W.I.P

FUNCTIONS/api/create_user.sql

@@ -1,12 +1,24 @@
 CREATE OR REPLACE FUNCTION api.create_user(username text)
 RETURNS bigint
-LANGUAGE sql
+LANGUAGE plpgsql
 SECURITY DEFINER
 SET search_path TO public, pg_temp
 AS $$
+DECLARE
+_user_id bigint;
+BEGIN
 INSERT INTO users
   (username, parent_user_id)
 VALUES
   (username, user_id())
 RETURNING user_id
+INTO STRICT _user_id;
+
+PERFORM api.grant_role_to_user(
+  role_id := (SELECT role_id FROM roles WHERE role_name = 'signed-in'),
+  user_id := _user_id
+);
+
+RETURN _user_id;
+END
 $$;

FUNCTIONS/api/grant_role_to_user.sql

@@ -7,7 +7,7 @@ LANGUAGE sql
 SECURITY DEFINER
 SET search_path TO public, pg_temp
 AS $$
-INSERT INTO user_roles
+INSERT INTO role_memberships
   (user_id, role_id)
 VALUES
   (user_id, role_id)

FUNCTIONS/api/sign_up.sql

@@ -7,12 +7,8 @@ AS $$
 DECLARE
 _user_id bigint;
 BEGIN
-INSERT INTO users
-  (username)
-VALUES
-  (username)
-RETURNING user_id
-INTO STRICT _user_id;
+
+_user_id := api.create_user(username);
 
 --
 -- The first user who signs-up
@@ -32,5 +28,5 @@ IF _user_id = 2 THEN
 END IF;
 
 RETURN issue_access_token(_user_id);
-END;
+END
 $$;

FUNCTIONS/api/store_credential.sql

@@ -57,5 +57,5 @@ END IF;
 -- tell the user the credential has to be marked as valid
 -- before it can be used to sign-in
 RETURN FALSE;
-END;
+END
 $$;

FUNCTIONS/api/update_credential_validity.sql

@@ -8,30 +8,25 @@ SECURITY DEFINER
 SET search_path TO public, pg_temp
 AS $$
 DECLARE
-_credential_id constant bigint := update_credential_validity.credential_id;
-_valid constant boolean := update_credential_validity.valid;
-_user_id constant bigint := user_id();
 _ok boolean;
 BEGIN
-IF _user_id IS NULL THEN
-  RAISE EXCEPTION 'not logged in';
-END IF;
 
-IF (
-  SELECT users.super_user OR credentials.user_id = _user_id
-  FROM users
-  CROSS JOIN credentials
-  WHERE users.user_id = _user_id
-  AND credentials.credential_id = _credential_id
-) THEN
+IF EXISTS (
+  SELECT 1
+  FROM credentials
+  WHERE credentials.credential_id = update_credential_validity.credential_id
+  AND credentials.user_id = user_id()
+)
+OR has_role('admin')
+THEN
   UPDATE credentials
-  SET valid = _valid
-  WHERE credentials.credential_id = _credential_id
+  SET valid = update_credential_validity.valid
+  WHERE credentials.credential_id = update_credential_validity.credential_id
   RETURNING TRUE
   INTO STRICT _ok;
 END IF;
 
 RETURN _ok;
 
-END;
+END
 $$;

FUNCTIONS/auth.sql

@@ -15,5 +15,5 @@ IF NOT check_resource_access(_resource_id) THEN
   RAISE insufficient_privilege;
 END IF;
 RETURN;
-END;
+END
 $$;

FUNCTIONS/check_resource_access.sql

@@ -7,9 +7,9 @@ SET search_path TO public, pg_temp
 AS $$
 SELECT EXISTS (
   SELECT 1
-  FROM user_roles
-  JOIN permissions ON permissions.role_id = user_roles.role_id
-  WHERE user_roles.user_id = user_id()
+  FROM role_memberships
+  JOIN permissions ON permissions.role_id = role_memberships.role_id
+  WHERE role_memberships.user_id = user_id()
   AND permissions.resource_id = _resource_id
 )
 $$;

FUNCTIONS/has_role.sql

@@ -0,0 +1,16 @@
+CREATE OR REPLACE FUNCTION has_role(role_name text)
+RETURNS boolean
+STABLE
+LANGUAGE sql
+SECURITY DEFINER
+SET search_path TO public, pg_temp
+AS $$
+SELECT EXISTS (
+  SELECT 1
+  FROM role_memberships
+  JOIN roles
+    ON roles.role_id = role_memberships.role_id
+  WHERE role_memberships.user_id = user_id()
+  AND roles.role_name = has_role.role_name
+)
+$$;

FUNCTIONS/register_resource.sql

@@ -41,5 +41,5 @@ INTO STRICT _resource_id;
 
 RETURN _resource_id;
 
-END;
+END
 $$;

