You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CREATE POLICY group_membership_select_policy ONpublic.group_membership FOR SELECT USING (public.in_group(group_id));
61
+
CREATE POLICY group_membership_delete_policy ONpublic.group_membership FOR DELETE USING (member_id =auth.uid() ORpublic.is_group_admin(group_id));
62
+
CREATE POLICY group_membership_insert_policy ONpublic.group_membership FOR INSERT WITH CHECK (public.is_group_admin(group_id) OR NOT public.group_exists(group_id));
63
+
CREATE POLICY group_membership_update_policy ONpublic.group_membership FOR UPDATE WITH CHECK (public.is_group_admin(group_id));
64
+
65
+
66
+
CREATE OR REPLACEFUNCTIONpublic.my_user_accounts() RETURNS SETOF UUID
67
+
STABLE SECURITY DEFINER
68
+
SET search_path =''
69
+
LANGUAGE sql
70
+
AS $$
71
+
SELECTauth.uid() WHEREauth.uid() IS NOT NULLUNION
72
+
SELECT group_id FROMpublic.group_membership
73
+
WHERE member_id =auth.uid();
74
+
$$;
75
+
76
+
COMMENT ON FUNCTION public.my_user_accounts IS 'security utility: The uids which give me access, either as myself or as a group member.';
77
+
78
+
CREATE OR REPLACEFUNCTIONpublic.my_space_ids() RETURNS BIGINT []
79
+
STABLE SECURITY DEFINER
80
+
SET search_path =''
81
+
LANGUAGE sql
82
+
AS $$
83
+
SELECT COALESCE(array_agg(distinct space_id), '{}') AS ids
84
+
FROM public."SpaceAccess"
85
+
JOINpublic.my_user_accounts() ON (account_uid = my_user_accounts);
86
+
$$;
87
+
88
+
CREATE OR REPLACEFUNCTIONpublic.in_space(space_id BIGINT) RETURNS boolean
89
+
STABLE SECURITY DEFINER
90
+
SET search_path =''
91
+
LANGUAGE sql
92
+
AS $$
93
+
SELECT EXISTS (SELECT1FROM public."SpaceAccess"AS sa
94
+
JOINpublic.my_user_accounts() ON (sa.account_uid= my_user_accounts)
95
+
WHEREsa.space_id=in_space.space_id);
96
+
$$;
97
+
98
+
CREATE OR REPLACEFUNCTIONpublic.account_in_shared_space(p_account_id BIGINT) RETURNS boolean
99
+
STABLE SECURITY DEFINER
100
+
SET search_path =''
101
+
LANGUAGE sql AS $$
102
+
SELECT EXISTS (
103
+
SELECT1
104
+
FROM public."LocalAccess"AS la
105
+
JOIN public."SpaceAccess"AS sa USING (space_id)
106
+
JOINpublic.my_user_accounts() ON (sa.account_uid= my_user_accounts)
107
+
WHEREla.account_id= p_account_id
108
+
);
109
+
$$;
110
+
111
+
CREATE OR REPLACEFUNCTIONpublic.unowned_account_in_shared_space(p_account_id BIGINT) RETURNS boolean
112
+
STABLE SECURITY DEFINER
113
+
SET search_path =''
114
+
LANGUAGE sql AS $$
115
+
SELECT EXISTS (
116
+
SELECT1
117
+
FROM public."SpaceAccess"AS sa
118
+
JOINpublic.my_user_accounts() ON (sa.account_uid= my_user_accounts)
119
+
JOIN public."LocalAccess"AS la USING (space_id)
120
+
JOIN public."PlatformAccount"AS pa ON (pa.id=la.account_id)
121
+
WHEREla.account_id= p_account_id
122
+
ANDpa.dg_account IS NULL
123
+
);
124
+
$$;
125
+
126
+
CREATE OR REPLACEVIEWpublic.my_accounts AS
127
+
SELECT
128
+
id,
129
+
name,
130
+
platform,
131
+
account_local_id,
132
+
write_permission,
133
+
active,
134
+
agent_type,
135
+
metadata,
136
+
dg_account
137
+
FROM public."PlatformAccount"
138
+
WHERE id IN (
139
+
SELECT"LocalAccess".account_id FROM public."LocalAccess"
140
+
JOIN public."SpaceAccess" USING (space_id)
141
+
JOINpublic.my_user_accounts() ON (account_uid = my_user_accounts)
CREATE OR REPLACEFUNCTIONpublic.my_space_ids() RETURNS BIGINT []
236
305
STABLE SECURITY DEFINER
237
306
SET search_path =''
238
307
