Move to new privileges - started now.

This commit is contained in:
Andrew McMillan 2009-10-17 17:59:53 +13:00
parent d0c23e594d
commit 2ca3ae7d44
9 changed files with 82 additions and 20 deletions

View File

@ -42,7 +42,6 @@ GRANT SELECT,UPDATE
ON usr_user_no_seq
ON roles_role_no_seq
ON session_session_id_seq
ON principal_principal_id_seq
ON principal_type_principal_type_id_seq
ON sync_tokens_sync_token_seq

View File

@ -20,13 +20,13 @@ SELECT setval('usr_user_no_seq', (SELECT 1000 UNION SELECT user_no FROM usr ORDE
INSERT INTO relationship_type ( rt_id, rt_name, confers, bit_confers )
VALUES( 1, 'Administers', 'A', privilege_to_bits('DAV::all') );
INSERT INTO relationship_type ( rt_id, rt_name, confers )
INSERT INTO relationship_type ( rt_id, rt_name, confers, bit_confers )
VALUES( 2, 'Can read/write to', 'RW', privilege_to_bits( ARRAY['DAV::read','DAV::write']) );
INSERT INTO relationship_type ( rt_id, rt_name, confers )
INSERT INTO relationship_type ( rt_id, rt_name, confers, bit_confers )
VALUES( 3, 'Can read from', 'R', privilege_to_bits( 'DAV::read') );
INSERT INTO relationship_type ( rt_id, rt_name, confers )
INSERT INTO relationship_type ( rt_id, rt_name, confers, bit_confers )
VALUES( 4, 'Can see free/busy time of', 'F', privilege_to_bits( 'caldav:read-free-busy') );
INSERT INTO principal_type (principal_type_id, principal_type_desc) VALUES( 1, 'Person' );

View File

@ -246,7 +246,7 @@ CREATE or REPLACE FUNCTION usr_is_role( INT, TEXT ) RETURNS BOOLEAN AS $$
SELECT EXISTS( SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_member.user_no=$1 AND roles.role_name=$2 )
$$ LANGUAGE 'sql' IMMUTABLE STRICT;
CREATE or REPLACE FUNCTION get_permissions( INT, INT ) RETURNS TEXT AS $$
CREATE or REPLACE FUNCTION legacy_get_permissions( INT, INT ) RETURNS TEXT AS $$
DECLARE
in_from ALIAS FOR $1;
in_to ALIAS FOR $2;

View File

@ -38,6 +38,31 @@ END
$$
LANGUAGE 'PlPgSQL' IMMUTABLE STRICT;
-- Given an array of verbose DAV: or CalDAV: privilege names return the bitmask
CREATE or REPLACE FUNCTION privilege_to_bits( TEXT[] ) RETURNS BIT(24) AS $$
DECLARE
raw_privs ALIAS FOR $1;
in_priv TEXT;
out_bits BIT(24);
i INT;
all BIT(24);
start INT;
finish INT;
BEGIN
out_bits := 0::BIT(24);
all := ~ out_bits;
SELECT array_lower(raw_privs,1) INTO start;
SELECT array_upper(raw_privs,1) INTO finish;
FOR i IN start .. finish LOOP
SELECT out_bits | privilege_to_bits(raw_privs[i]) INTO out_bits;
IF out_bits = all THEN
RETURN all;
END IF;
END LOOP;
RETURN out_bits;
END
$$
LANGUAGE 'PlPgSQL' IMMUTABLE STRICT;
-- This sequence is used in a number of places so that any DAV resource will have a unique ID
@ -139,7 +164,7 @@ CREATE TABLE relationship_type (
rt_togroup BOOLEAN,
confers TEXT DEFAULT 'RW',
rt_fromgroup BOOLEAN,
bit_confers BIT(24) DEFAULT legacy_privilege_to_bits('RW')
bit_confers BIT(24) DEFAULT privilege_to_bits(ARRAY['DAV::read','DAV::write'])
);
@ -147,7 +172,7 @@ CREATE TABLE relationship (
from_user INT REFERENCES usr (user_no) ON UPDATE CASCADE ON DELETE CASCADE,
to_user INT REFERENCES usr (user_no) ON UPDATE CASCADE ON DELETE CASCADE,
rt_id INT REFERENCES relationship_type (rt_id) ON UPDATE CASCADE ON DELETE CASCADE,
bit_confers BIT(24) DEFAULT legacy_privilege_to_bits('RW'),
confers BIT(24) DEFAULT privilege_to_bits(ARRAY['DAV::read','DAV::write']),
PRIMARY KEY ( from_user, to_user, rt_id )
);
@ -230,9 +255,8 @@ CREATE TABLE principal_type (
-- web needs SELECT,INSERT,UPDATE,DELETE
DROP TABLE principal CASCADE;
CREATE TABLE principal (
principal_id DEFAULT nextval('dav_id_seq') PRIMARY KEY,
principal_id INT8 DEFAULT nextval('dav_id_seq') PRIMARY KEY,
type_id INT8 NOT NULL REFERENCES principal_type(principal_type_id) ON UPDATE CASCADE ON DELETE RESTRICT DEFERRABLE,
user_no INT8 NULL REFERENCES usr(user_no) ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE,
displayname TEXT,

