Skip to content

Commit 57b50f9

Browse files
committed
Add grantee_permits_user sql function
This helps us consolidate common logic used across permission check queries. The resulting queries are cleaner and this also ensures grantee checks are consistent across permission queries.
1 parent b684222 commit 57b50f9

10 files changed

Lines changed: 75 additions & 171 deletions
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
SELECT drop_function('grantee_permits_user');
2+
3+
-- Returns TRUE when the grant's grantee covers `user_keycloak_user_id` —
4+
-- either because the grant is to all authenticated users, directly to that
5+
-- user, or to a user group the user currently belongs to.
6+
CREATE FUNCTION grantee_permits_user(
7+
grantee_type permission_grant_grantee_type_t,
8+
grantee_user_keycloak_user_id uuid,
9+
grantee_keycloak_organization_id uuid,
10+
user_keycloak_user_id uuid
11+
) RETURNS boolean AS $$
12+
SELECT grantee_type = 'authenticatedUsers'
13+
OR (
14+
grantee_type = 'user'
15+
AND grantee_user_keycloak_user_id
16+
= grantee_permits_user.user_keycloak_user_id
17+
)
18+
OR (
19+
grantee_type = 'userGroup'
20+
AND EXISTS (
21+
SELECT 1
22+
FROM ephemeral_user_group_associations euga
23+
WHERE euga.user_keycloak_user_id
24+
= grantee_permits_user.user_keycloak_user_id
25+
AND euga.user_group_keycloak_organization_id
26+
= grantee_permits_user.grantee_keycloak_organization_id
27+
AND NOT is_expired(euga.not_after)
28+
)
29+
);
30+
$$ LANGUAGE sql STABLE;

src/database/initialization/has_application_form_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -46,25 +46,11 @@ BEGIN
4646
AND scope_set_permits_scope(
4747
pg.scope, has_application_form_permission.scope
4848
)
49-
AND (
50-
pg.grantee_type = 'authenticatedUsers'
51-
OR (
52-
pg.grantee_type = 'user'
53-
AND pg.grantee_user_keycloak_user_id
54-
= has_application_form_permission.user_keycloak_user_id
55-
)
56-
OR (
57-
pg.grantee_type = 'userGroup'
58-
AND EXISTS (
59-
SELECT 1
60-
FROM ephemeral_user_group_associations euga
61-
WHERE euga.user_keycloak_user_id
62-
= has_application_form_permission.user_keycloak_user_id
63-
AND euga.user_group_keycloak_organization_id
64-
= pg.grantee_keycloak_organization_id
65-
AND NOT is_expired(euga.not_after)
66-
)
67-
)
49+
AND grantee_permits_user(
50+
pg.grantee_type,
51+
pg.grantee_user_keycloak_user_id,
52+
pg.grantee_keycloak_organization_id,
53+
has_application_form_permission.user_keycloak_user_id
6854
)
6955
) INTO has_permission;
7056

src/database/initialization/has_changemaker_field_value_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -57,25 +57,11 @@ BEGIN
5757
AND verb_set_permits_verb(
5858
pg.verbs, has_changemaker_field_value_permission.verb
5959
)
60-
AND (
61-
pg.grantee_type = 'authenticatedUsers'
62-
OR (
63-
pg.grantee_type = 'user'
64-
AND pg.grantee_user_keycloak_user_id
65-
= has_changemaker_field_value_permission.user_keycloak_user_id
66-
)
67-
OR (
68-
pg.grantee_type = 'userGroup'
69-
AND EXISTS (
70-
SELECT 1
71-
FROM ephemeral_user_group_associations euga
72-
WHERE euga.user_keycloak_user_id
73-
= has_changemaker_field_value_permission.user_keycloak_user_id
74-
AND euga.user_group_keycloak_organization_id
75-
= pg.grantee_keycloak_organization_id
76-
AND NOT is_expired(euga.not_after)
77-
)
78-
)
60+
AND grantee_permits_user(
61+
pg.grantee_type,
62+
pg.grantee_user_keycloak_user_id,
63+
pg.grantee_keycloak_organization_id,
64+
has_changemaker_field_value_permission.user_keycloak_user_id
7965
)
8066
) INTO has_permission;
8167

