From 4ea3cc9c19038b80238f6ab488c699e36fdfc8ea Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 28 Oct 2024 17:14:53 +0545
Subject: [PATCH] view owner

---
 views/002_seed.sql        |  6 ++++++
 views/034_rls_enable.sql  |  8 ++++++++
 views/035_rls-disable.sql |  8 --------
 views/035_rls_disable.sql | 16 ++++++++++++++++
 4 files changed, 30 insertions(+), 8 deletions(-)
 delete mode 100644 views/035_rls-disable.sql
 create mode 100644 views/035_rls_disable.sql

diff --git a/views/002_seed.sql b/views/002_seed.sql
index f54e84fe..6872d7f2 100644
--- a/views/002_seed.sql
+++ b/views/002_seed.sql
@@ -24,3 +24,9 @@ BEGIN
             (5, 'Low', 'info', ARRAY['P4']);
    END IF;
 END $$;
+
+-- CREATE a ROLE that will own all views where we need to enforce RLS.
+-- TODO: Don't create if exists
+CREATE ROLE IF NOT EXISTS api_views_owner NOSUPERUSER NOBYPASSRLS;
+
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
index 8cfc02ca..f51c4f50 100644
--- a/views/034_rls_enable.sql
+++ b/views/034_rls_enable.sql
@@ -16,3 +16,11 @@ CREATE POLICY components_auth ON components
   FOR ALL TO postgrest_api, postgrest_anon
     USING (current_setting('request.jwt.claims', TRUE)::json ->> 'agent_id' = agent_id::text);
 
+-- View owners
+-- TODO: Add more
+ALTER VIEW config_detail OWNER TO api_views_owner;
+ALTER VIEW config_labels OWNER TO api_views_owner;
+ALTER VIEW config_names OWNER TO api_views_owner;
+ALTER VIEW config_statuses OWNER TO api_views_owner;
+ALTER VIEW config_summary OWNER TO api_views_owner;
+
diff --git a/views/035_rls-disable.sql b/views/035_rls-disable.sql
deleted file mode 100644
index 4dcd1564..00000000
--- a/views/035_rls-disable.sql
+++ /dev/null
@@ -1,8 +0,0 @@
-ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
-
-ALTER TABLE components DISABLE ROW LEVEL SECURITY;
-
--- POLICIES
-DROP POLICY IF EXISTS config_items_auth ON config_items;
-
-DROP POLICY IF EXISTS components_auth ON components;
diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
new file mode 100644
index 00000000..1471a1a0
--- /dev/null
+++ b/views/035_rls_disable.sql
@@ -0,0 +1,16 @@
+ALTER TABLE config_items DISABLE ROW LEVEL SECURITY;
+
+ALTER TABLE components DISABLE ROW LEVEL SECURITY;
+
+-- POLICIES
+DROP POLICY IF EXISTS config_items_auth ON config_items;
+
+DROP POLICY IF EXISTS components_auth ON components;
+
+-- View owners
+ALTER VIEW config_detail OWNER TO current_user;
+ALTER VIEW config_summary OWNER TO current_user;
+ALTER VIEW config_labels OWNER TO current_user;
+ALTER VIEW config_names OWNER TO current_user;
+ALTER VIEW config_statuses OWNER TO current_user;
+