diff --git a/views/002_seed.sql b/views/002_seed.sql
index f54e84fe..6872d7f2 100644
--- a/views/002_seed.sql
+++ b/views/002_seed.sql
@@ -24,3 +24,9 @@ BEGIN
 (5, 'Low', 'info', ARRAY['P4']);
 END IF;
 END $$;
+
+-- CREATE a ROLE that will own all views where we need to enforce RLS.
+-- TODO: Don't create if exists
+CREATE ROLE IF NOT EXISTS api_views_owner NOSUPERUSER NOBYPASSRLS;
+
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
index 8cfc02ca..f51c4f50 100644
--- a/views/034_rls_enable.sql
+++ b/views/034_rls_enable.sql
@@ -16,3 +16,11 @@ CREATE POLICY components_auth ON components FOR ALL TO postgrest_api, postgrest_anon USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
+-- View owners
+-- TODO: Add more
+ALTER VIEW config_detail OWNER TO api_views_owner;
+ALTER VIEW config_labels OWNER TO api_views_owner;
+ALTER VIEW config_names OWNER TO api_views_owner;
+ALTER VIEW config_statuses OWNER TO api_views_owner;
+ALTER VIEW config_summary OWNER TO api_views_owner;
+
diff --git a/views/035_rls-disable.sql b/views/035_rls-disable.sql
deleted file mode 100644
index 4dcd1564..00000000
--- a/views/035_rls-disable.sql
+++ /dev/null
@@ -1,8 +0,0 @@
-ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE components DISABLE ROW LEVEL SECURITY;
-
--- POLICIES
-DROP POLICY IF EXISTS config_items_auth ON config_items;
-
-DROP POLICY IF EXISTS components_auth ON components;
diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
new file mode 100644
index 00000000..1471a1a0
--- /dev/null
+++ b/views/035_rls_disable.sql
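Review bot: `CREATE ROLE IF NOT EXISTS` on the added CREATE ROLE line is not PostgreSQL syntax — Postgres' CREATE ROLE has no IF NOT EXISTS clause, and everything else in this file (DO $$ ... END $$, ARRAY[], NOBYPASSRLS, row level security) is Postgres — so the migration should fail to parse as written, which the `-- TODO: Don't create if exists` line seems to anticipate. The idempotent form is a DO block that checks pg_roles before creating the role, as below. Separately, GRANT SELECT ON ALL TABLES IN SCHEMA public only covers tables that exist when 002_seed.sql runs; if a later file creates a table that one of the re-owned views reads, that table needs its own grant (or ALTER DEFAULT PRIVILEGES) — I cannot see the other migrations, so confirm the ordering.
```sql
-- Role that owns the RLS-enforced views (NOBYPASSRLS so policies apply to it).
-- CREATE ROLE has no IF NOT EXISTS in PostgreSQL; guard via pg_roles instead.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'api_views_owner') THEN
        CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
    END IF;
END $$;

-- … unchanged: GRANT SELECT ON ALL TABLES IN SCHEMA public …
```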
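Review bot: The policy visible in the hunk context is scoped `TO postgrest_api, postgrest_anon`, but once these views are owned by api_views_owner PostgreSQL evaluates the underlying tables' RLS as the view owner, so that policy will not apply through the views and — unless policies for api_views_owner exist outside this hunk — RLS falls back to default-deny and the re-owned views return no rows. If the intent is to enforce the same agent_id filter through the views, the owner needs to be in the policy's role list, e.g. `FOR ALL TO postgrest_api, postgrest_anon, api_views_owner`. The `-- TODO: Add more` comment is load-bearing for security: any view left off this list keeps its creating role as owner, and if that role is the table owner or a superuser the RLS policies are bypassed for it, so it would help to say that in the comment. The CREATE POLICY statement that this context belongs to begins above the hunk.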
@@ -0,0 +1,16 @@
+ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
+
+ALTER TABLE components DISABLE ROW LEVEL SECURITY;
+
+-- POLICIES
+DROP POLICY IF EXISTS config_items_auth ON config_items;
+
+DROP POLICY IF EXISTS components_auth ON components;
+
+-- View owners
+ALTER VIEW config_detail OWNER TO current_user;
+ALTER VIEW config_summary OWNER TO current_user;
+ALTER VIEW config_labels OWNER TO current_user;
+ALTER VIEW config_names OWNER TO current_user;
+ALTER VIEW config_statuses OWNER TO current_user;
+
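Review bot: `OWNER TO current_user` on the five ALTER VIEW lines hands each view to whichever role happens to run this file, so if the disable script is executed by a different role than the one that originally created the views, ownership lands somewhere 034_rls_enable.sql did not anticipate and a later re-run of 034 depends on that role being allowed to reassign to api_views_owner. A comment stating the assumption would help, e.g. `-- Reverts 034: run as the role that owns the rest of the schema, since current_user becomes the new owner.` Nothing here revokes the SELECT grant that 002_seed.sql gives api_views_owner or drops the role; if that is intentional because the role is part of the seed, say so in the `-- View owners` comment.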