barrier=true) as select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, can_manage_roles, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users where not is_deleted and not is_locked and (name_machine)::text = (current_user)::text; -grant select on public.v_users_self_locked_not to r_standard, r_standard_system, r_standard_public; - create view public.v_users_self_exists with (security_barrier=true) as select id, name_machine, is_system, is_public, is_locked, is_deleted from s_tables.t_users where (name_machine)::text = (current_user)::text; -grant select on public.v_users_self_exists to r_standard, r_standard_system, r_standard_public; - create view s_users.v_users_self_insert with (security_barrier=true) as select id_external, name_human, address_email, is_private, settings from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public and (name_machine)::text = (current_user)::text with check option; -grant insert on s_users.v_users_self_insert to r_standard, r_standard_system; - create view s_users.v_users_self_update with (security_barrier=true) as select address_email, is_private, settings from s_tables.t_users where not is_deleted and not is_locked and not is_system and not is_public and (name_machine)::text = (current_user)::text with check option; -grant update on s_users.v_users_self_update to r_standard, r_standard_system; - /**** anonymous user has uid = 1 ****/ create view public.v_users_self with (security_barrier=true) as select id, id_external, id_sort, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_system, is_public, is_locked, is_private, is_deleted, date_created, date_changed, date_synced, date_locked, null::timestamp as date_deleted, settings from s_tables.t_users where not is_deleted and id = 1; -grant select on public.v_users_self to r_standard_public, r_standard, r_standard_system; - /*** provide public user information ***/ create view public.v_users with (security_barrier=true) as select id, null::bigint as id_external, id_sort, name_machine, name_human, null::public.ct_email as address_email, null::bool as is_administer, null::bool as is_manager, null::bool as is_auditor, null::bool as is_publisher, null::bool as is_insurer, null::bool as is_financer, null::bool as is_reviewer, null::bool as is_editor, null::bool as is_drafter, null::bool as is_requester, is_system, is_public, null::bool as is_locked, is_private, is_deleted, null::bool as can_manage_roles, null::timestamp as date_created, null::timestamp as date_changed, null::timestamp as date_synced, null::timestamp as date_locked, null::timestamp as date_deleted, null::json as settings from s_tables.t_users where (not is_deleted and not is_private) or (not is_deleted and (name_machine)::text = (current_user)::text); -grant select on public.v_users to r_standard, r_standard_public, r_standard_system; - /*** provide e-mail address as public information only if it is explicitly allowed ***/ create view public.v_users_email with (security_barrier=true) as select id, null::bigint as id_external, id_sort, name_machine, name_human, address_email, null::bool as is_administer, null::bool as is_manager, null::bool as is_auditor, null::bool as is_publisher, null::bool as is_insurer, null::bool as is_financer, null::bool as is_reviewer, null::bool as is_editor, null::bool as is_drafter, null::bool as is_requester, is_system, is_public, null::bool as is_locked, is_private, is_deleted, null::bool as can_manage_roles, null::timestamp as date_created, null::timestamp as date_changed, null::timestamp as date_synced, null::timestamp as date_locked, null::timestamp as date_deleted, null::json as settings from s_tables.t_users where (not is_deleted and not is_private and not (address_email).private) or (not is_deleted and (name_machine)::text = (current_user)::text); -grant select on public.v_users_email to r_standard, r_standard_public, r_standard_system; - /*** provide managers with the ability to modify accounts ***/ create view s_managers.v_users with (security_barrier=true) as select * from s_tables.t_users where not is_deleted; -grant select on s_managers.v_users to r_standard_manager; - create view s_managers.v_users_insert with (security_barrier=true) as select id, id_external, name_machine, name_human, address_email, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_locked, is_private, can_manage_roles, settings from s_tables.t_users with check