Conditional grants

[pixelspark]

In the grants table, add an expression column that optionally contains an expression that restricts any action performed using the grant, so you can:

• Grant a user to only DELETE/UPDATE rows that adhere to a condition (when the grant is used to perform a DELETE/UPDATE query, the restricting expression should be ANDed to the original WHERE statement)
• Grant a user the right to only INSERT rows with certain values
• Grant a user to only CREATE tables with a certain name

The expression should be able to contain special variables to check certain things, e.g.:

• $invoker: the public key of the user invoking the transaction. A grant with expression "$invoker=owner" would only allow modifications to rows that have the public key of the invoker in the 'owner' column. This could be made more complex, e.g. (CASE WHEN $owner=x THEN ... WHEN $owner=y THEN ... ELSE 0 END).
• $index: the index of the block this transaction is part of (useful for allowing transactions only after a certain amount of time)

[pixelspark]

See also #8, the expression could be a hash of an allowed statement template instead.

[pixelspark]

Needs top-level 'CASE WHEN' support, e.g.:

CASE WHEN (?amount > 0) AND (?from <> ?to) THEN 
UPDATE balances SET balance = balance + (CASE WHEN account = ?from THEN -amount ELSE amount END) WHERE account = ?from OR account = ?to
ELSE FAIL END;

(Note the above does not check whether the from account has the required funds; it only guarantees that the total amount of funds is constant over the execution of this query as long as account is a unique key for the table).