LANGUAGE sql
239
308
AS $$
240
309
SELECT COALESCE(array_agg(distinct space_id), '{}') AS ids
241
310
FROM public."SpaceAccess"
242
-
WHEREaccount_uid =auth.uid();
311
+
JOINpublic.my_user_accounts() ON (account_uid =my_user_accounts);
243
312
$$;
244
313
COMMENT ON FUNCTION public.my_space_ids IS 'security utility: all spaces the user has access to';
245
314
@@ -250,8 +319,8 @@ SET search_path = ''
250
319
LANGUAGE sql
251
320
AS $$
252
321
SELECT EXISTS (SELECT1FROM public."SpaceAccess"AS sa
253
-
WHEREsa.space_id=in_space.space_id
254
-
ANDsa.account_uid=auth.uid());
322
+
JOINpublic.my_user_accounts() ON (sa.account_uid=my_user_accounts)
323
+
WHEREsa.space_id=in_space.space_id);
255
324
$$;
256
325
257
326
COMMENT ON FUNCTION public.in_space IS 'security utility: does current user have access to this space?';
@@ -265,8 +334,8 @@ LANGUAGE sql AS $$
265
334
SELECT1
266
335
FROM public."LocalAccess"AS la
267
336
JOIN public."SpaceAccess"AS sa USING (space_id)
337
+
JOINpublic.my_user_accounts() ON (sa.account_uid= my_user_accounts)
268
338
WHEREla.account_id= p_account_id
269
-
ANDsa.account_uid=auth.uid()
270
339
);
271
340
$$;
272
341
@@ -279,10 +348,10 @@ LANGUAGE sql AS $$
279
348
SELECT EXISTS (
280
349
SELECT1
281
350
FROM public."SpaceAccess"AS sa
351
+
JOINpublic.my_user_accounts() ON (sa.account_uid= my_user_accounts)
282
352
JOIN public."LocalAccess"AS la USING (space_id)
283
353
JOIN public."PlatformAccount"AS pa ON (pa.id=la.account_id)
284
354
WHEREla.account_id= p_account_id
285
-
ANDsa.account_uid=auth.uid()
286
355
ANDpa.dg_account IS NULL
287
356
);
288
357
$$;
@@ -328,7 +397,7 @@ FROM public."PlatformAccount"
328
397
WHERE id IN (
329
398
SELECT"LocalAccess".account_id FROM public."LocalAccess"
330
399
JOIN public."SpaceAccess" USING (space_id)
331
-
WHERE"SpaceAccess".account_uid =auth.uid()
400
+
JOINpublic.my_user_accounts() ON (account_uid =my_user_accounts)
332
401
);
333
402
334
403
DROP POLICY IF EXISTS platform_account_policy ON public."PlatformAccount";
@@ -399,3 +468,17 @@ CREATE POLICY agent_identifier_insert_policy ON public."AgentIdentifier" FOR INS
399
468
400
469
DROP POLICY IF EXISTS agent_identifier_update_policy ON public."AgentIdentifier";
401
470
CREATE POLICY agent_identifier_update_policy ON public."AgentIdentifier" FOR UPDATE WITH CHECK (public.unowned_account_in_shared_space(account_id) ORpublic.is_my_account(account_id));
DROP POLICY IF EXISTS group_membership_select_policy ONpublic.group_membership;
475
+
CREATE POLICY group_membership_select_policy ONpublic.group_membership FOR SELECT USING (public.in_group(group_id));
476
+
477
+
DROP POLICY IF EXISTS group_membership_delete_policy ONpublic.group_membership;
478
+
CREATE POLICY group_membership_delete_policy ONpublic.group_membership FOR DELETE USING (member_id =auth.uid() ORpublic.is_group_admin(group_id));
479
+
480
+
DROP POLICY IF EXISTS group_membership_insert_policy ONpublic.group_membership;
481
+
CREATE POLICY group_membership_insert_policy ONpublic.group_membership FOR INSERT WITH CHECK (public.is_group_admin(group_id) OR NOT public.group_exists(group_id));
482
+
483
+
DROP POLICY IF EXISTS group_membership_update_policy ONpublic.group_membership;
484
+
CREATE POLICY group_membership_update_policy ONpublic.group_membership FOR UPDATE WITH CHECK (public.is_group_admin(group_id));
0 commit comments