option; -grant insert on s_managers.v_users_insert to r_standard_manager; - create view s_managers.v_users_update with (security_barrier=true) as select id, id_external, name_machine, name_human, address_email, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_locked, is_private, can_manage_roles, settings from s_tables.t_users where not is_deleted with check option; -grant update on s_managers.v_users_update to r_standard_manager; - create view s_managers.v_users_deleted with (security_barrier=true) as select id, id_external, name_machine, name_human, address_email, is_administer, is_manager, is_auditor, is_publisher, is_insurer, is_financer, is_reviewer, is_editor, is_drafter, is_requester, is_locked, is_private, can_manage_roles, date_created, date_changed, date_synced, date_locked, settings from s_tables.t_users where is_deleted; -grant select on s_managers.v_users to r_standard_manager; - /** Create Materialized views for table based on history (maybe current day should be a view and previous days should be a materialized view that is updated by cron?) **/ create materialized view s_administers.m_users_date_created_this_day as select * from s_tables.t_users where date_trunc('day', date_created) = date_trunc('day', current_timestamp); @@ -218,41 +187,6 @@ create materialized view s_administers.m_users_date_synced_previous_day as selec create materialized view s_administers.m_users_date_synced_previous_month as select * from s_tables.t_users where date_trunc('month', date_synced) = date_trunc('month', current_timestamp) - interval '1 month'; create materialized view s_administers.m_users_date_synced_previous_year as select * from s_tables.t_users where date_trunc('year', date_synced) = date_trunc('year', current_timestamp) - interval '1 year'; -alter materialized view s_administers.m_users_date_created_this_day owner to r_standard_administer; -alter materialized view s_administers.m_users_date_created_previous_day owner to r_standard_administer; -alter materialized view s_administers.m_users_date_created_previous_month owner to r_standard_administer; -alter materialized view s_administers.m_users_date_created_previous_year owner to r_standard_administer; - -alter materialized view s_administers.m_users_date_changed_this_day owner to r_standard_administer; -alter materialized view s_administers.m_users_date_changed_previous_day owner to r_standard_administer; -alter materialized view s_administers.m_users_date_changed_previous_month owner to r_standard_administer; -alter materialized view s_administers.m_users_date_changed_previous_year owner to r_standard_administer; - -alter materialized view s_administers.m_users_date_synced_this_day owner to r_standard_administer; -alter materialized view s_administers.m_users_date_synced_previous_day owner to r_standard_administer; -alter materialized view s_administers.m_users_date_synced_previous_month owner to r_standard_administer; -alter materialized view s_administers.m_users_date_synced_previous_year owner to r_standard_administer; - -grant select on s_administers.m_users_date_created_this_day to r_standard_manager; -grant select on s_administers.m_users_date_created_previous_day to r_standard_manager; -grant select on s_administers.m_users_date_created_previous_month to r_standard_manager; -grant select on s_administers.m_users_date_created_previous_year to r_standard_manager; - -grant select on s_administers.m_users_date_changed_this_day to r_standard_manager; -grant select on s_administers.m_users_date_changed_previous_day to r_standard_manager; -grant select on s_administers.m_users_date_changed_previous_month to r_standard_manager; -grant select on s_administers.m_users_date_changed_previous_year to r_standard_manager; - -grant select on s_administers.m_users_date_synced_this_day to r_standard_manager; -grant select on s_administers.m_users_date_synced_previous_day to r_standard_manager; -grant select on s_administers.m_users_date_synced_previous_month to r_standard_manager; -grant select on s_administers.m_users_date_synced_previous_year to r_standard_manager; - -grant select on s_administers.m_users_date_created_this_day to r_standard_manager; -grant select on s_administers.m_users_date_created_previous_day to r_standard_manager; -grant select on s_administers.m_users_date_created_previous_month to r_standard_manager; -grant select on s_administers.m_users_date_created_previous_year