Makefile

@@ -20,18 +20,22 @@ SQL_SRC = \
   TABLES/settings.sql \
   TABLES/users.sql \
 	TABLES/credentials.sql \
-	TABLES/user_roles.sql \
+	TABLES/role_memberships.sql \
 	TABLES/access_tokens.sql \
 	FUNCTIONS/check_resource_access.sql \
   FUNCTIONS/auth.sql \
 	FUNCTIONS/user_id.sql \
+	FUNCTIONS/has_role.sql \
 	VIEWS/api/users.sql \
 	VIEWS/api/current_user.sql \
 	VIEWS/api/resources.sql \
 	VIEWS/api/roles.sql \
-	VIEWS/api/user_roles.sql \
+	VIEWS/api/user_credentials.sql \
+	VIEWS/api/user_resources.sql \
+	VIEWS/api/user_role_memberships.sql \
 	VIEWS/api/permissions.sql \
 	VIEWS/api/credentials.sql \
+	VIEWS/api/role_memberships.sql \
 	FUNCTIONS/register_resource.sql \
 	FUNCTIONS/issue_access_token.sql \
 	FUNCTIONS/api/init_credential.sql \
@@ -58,18 +62,22 @@ SQL_SRC = \
   TABLES/resources.sql \
   TABLES/permissions.sql \
 	TABLES/credentials.sql \
-	TABLES/user_roles.sql \
+	TABLES/role_memberships.sql \
 	VIEWS/api/users.sql \
 	VIEWS/api/current_user.sql \
 	VIEWS/api/users.sql \
 	VIEWS/api/resources.sql \
 	VIEWS/api/roles.sql \
-	VIEWS/api/user_roles.sql \
+	VIEWS/api/user_credentials.sql \
+	VIEWS/api/user_resources.sql \
+	VIEWS/api/user_role_memberships.sql \
 	VIEWS/api/permissions.sql \
 	VIEWS/api/credentials.sql \
+	VIEWS/api/role_memberships.sql \
 	FUNCTIONS/register_resource.sql \
 	FUNCTIONS/check_resource_access.sql \
   FUNCTIONS/auth.sql \
+	FUNCTIONS/has_role.sql \
  	FUNCTIONS/api/sign_in.sql \
  	FUNCTIONS/api/sign_up.sql \
 	FUNCTIONS/api/create_role.sql \

TABLES/permissions.sql

@@ -1,7 +1,9 @@
 CREATE TABLE permissions (
+permission_id integer NOT NULL GENERATED ALWAYS AS IDENTITY,
 role_id integer NOT NULL REFERENCES roles,
 resource_id integer NOT NULL REFERENCES resources,
-PRIMARY KEY (role_id, resource_id)
+PRIMARY KEY (permission_id),
+UNIQUE (role_id, resource_id)
 );
 
 SELECT pg_catalog.pg_extension_config_dump('permissions', '');

TABLES/role_memberships.sql

@@ -0,0 +1,9 @@
+CREATE TABLE role_memberships (
+role_membership_id bigint NOT NULL GENERATED ALWAYS AS IDENTITY,
+user_id bigint NOT NULL REFERENCES users,
+role_id integer NOT NULL REFERENCES roles,
+PRIMARY KEY (role_membership_id),
+UNIQUE (user_id, role_id)
+);
+
+SELECT pg_catalog.pg_extension_config_dump('role_memberships', '');

VIEWS/api/credentials.sql

@@ -1,11 +1,7 @@
-CREATE OR REPLACE VIEW api.credentials WITH (security_barrier) AS
+CREATE OR REPLACE VIEW api.credentials AS
 SELECT
-credentials.credential_id,
-credentials.device_name,
-users.username,
-credentials.user_id,
-credentials.valid
-FROM credentials
-JOIN users
-  ON users.user_id = credentials.user_id
-WHERE credentials.user_id = user_id();
+credential_id,
+device_name,
+user_id,
+valid
+FROM credentials;

VIEWS/api/permissions.sql

@@ -1,5 +1,6 @@
 CREATE OR REPLACE VIEW api.permissions AS
 SELECT
+permissions.permission_id,
 roles.role_name,
 resources.resource_name
 FROM permissions

VIEWS/api/resources.sql

@@ -1,8 +1,7 @@
-CREATE OR REPLACE VIEW api.resources WITH (security_barrier) AS
+CREATE OR REPLACE VIEW api.resources AS
 SELECT
 resource_id,
 resource_type,
 resource_name,
 resource_path
-FROM resources
-WHERE check_resource_access(resource_id);
+FROM resources;

VIEWS/api/role_memberships.sql

@@ -0,0 +1,8 @@
+CREATE OR REPLACE VIEW api.role_memberships AS
+SELECT
+role_memberships.role_membership_id,
+role_memberships.user_id,
+roles.role_name
+FROM role_memberships
+JOIN roles
+  ON roles.role_id = role_memberships.role_id;

VIEWS/api/user_credentials.sql

@@ -0,0 +1,7 @@
+CREATE OR REPLACE VIEW api.user_credentials WITH (security_barrier) AS
+SELECT
+credential_id,
+device_name,
+valid
+FROM credentials
+WHERE user_id = user_id();

VIEWS/api/user_resources.sql

@@ -0,0 +1,8 @@
+CREATE OR REPLACE VIEW api.user_resources WITH (security_barrier) AS
+SELECT
+resource_id,
+resource_type,
+resource_name,
+resource_path
+FROM resources
+WHERE check_resource_access(resource_id);

VIEWS/api/user_role_memberships.sql

@@ -0,0 +1,7 @@
+CREATE OR REPLACE VIEW api.user_role_memberships AS
+SELECT
+roles.role_name
+FROM role_memberships
+JOIN roles
+  ON roles.role_id = role_memberships.role_id
+WHERE role_memberships.user_id = user_id();