/* This SQL will run after all other queries. */
---- Grant CRUD access to the group ----

-- Baseline privilege for the per-database tenant role: read and write every
-- table that exists in `public` at the moment this statement runs. `on all
-- tables` is a snapshot, not a rule — tables created afterwards are not
-- covered, which is why this file runs after all other queries (see header).
-- The sensitive tables (tenants, systems, service_logs) are narrowed again in
-- the sections that follow.
-- NOTE(review): `${database}` is substituted into an identifier and therefore
-- cannot be bound as a query parameter; the value is presumably taken from
-- trusted deployment configuration rather than from user input — confirm
-- against the caller that performs the substitution.
grant
  select,
  insert,
  update,
  delete
  on all tables in schema public
  to logto_tenant_${database};
---- Security policies for tenants table ----

-- Step 1: take back the blanket CRUD grant from above for this table, so that
-- the rest of this section is an explicit allow-list instead of a subtraction.
revoke all privileges on table tenants from logto_tenant_${database};

-- Step 2: allow limited select to perform the RLS policy query in `after_each`
-- (using select ... from tenants ...). This is a column-level grant: only
-- these three columns are readable, the rest of the row stays hidden from the
-- tenant role.
grant select (id, db_user, is_suspended) on table tenants to logto_tenant_${database};

-- Step 3: switch on row-level security for the table. This is `enable`, not
-- `force`, so the table owner and superusers are not subject to the policy
-- below — it is meant for the tenant role only.
-- NOTE(review): presumably the tenant role never owns this table; confirm
-- where the tables are created.
alter table tenants enable row level security;

-- Step 4: RLS policy to minimize the privilege. A tenant role can only see the
-- tenants row whose db_user equals the connecting database user. There is no
-- `for` clause, so the policy applies to every command; combined with the
-- select-only grant above it is effectively a read filter.
create policy tenants_tenant_id
  on tenants
  using (db_user = current_user);
---- Revoke all privileges on systems table for tenant roles ----

-- The blanket grant in the first section also reached `systems`; undo it
-- completely for the tenant role (no select is granted back, unlike tenants).
-- NOTE(review): presumably `systems` holds instance-wide rather than
-- per-tenant data — confirm against the table definition.
revoke all privileges on table systems from logto_tenant_${database};
---- Revoke all privileges on service_logs table for tenant roles ----

-- Same treatment as `systems`: the tenant role loses every privilege it
-- received from the schema-wide grant, and nothing is granted back.
revoke all privileges on table service_logs from logto_tenant_${database};
---- Create policies to make internal roles read-only ----

/**
 * Note:
 *
 * Internal roles have scope preset and they are read-only, but we do not
 * limit user or application assignment since it's business logic.
 *
 * The policies below only take effect on tables that have row level security
 * enabled; this file enables it for `tenants` only, so `roles` and
 * `roles_scopes` are presumably switched on elsewhere — confirm in the table
 * definitions. Table owners and superusers are not subject to these policies
 * unless `force row level security` is set.
 */

-- Restrict direct role modification.
-- Reads stay unrestricted: every row of `roles` remains visible.
create policy roles_select
  on roles
  for select
  using (true);

-- Replace the write-side policy. With no `for` clause it applies to every
-- command, and with no `with check` clause the same expression is used both to
-- select the existing rows an update/delete may touch and to validate the new
-- row of an insert/update — so a row can neither be moved into nor out of the
-- `#internal:` name prefix.
-- NOTE(review): `drop policy` without `if exists` requires the policy to
-- already exist, presumably from the table definition; confirm if this file
-- is ever meant to run more than once.
drop policy roles_modification on roles;
create policy roles_modification
  on roles
  using (not starts_with(name, '#internal:'));

-- Restrict role - scope modification, mirroring the pattern above on the
-- join table. The subselect looks up the owning role's name; when it yields
-- NULL (no such role) the USING expression is NULL, which RLS treats as a
-- failed check, so the row is denied rather than allowed.
create policy roles_scopes_select
  on roles_scopes
  for select
  using (true);

drop policy roles_scopes_modification on roles_scopes;
create policy roles_scopes_modification
  on roles_scopes
  using (not starts_with((select roles.name from roles where roles.id = role_id), '#internal:'));

---- TODO: Make internal API Resources read-only ----