View File

@ -498,7 +498,7 @@ ALTER TABLE relationship_type ADD COLUMN bit_confers BIT(24) DEFAULT privilege_t
UPDATE relationship_type SET bit_confers = legacy_privilege_to_bits(confers);
ALTER TABLE relationship ADD COLUMN confers BIT(24) DEFAULT privilege_to_bits('caldav:read-free-busy');
UPDATE relationship r SET confers = bit_confers FROM relationship_type rt WHERE rt.rt_id=r.rt_id;
UPDATE relationship r SET confers = (SELECT bit_confers FROM relationship_type rt WHERE rt.rt_id=r.rt_id);
ALTER TABLE collection ADD COLUMN default_privileges BIT(24) DEFAULT privilege_to_bits('caldav:read-free-busy');
@ -509,7 +509,7 @@ INSERT INTO principal_type (principal_type_id, principal_type_desc) VALUES( 3, '
-- web needs SELECT,INSERT,UPDATE,DELETE
DROP TABLE principal CASCADE;
CREATE TABLE principal (
principal_id DEFAULT nextval('dav_id_seq') PRIMARY KEY,
principal_id INT8 DEFAULT nextval('dav_id_seq') PRIMARY KEY,
type_id INT8 NOT NULL REFERENCES principal_type(principal_type_id) ON UPDATE CASCADE ON DELETE RESTRICT DEFERRABLE,
user_no INT8 NULL REFERENCES usr(user_no) ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE,
displayname TEXT,

View File

@ -28,8 +28,10 @@ INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullna
INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
VALUES( 100, TRUE, current_date, current_date, 'resource1', '*salt*unpossible', 'Resource 1', 'resource1@example.net' );
INSERT INTO role_member (user_no, role_no) VALUES( 100, 3);
INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
VALUES( 101, TRUE, current_date, current_date, 'resource2', '*salt*unpossible', 'Resource 2', 'resource2@example.net' );
INSERT INTO role_member (user_no, role_no) VALUES( 101, 3);
INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
VALUES( 200, TRUE, current_date, current_date, 'resmgr1', '*salt*unpossible', 'Resource Managers', 'resource-managers@example.net' );
@ -45,10 +47,24 @@ UPDATE usr SET joined = '2009-06-01', updated = '2009-06-02';
INSERT INTO collection (user_no, parent_container, dav_name, dav_etag,
dav_displayname, is_calendar, created, modified,
public_events_only, publicly_readable, collection_id)
public_events_only, publicly_readable, collection_id, resourcetypes )
SELECT user_no, '/' || username || '/', '/' || username || '/home/', md5(username),
username || ' home', TRUE, '2009-06-03', '2009-06-04',
FALSE, FALSE, user_no FROM usr;
FALSE, FALSE, user_no, '<DAV::collection/><urn:ietf:params:xml:ns:caldav:calendar/>'
FROM usr;
INSERT INTO principal (type_id, user_no, displayname, active, default_privileges)
SELECT 1, user_no, fullname, active, privilege_to_bits(ARRAY['read-free-busy','schedule-send','schedule-deliver']) FROM usr
WHERE NOT EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Group' AND role_member.user_no = usr.user_no)
AND NOT EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Resource' AND role_member.user_no = usr.user_no) ;
INSERT INTO principal (type_id, user_no, displayname, active, default_privileges)
SELECT 2, user_no, fullname, active, privilege_to_bits(ARRAY['read','schedule-send','schedule-deliver']) FROM usr
WHERE EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Resource' AND role_member.user_no = usr.user_no);
INSERT INTO principal (type_id, user_no, displayname, active, default_privileges)
SELECT 3, user_no, fullname, active, privilege_to_bits(ARRAY['read-free-busy','schedule-send','schedule-deliver']) FROM usr
WHERE EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Group' AND role_member.user_no = usr.user_no);
SELECT setval('dav_id_seq', 1000);
@ -68,11 +84,32 @@ INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30, 200, 1 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30, 20, 2 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30, 10, 2 );
-- Between a team
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 20, 300, 3 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 10, 300, 3 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30, 300, 3 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 300, 20, 3 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 300, 10, 3 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 300, 30, 3 );
-- Granting explicit free/busy permission
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 11, 10, 4 );
INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 10, 11, 4 );
UPDATE relationship r SET confers = (SELECT bit_confers FROM relationship_type rt WHERE rt.rt_id=r.rt_id);
INSERT INTO group_member ( group_id, member_id)
SELECT g.principal_id, m.principal_id
FROM relationship JOIN principal g ON(to_user=g.user_no AND g.type_id = 3) -- Group
JOIN principal m ON(from_user=m.user_no AND m.type_id = 1); -- Person
INSERT INTO grants ( by_principal, dav_name, to_principal, privileges, is_group )
SELECT pby.principal_id AS by_principal, '/' ||t.username||'/' AS dav_name, pto.principal_id AS to_principal,
confers AS privileges, pto.type_id > 2 AS is_group
FROM relationship r JOIN usr f ON(f.user_no=r.from_user)
JOIN usr t ON(t.user_no=r.to_user)
JOIN principal pby ON(t.user_no=pby.user_no)
JOIN principal pto ON(pto.user_no=f.user_no)
WHERE rt_id < 4 AND pby.type_id < 3;