src/database/initialization/has_changemaker_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -29,25 +29,11 @@ BEGIN
2929
AND scope_set_permits_scope(
3030
pg.scope, has_changemaker_permission.scope
3131
)
32-
AND (
33-
pg.grantee_type = 'authenticatedUsers'
34-
OR (
35-
pg.grantee_type = 'user'
36-
AND pg.grantee_user_keycloak_user_id
37-
= has_changemaker_permission.user_keycloak_user_id
38-
)
39-
OR (
40-
pg.grantee_type = 'userGroup'
41-
AND EXISTS (
42-
SELECT 1
43-
FROM ephemeral_user_group_associations euga
44-
WHERE euga.user_keycloak_user_id
45-
= has_changemaker_permission.user_keycloak_user_id
46-
AND euga.user_group_keycloak_organization_id
47-
= pg.grantee_keycloak_organization_id
48-
AND NOT is_expired(euga.not_after)
49-
)
50-
)
32+
AND grantee_permits_user(
33+
pg.grantee_type,
34+
pg.grantee_user_keycloak_user_id,
35+
pg.grantee_keycloak_organization_id,
36+
has_changemaker_permission.user_keycloak_user_id
5137
)
5238
) INTO has_permission;
5339

src/database/initialization/has_data_provider_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -29,25 +29,11 @@ BEGIN
2929
AND scope_set_permits_scope(
3030
pg.scope, has_data_provider_permission.scope
3131
)
32-
AND (
33-
pg.grantee_type = 'authenticatedUsers'
34-
OR (
35-
pg.grantee_type = 'user'
36-
AND pg.grantee_user_keycloak_user_id
37-
= has_data_provider_permission.user_keycloak_user_id
38-
)
39-
OR (
40-
pg.grantee_type = 'userGroup'
41-
AND EXISTS (
42-
SELECT 1
43-
FROM ephemeral_user_group_associations euga
44-
WHERE euga.user_keycloak_user_id
45-
= has_data_provider_permission.user_keycloak_user_id
46-
AND euga.user_group_keycloak_organization_id
47-
= pg.grantee_keycloak_organization_id
48-
AND NOT is_expired(euga.not_after)
49-
)
50-
)
32+
AND grantee_permits_user(
33+
pg.grantee_type,
34+
pg.grantee_user_keycloak_user_id,
35+
pg.grantee_keycloak_organization_id,
36+
has_data_provider_permission.user_keycloak_user_id
5137
)
5238
) INTO has_permission;
5339

src/database/initialization/has_funder_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -29,25 +29,11 @@ BEGIN
2929
AND scope_set_permits_scope(
3030
pg.scope, has_funder_permission.scope
3131
)
32-
AND (
33-
pg.grantee_type = 'authenticatedUsers'
34-
OR (
35-
pg.grantee_type = 'user'
36-
AND pg.grantee_user_keycloak_user_id
37-
= has_funder_permission.user_keycloak_user_id
38-
)
39-
OR (
40-
pg.grantee_type = 'userGroup'
41-
AND EXISTS (
42-
SELECT 1
43-
FROM ephemeral_user_group_associations euga
44-
WHERE euga.user_keycloak_user_id
45-
= has_funder_permission.user_keycloak_user_id
46-
AND euga.user_group_keycloak_organization_id
47-
= pg.grantee_keycloak_organization_id
48-
AND NOT is_expired(euga.not_after)
49-
)
50-
)
32+
AND grantee_permits_user(
33+
pg.grantee_type,
34+
pg.grantee_user_keycloak_user_id,
35+
pg.grantee_keycloak_organization_id,
36+
has_funder_permission.user_keycloak_user_id
5137
)
5238
) INTO has_permission;
5339

src/database/initialization/has_opportunity_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -39,25 +39,11 @@ BEGIN
3939
AND scope_set_permits_scope(
4040
pg.scope, has_opportunity_permission.scope
4141
)
42-
AND (
43-
pg.grantee_type = 'authenticatedUsers'
44-
OR (
45-
pg.grantee_type = 'user'
46-
AND pg.grantee_user_keycloak_user_id
47-
= has_opportunity_permission.user_keycloak_user_id
48-
)
49-
OR (
50-
pg.grantee_type = 'userGroup'
51-
AND EXISTS (
52-
SELECT 1
53-
FROM ephemeral_user_group_associations euga
54-
WHERE euga.user_keycloak_user_id
55-
= has_opportunity_permission.user_keycloak_user_id
56-
AND euga.user_group_keycloak_organization_id
57-
= pg.grantee_keycloak_organization_id
58-
AND NOT is_expired(euga.not_after)
59-
)
60-
)
42+
AND grantee_permits_user(
43+
pg.grantee_type,
44+
pg.grantee_user_keycloak_user_id,
45+
pg.grantee_keycloak_organization_id,
46+
has_opportunity_permission.user_keycloak_user_id
6147
)
6248
) INTO has_permission;
6349