to r_standard_manager; - create function s_administers.f_users_insert_actions() returns trigger as $$ begin @@ -291,116 +225,9 @@ create function s_administers.f_users_update_actions() returns trigger as $$ $$ language plpgsql; -/* attempt to auto-manage postgresql standard roles with the standard database user roles. */ -/* user ids 1 and 2 are explicitly reserved for anonymous/public and the database postgresql accounts. */ -/* postgresql does not seem to support variables for the user with grant and revoke, therefore the execute statement is used to perform the query. */ -/* @fixme: the name_machine must be forcibly sanitized to be alphanumeric, -, or _ in all cases. */ +/* This is a stub function intended to be replaced with site-specific content in standard-permissions.sql (and therefore the site-specific one, such as reservation-permission.sql).. */ create function s_administers.f_users_insert_as_administer() returns trigger security definer as $$ - declare - name_machine constant text default quote_ident(new.name_machine); begin - if (new.id = 1 or new.id = 2) then - return null; - end if; - - set client_min_messages to error; - - if (new.is_locked or new.is_deleted) then - if (new.is_deleted) then - execute 'revoke r_standard from ' || name_machine; - execute 'revoke r_standard_system from ' || name_machine; - execute 'revoke r_standard_public from ' || name_machine; - elseif (new.is_public) then - execute 'grant r_standard_public to ' || name_machine; - elseif (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - elseif (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then - execute 'grant r_standard to ' || name_machine; - end if; - - execute 'revoke r_standard_administer from ' || name_machine; - execute 'revoke r_standard_manager from ' || name_machine; - execute 'revoke r_standard_auditor from ' || name_machine; - execute 'revoke r_standard_publisher from ' || name_machine; - execute 'revoke r_standard_financer from ' || name_machine; - execute 'revoke r_standard_insurer from ' || name_machine; - execute 'revoke r_standard_reviewer from ' || name_machine; - execute 'revoke r_standard_editor from ' || name_machine; - execute 'revoke r_standard_drafter from ' || name_machine; - execute 'revoke r_standard_requester from ' || name_machine; - elseif (new.is_public) then - execute 'grant r_standard_public to ' || name_machine; - execute 'revoke r_standard from ' || name_machine; - - if (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - else - execute 'revoke r_standard_system from ' || name_machine; - end if; - - execute 'revoke r_standard_administer from ' || name_machine; - execute 'revoke r_standard_manager from ' || name_machine; - execute 'revoke r_standard_auditor from ' || name_machine; - execute 'revoke r_standard_publisher from ' || name_machine; - execute 'revoke r_standard_financer from ' || name_machine; - execute 'revoke r_standard_insurer from ' || name_machine; - execute 'revoke r_standard_reviewer from ' || name_machine; - execute 'revoke r_standard_editor from ' || name_machine; - execute 'revoke r_standard_drafter from ' || name_machine; - execute 'revoke r_standard_requester from ' || name_machine; - else - if (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - - execute 'revoke r_standard from ' || name_machine; - execute 'revoke r_standard_public from ' || name_machine; - elseif (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then - execute 'grant r_standard to ' || name_machine; - - execute 'revoke r_standard_system from ' || name_machine; - execute 'revoke r_standard_public from ' || name_machine; - end if; - - if (new.is_administer) then - execute 'grant r_standard_administer to ' || name_machine; - end if; - - if (new.is_manager) then - execute 'grant r_standard_manager to ' || name_machine; - end if; - - if (new.is_auditor) then - execute 'grant r_standard_auditor to ' || name_machine; - end if; - - if (new.is_publisher) then - execute 'grant r_standard_publisher to ' || name_machine; - end if; - - if (new.is_insurer) then - execute 'grant r_standard_insurer to ' || name_machine; - end if; - - if (new.is_financer) then - execute 'grant r_standard_financer to ' || name_machine; - end if; - - if (new.is_reviewer) then - execute 'grant r_standard_reviewer to ' || name_machine; - end if; - - if (new.is_editor) then - execute 'grant r_standard_editor to ' || name_machine; - end