View File

@ -1,8 +1,8 @@
HTTP/1.1 207 Multi-Status
Date: Dow, 01 Jan 2000 00:00:00 GMT
DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule, extended-mkcol
ETag: "432aa6b31d8dbe82651aef6bac55ea55"
Content-Length: 3515
ETag: "cc705bcb25130c21378d93e32747c072"
Content-Length: 3601
Content-Type: text/xml; charset="utf-8"
<?xml version="1.0" encoding="utf-8" ?>
@ -75,6 +75,7 @@ Content-Type: text/xml; charset="utf-8"
</C:calendar-proxy-read-for>
<group-member-set>
<href>/caldav.php/user1/</href>
<href>/caldav.php/teamclient1/</href>
</group-member-set>
<group-membership>
<href>/caldav.php/teamclient1/</href>
@ -82,9 +83,10 @@ Content-Type: text/xml; charset="utf-8"
<href>/caldav.php/assistant1/calendar-proxy-read/</href>
</group-membership>
<displayname>/manager1/calendar-proxy-read/</displayname>
<C:getctag>"d6996992ae401eb02ed8fed0bfb22895"</C:getctag>
<C:getctag>"81833b8410a85c2e86dd32ae4470e72b"</C:getctag>
<group-member-set>
<href>/caldav.php/user1/</href>
<href>/caldav.php/teamclient1/</href>
</group-member-set>
</prop>
<status>HTTP/1.1 200 OK</status>

View File

@ -1,7 +1,7 @@
HTTP/1.1 207 Multi-Status
Date: Dow, 01 Jan 2000 00:00:00 GMT
DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule, extended-mkcol
ETag: "67c73d7155944138de99f14a0872e727"
ETag: "5771fd61ef8348f364c7fc69c578028a"
Transfer-Encoding: chunked
Content-Type: text/xml; charset="utf-8"
@ -285,7 +285,7 @@ Content-Type: text/xml; charset="utf-8"
<C:calendar-proxy-read/>
</resourcetype>
<displayname>/user1/calendar-proxy-read/</displayname>
<C:getctag>"3646538a5bdbcc9a144ee36f36000214"</C:getctag>
<C:getctag>"c26fa324d66fa84a0da8e1ec8c4566fd"</C:getctag>
<current-user-privilege-set>
<privilege>
<all/>

View File

@ -1,7 +1,7 @@
HTTP/1.1 207 Multi-Status
Date: Dow, 01 Jan 2000 00:00:00 GMT
DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule, extended-mkcol
ETag: "67c73d7155944138de99f14a0872e727"
ETag: "5771fd61ef8348f364c7fc69c578028a"
Transfer-Encoding: chunked
Content-Type: text/xml; charset="utf-8"
@ -285,7 +285,7 @@ Content-Type: text/xml; charset="utf-8"
<C:calendar-proxy-read/>
</resourcetype>
<displayname>/user1/calendar-proxy-read/</displayname>
<C:getctag>"3646538a5bdbcc9a144ee36f36000214"</C:getctag>
<C:getctag>"c26fa324d66fa84a0da8e1ec8c4566fd"</C:getctag>
<current-user-privilege-set>
<privilege>
<all/>