src/database/initialization/has_proposal_field_value_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -78,25 +78,11 @@ BEGIN
7878
AND verb_set_permits_verb(
7979
pg.verbs, has_proposal_field_value_permission.verb
8080
)
81-
AND (
82-
pg.grantee_type = 'authenticatedUsers'
83-
OR (
84-
pg.grantee_type = 'user'
85-
AND pg.grantee_user_keycloak_user_id
86-
= has_proposal_field_value_permission.user_keycloak_user_id
87-
)
88-
OR (
89-
pg.grantee_type = 'userGroup'
90-
AND EXISTS (
91-
SELECT 1
92-
FROM ephemeral_user_group_associations euga
93-
WHERE euga.user_keycloak_user_id
94-
= has_proposal_field_value_permission.user_keycloak_user_id
95-
AND euga.user_group_keycloak_organization_id
96-
= pg.grantee_keycloak_organization_id
97-
AND NOT is_expired(euga.not_after)
98-
)
99-
)
81+
AND grantee_permits_user(
82+
pg.grantee_type,
83+
pg.grantee_user_keycloak_user_id,
84+
pg.grantee_keycloak_organization_id,
85+
has_proposal_field_value_permission.user_keycloak_user_id
10086
)
10187
AND (
10288
pg.conditions IS NULL

src/database/initialization/has_proposal_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -51,25 +51,11 @@ BEGIN
5151
AND verb_set_permits_verb(
5252
pg.verbs, has_proposal_permission.verb
5353
)
54-
AND (
55-
pg.grantee_type = 'authenticatedUsers'
56-
OR (
57-
pg.grantee_type = 'user'
58-
AND pg.grantee_user_keycloak_user_id
59-
= has_proposal_permission.user_keycloak_user_id
60-
)
61-
OR (
62-
pg.grantee_type = 'userGroup'
63-
AND EXISTS (
64-
SELECT 1
65-
FROM ephemeral_user_group_associations euga
66-
WHERE euga.user_keycloak_user_id
67-
= has_proposal_permission.user_keycloak_user_id
68-
AND euga.user_group_keycloak_organization_id
69-
= pg.grantee_keycloak_organization_id
70-
AND NOT is_expired(euga.not_after)
71-
)
72-
)
54+
AND grantee_permits_user(
55+
pg.grantee_type,
56+
pg.grantee_user_keycloak_user_id,
57+
pg.grantee_keycloak_organization_id,
58+
has_proposal_permission.user_keycloak_user_id
7359
)
7460
) INTO has_permission;
7561

src/database/initialization/has_source_permission.sql

Lines changed: 5 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -51,25 +51,11 @@ BEGIN
5151
AND scope_set_permits_scope(
5252
pg.scope, has_source_permission.scope
5353
)
54-
AND (
55-
pg.grantee_type = 'authenticatedUsers'
56-
OR (
57-
pg.grantee_type = 'user'
58-
AND pg.grantee_user_keycloak_user_id
59-
= has_source_permission.user_keycloak_user_id
60-
)
61-
OR (
62-
pg.grantee_type = 'userGroup'
63-
AND EXISTS (
64-
SELECT 1
65-
FROM ephemeral_user_group_associations euga
66-
WHERE euga.user_keycloak_user_id
67-
= has_source_permission.user_keycloak_user_id
68-
AND euga.user_group_keycloak_organization_id
69-
= pg.grantee_keycloak_organization_id
70-
AND NOT is_expired(euga.not_after)
71-
)
72-
)
54+
AND grantee_permits_user(
55+
pg.grantee_type,
56+
pg.grantee_user_keycloak_user_id,
57+
pg.grantee_keycloak_organization_id,
58+
has_source_permission.user_keycloak_user_id
7359
)
7460
) INTO has_permission;
7561

0 commit comments

Comments
 (0)