if; - - if (new.is_drafter) then - execute 'grant r_standard_drafter to ' || name_machine; - end if; - - if (new.is_requester) then - execute 'grant r_standard_requester to ' || name_machine; - end if; - end if; reset client_min_messages; @@ -408,218 +235,9 @@ create function s_administers.f_users_insert_as_administer() returns trigger sec end; $$ language plpgsql; -alter function s_administers.f_users_insert_as_administer() owner to u_standard_grant_roles; - - +/* This is a stub function intended to be replaced with site-specific content in standard-permissions.sql (and therefore the site-specific one, such as reservation-permission.sql).. */ create function s_administers.f_users_update_as_administer() returns trigger security definer as $$ - declare - name_machine constant text default quote_ident(new.name_machine); begin - if (new.id = 1 or new.id = 2) then - return null; - end if; - - set client_min_messages to error; - - if (old.is_locked <> new.is_locked or old.is_deleted <> new.is_deleted) then - if (old.is_deleted <> new.is_deleted) then - if (new.is_deleted) then - execute 'revoke r_standard from ' || name_machine; - execute 'revoke r_standard_system from ' || name_machine; - execute 'revoke r_standard_public from ' || name_machine; - else - if (new.is_public) then - execute 'grant r_standard_public to ' || name_machine; - elseif (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - elseif (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then - execute 'grant r_standard to ' || name_machine; - end if; - end if; - end if; - - if (new.is_locked or new.is_deleted) then - execute 'revoke r_standard_administer from ' || name_machine; - execute 'revoke r_standard_manager from ' || name_machine; - execute 'revoke r_standard_auditor from ' || name_machine; - execute 'revoke r_standard_publisher from ' || name_machine; - execute 'revoke r_standard_financer from ' || name_machine; - execute 'revoke r_standard_insurer from ' || name_machine; - execute 'revoke r_standard_reviewer from ' || name_machine; - execute 'revoke r_standard_editor from ' || name_machine; - execute 'revoke r_standard_drafter from ' || name_machine; - execute 'revoke r_standard_requester from ' || name_machine; - execute 'revoke r_standard_system from ' || name_machine; - execute 'revoke r_standard_public from ' || name_machine; - elseif (new.is_public) then - execute 'grant r_standard_public to ' || name_machine; - - if (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - end if; - else - if (new.is_administer) then - execute 'grant r_standard_administer to ' || name_machine; - end if; - - if (new.is_manager) then - execute 'grant r_standard_manager to ' || name_machine; - end if; - - if (new.is_auditor) then - execute 'grant r_standard_auditor to ' || name_machine; - end if; - - if (new.is_publisher) then - execute 'grant r_standard_publisher to ' || name_machine; - end if; - - if (new.is_financer) then - execute 'grant r_standard_financer to ' || name_machine; - end if; - - if (new.is_insurer) then - execute 'grant r_standard_insurer to ' || name_machine; - end if; - - if (new.is_reviewer) then - execute 'grant r_standard_reviewer to ' || name_machine; - end if; - - if (new.is_editor) then - execute 'grant r_standard_editor to ' || name_machine; - end if; - - if (new.is_drafter) then - execute 'grant r_standard_drafter to ' || name_machine; - end if; - - if (new.is_requester) then - execute 'grant r_standard_requester to ' || name_machine; - end if; - - if (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - end if; - end if; - elseif (old.is_public <> new.is_public and new.is_public) then - execute 'grant r_standard_public to ' || name_machine; - - execute 'revoke r_standard_administer from ' || name_machine; - execute 'revoke r_standard_manager from ' || name_machine; - execute 'revoke r_standard_auditor from ' || name_machine; - execute 'revoke r_standard_publisher from ' || name_machine; - execute 'revoke r_standard_financer from ' || name_machine; - execute 'revoke r_standard_insurer from ' || name_machine; - execute 'revoke r_standard_reviewer from ' || name_machine; - execute 'revoke r_standard_editor from ' || name_machine; - execute 'revoke r_standard_drafter from ' || name_machine; - execute 'revoke r_standard_requester from ' || name_machine; - - if (old.is_system <> new.is_system) then - if (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - else - execute 'revoke r_standard_system from ' || name_machine; - end if; - end if; - else - if (old.is_public <> new.is_public) then - execute 'revoke r_standard_public from ' || name_machine; - end if; - - if (old.is_system <> new.is_system) then - if (new.is_system) then - execute 'grant r_standard_system to ' || name_machine; - else - execute 'revoke r_standard_system from ' || name_machine; - end if; - elseif (not new.is_system) then - if (new.is_requester or new.is_drafter or new.is_editor or new.is_reviewer or new.is_financer or new.is_insurer or new.is_publisher or new.is_auditor or new.is_manager or new.is_administer) then - execute 'grant r_standard to ' || name_machine; - end if; - end if; - - if (old.is_administer <> new.is_administer) then - if (new.is_administer) then - execute 'grant r_standard_administer to ' || name_machine; - else - execute 'revoke r_standard_administer from ' || name_machine; - end if; - end if; - - if (old.is_manager <> new.is_manager) then - if (new.is_manager) then - execute 'grant r_standard_manager to ' || name_machine; - else - execute 'revoke r_standard_manager from ' || name_machine; - end if; - end if; - - if (old.is_auditor <> new.is_auditor) then - if (new.is_auditor) then - execute 'grant r_standard_auditor to ' || name_machine; - else - execute 'revoke r_standard_auditor from ' || name_machine; - end if; - end if; - - if (old.is_publisher <> new.is_publisher) then - if (new.is_publisher) then - execute 'grant r_standard_publisher to ' || name_machine; - else - execute 'revoke r_standard_publisher from ' || name_machine; - end if; - end if; - - if (old.is_insurer <> new.is_insurer) then - if (new.is_insurer) then - execute 'grant r_standard_insurer to ' || name_machine; - else - execute 'revoke r_standard_insurer from ' || name_machine; - end if; - end if; - - if (old.is_financer <> new.is_financer) then - if (new.is_financer) then - execute 'grant r_standard_financer to ' || name_machine; - else - execute 'revoke r_standard_financer from ' || name_machine; - end if; - end if; - - if (old.is_reviewer <> new.is_reviewer) then - if (new.is_reviewer) then - execute 'grant r_standard_reviewer to ' || name_machine; - else - execute 'revoke r_standard_reviewer from ' || name_machine; - end if; - end if; - - if (old.is_editor <> new.is_editor) then - if (new.is_editor) then - execute 'grant r_standard_editor to ' || name_machine; - else - execute 'revoke r_standard_editor from ' || name_machine; - end if; - end if; - - if (old.is_drafter <> new.is_drafter) then - if (new.is_drafter) then - execute 'grant r_standard_drafter to ' || name_machine; - else - execute 'revoke r_standard_drafter from ' || name_machine; - end if; - end if; - - if (old.is_requester <> new.is_requester) then - if (new.is_requester) then - execute 'grant r_standard_requester to ' || name_machine; - else - execute 'revoke r_standard_requester from ' || name_machine; - end if; - end if; - end if; reset client_min_messages; @@ -627,8 +245,6 @@ create function s_administers.f_users_update_as_administer() returns trigger sec end; $$ language plpgsql; -alter function s_administers.f_users_update_as_administer() owner to u_standard_grant_roles; - create function s_administers.f_users_update_materialized_views() returns trigger security definer as $$ begin @@ -640,7 +256,6 @@ create function s_administers.f_users_update_materialized_views() returns trigge end; $$ language plpgsql; -alter function s_administers.f_users_update_materialized_views() owner to r_standard_administer; create trigger tr_users_insert_actions before insert on s_tables.t_users @@ -662,10 +277,6 @@ create trigger tr_users_update_materialized_views after insert or update on s_tables.t_users for each statement execute procedure s_administers.f_users_update_materialized_views(); -/** Special Cases: manually add the postgresql and public users first before any logging triggers are defined (because some of them depend on this table recursively! **/ -insert into s_tables.t_users (id, name_machine, name_human, is_private, is_public) values (1, 'u_standard_public', (null, 'Unknown', null, null, null, 'Unknown'), false, true); -insert into s_tables.t_users (id, name_machine, name_human, is_private, is_system) values (2, 'postgres', (null, 'Database', null, 'Administer', null, 'Database (Administer)'), true, true); - commit transaction; -- 1.8.3.1