fix: fix infinite recusrion for row level security to select unpublis…
…hed related items
ewan-escience authored and dmijatovic committed Jun 21, 2022
1 parent 34e7b4f commit 4418a5e
Showing 1 changed file with 24 additions and 7 deletions.
31 changes: 24 additions & 7 deletions database/020-row-level-security.sql
Expand Up @@ -16,6 +16,15 @@ BEGIN
END
$$;

CREATE FUNCTION related_software() RETURNS SETOF UUID STABLE LANGUAGE plpgsql SECURITY DEFINER AS
$$
BEGIN
RETURN QUERY SELECT software FROM software_for_organisation WHERE organisation IN (SELECT * FROM organisations_of_current_maintainer());
RETURN QUERY SELECT software FROM software_for_project WHERE project IN (SELECT * FROM projects_of_current_maintainer());
RETURN;
END
$$;

CREATE POLICY maintainer_select ON maintainer_for_software FOR SELECT TO rsd_user
USING (software IN (SELECT * FROM software_of_current_maintainer()));

Expand All @@ -40,6 +49,15 @@ BEGIN
END
$$;

CREATE FUNCTION related_projects() RETURNS SETOF UUID STABLE LANGUAGE plpgsql SECURITY DEFINER AS
$$
BEGIN
RETURN QUERY SELECT project FROM project_for_organisation WHERE organisation IN (SELECT * FROM organisations_of_current_maintainer());
RETURN QUERY SELECT project FROM software_for_project WHERE software IN (SELECT * FROM software_of_current_maintainer());
RETURN;
END
$$;

CREATE POLICY maintainer_select ON maintainer_for_project FOR SELECT TO rsd_user
USING (project IN (SELECT * FROM projects_of_current_maintainer()));

Expand Down Expand Up @@ -131,12 +149,11 @@ CREATE POLICY admin_all_rights ON invite_maintainer_for_organisation TO rsd_admi
-- software
ALTER TABLE software ENABLE ROW LEVEL SECURITY;

CREATE POLICY anyone_can_read ON software FOR SELECT TO web_anon
CREATE POLICY anyone_can_read ON software FOR SELECT TO web_anon, rsd_user
USING (is_published);

-- RSD user can read all software incl. not published ones
CREATE POLICY rsd_user_can_read ON software FOR SELECT TO rsd_user
USING (TRUE);
CREATE POLICY maintainer_select_related ON software FOR SELECT TO rsd_user
USING (id IN (SELECT * FROM related_software()));

CREATE POLICY maintainer_all_rights ON software TO rsd_user
USING (id IN (SELECT * FROM software_of_current_maintainer()))
Expand Down Expand Up @@ -247,11 +264,11 @@ CREATE POLICY admin_all_rights ON keyword_for_software TO rsd_admin
-- projects
ALTER TABLE project ENABLE ROW LEVEL SECURITY;

CREATE POLICY anyone_read_published ON project FOR SELECT TO web_anon
CREATE POLICY anyone_can_read ON project FOR SELECT TO web_anon, rsd_user
USING (is_published);

CREATE POLICY rsd_user_read_all ON project FOR SELECT TO rsd_user
USING (TRUE);
CREATE POLICY maintainer_select_related ON project FOR SELECT TO rsd_user
USING (id IN (SELECT * FROM related_projects()));

CREATE POLICY maintainer_all_rights ON project TO rsd_user
USING (id IN (SELECT * FROM projects_of_current_maintainer()))
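Review bot: `related_software()` in the first hunk (and `related_projects()` in the second) is declared `SECURITY DEFINER` without a pinned `search_path`, so the unqualified names in its body (`software_for_organisation`, `software_for_project`, the `*_of_current_maintainer()` helpers) are resolved through the calling session's search path while the function runs with the owner's privileges; Postgres' guidance for SECURITY DEFINER functions is to add `SET search_path = pg_catalog, <schema holding these tables>` to the definition. The same guidance suggests `REVOKE EXECUTE ON FUNCTION related_software() FROM PUBLIC` followed by a grant to `rsd_user`, unless the earlier helper functions in this file already follow that convention (their definitions are outside these hunks, so I cannot tell). A short comment on why the function must be SECURITY DEFINER would help the next reader, e.g. `-- SECURITY DEFINER: runs as the owner so these lookups are not themselves filtered by the policies that call this function (the RLS recursion this commit fixes)`; the mechanism is inferred from the commit title and should be confirmed.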
