cartodb-postgresql/scripts-available/CDB_Groups.sql

----------------------------------
-- GROUP MANAGEMENT FUNCTIONS
--
-- Meant to be used by org admin. See CDB_Organization_AddAdmin.
----------------------------------

-- Creates a new group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_CreateGroup(group_name text)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE format('CREATE ROLE %I NOLOGIN;', group_role);
    PERFORM cartodb._CDB_Group_CreateGroup_API(group_name, group_role);
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Drops group and everything that role owns
-- TODO: LIMITATION: in order to drop a role all its owned objects must be dropped before.
-- Right now this is done with DROP OWNED, which can only be done by a superadmin.
-- Not even the role creator can drop the role and the objects it owns.
-- All group owned objects by the group are permissions.
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_DropGroup(group_name text)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE format('DROP OWNED BY %I', group_role);
    EXECUTE format('DROP ROLE IF EXISTS %I', group_role);
    PERFORM cartodb._CDB_Group_DropGroup_API(group_name);
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Renames a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_RenameGroup(old_group_name text, new_group_name text)
    RETURNS VOID AS $$
DECLARE
    old_group_role TEXT;
    new_group_role TEXT;
BEGIN
    old_group_role = cartodb._CDB_Group_GroupRole(old_group_name);
    new_group_role = cartodb._CDB_Group_GroupRole(new_group_name);
    EXECUTE format('ALTER ROLE %I RENAME TO %I', old_group_role, new_group_role);
    PERFORM cartodb._CDB_Group_RenameGroup_API(old_group_name, new_group_name, new_group_role);
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Adds users to a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_AddUsers(group_name text, usernames text[])
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
    user_role TEXT;
    username TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    foreach username in array usernames
    loop
      user_role := cartodb._CDB_User_RoleFromUsername(username);
      IF(group_role IS NULL OR user_role IS NULL)
      THEN
        RAISE EXCEPTION 'Group role (%) and user role (%) must be already existing', group_role, user_role;
      END IF;
      EXECUTE format('GRANT %I TO %I', group_role, user_role);
    end loop;
    PERFORM cartodb._CDB_Group_AddUsers_API(group_name, usernames);
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Removes users from a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_RemoveUsers(group_name text, usernames text[])
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
    user_role TEXT;
    username TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    foreach username in array usernames
    loop
      user_role := cartodb._CDB_User_RoleFromUsername(username);
      EXECUTE format('REVOKE %I FROM %I', group_role, user_role);
    end loop;
    PERFORM cartodb._CDB_Group_RemoveUsers_API(group_name, usernames);
END
$$ LANGUAGE PLPGSQL VOLATILE;

----------------------------------
-- TABLE MANAGEMENT FUNCTIONS
--
-- Meant to be used by table owners.
----------------------------------

-- Grants table read permission to a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_Table_GrantRead(group_name text, username text, table_name text)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    PERFORM cartodb._CDB_Group_Table_GrantRead(group_name, username, table_name, true);
END
$$ LANGUAGE PLPGSQL VOLATILE;

CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_Table_GrantRead(group_name text, username text, table_name text, sync boolean)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', username, group_role);
    EXECUTE format('GRANT SELECT ON TABLE %I.%I TO %I', username, table_name, group_role );
    IF(sync) THEN
      PERFORM cartodb._CDB_Group_Table_GrantPermission_API(group_name, username, table_name, 'r');
    END IF;
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Grants table write permission to a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    PERFORM cartodb._CDB_Group_Table_GrantReadWrite(group_name, username, table_name, true);
END
$$ LANGUAGE PLPGSQL VOLATILE;

CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text, sync boolean)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', username, group_role);
    EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE %I.%I TO %I', username, table_name, group_role);
    PERFORM cartodb._CDB_Group_TableSequences_Permission(group_name, username, table_name, true);
    IF(sync) THEN
      PERFORM cartodb._CDB_Group_Table_GrantPermission_API(group_name, username, table_name, 'w');
    END IF;
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Granting and revoking permissions on sequences
CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_TableSequences_Permission(group_name text, username text, table_name text, do_grant bool)
    RETURNS VOID AS $$
DECLARE
    column_name TEXT;
    sequence_name TEXT;
    group_role TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    FOR column_name IN EXECUTE 'SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_CATALOG = current_database() AND TABLE_SCHEMA = $1 AND TABLE_NAME = $2 AND COLUMN_DEFAULT LIKE ''nextval%''' USING username, table_name
    LOOP
        EXECUTE format('SELECT PG_GET_SERIAL_SEQUENCE(''%I.%I'', ''%I'')', username, table_name, column_name) INTO sequence_name;
        IF sequence_name IS NOT NULL THEN
          IF do_grant THEN
            -- Here %s is needed since sequence_name has quotes
            EXECUTE format('GRANT USAGE, SELECT, UPDATE ON SEQUENCE %s TO %I', sequence_name, group_role);
          ELSE
            EXECUTE format('REVOKE ALL ON SEQUENCE %s FROM %I', sequence_name, group_role);
          END IF;
        END IF;
    END LOOP;
    RETURN;
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Revokes all permissions on a table from a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_Table_RevokeAll(group_name text, username text, table_name text)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    PERFORM cartodb._CDB_Group_Table_RevokeAll(group_name, username, table_name, true);
END
$$ LANGUAGE PLPGSQL VOLATILE;

CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_Table_RevokeAll(group_name text, username text, table_name text, sync boolean)
    RETURNS VOID AS $$
DECLARE
    group_role TEXT;
BEGIN
    group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE format('REVOKE ALL ON TABLE %I.%I FROM %I', username, table_name, group_role);
    PERFORM cartodb._CDB_Group_TableSequences_Permission(group_name, username, table_name, false);
    IF(sync) THEN
      PERFORM cartodb._CDB_Group_Table_RevokeAllPermission_API(group_name, username, table_name);
    END IF;
END
$$ LANGUAGE PLPGSQL VOLATILE;

-----------------------
-- Helper functions
-----------------------
-- Given a group name returns a role. group_name must be a valid PostgreSQL idenfifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_GroupRole(group_name text)
    RETURNS TEXT AS $$
DECLARE
    group_role TEXT;
    prefix TEXT;
    max_length constant INTEGER := 63;
BEGIN
    prefix = format('%s_g_', cartodb._CDB_Group_ShortDatabaseName());
    group_role := format('%s%s', prefix, group_name);
    IF LENGTH(group_role) > max_length
    THEN
        RAISE EXCEPTION 'Group name must be shorter. It can''t have more than % characters, but it is longer (%): %', max_length - LENGTH(prefix), length(group_name), group_name;
    END IF;
    RETURN group_role;
END
$$ LANGUAGE PLPGSQL;

-- Returns the first owner of the schema matching username. Organization user schemas must have one only owner.
CREATE OR REPLACE
FUNCTION cartodb._CDB_User_RoleFromUsername(username text)
    RETURNS TEXT AS $$
DECLARE
    user_role TEXT;
BEGIN
    -- This was preferred, but non-superadmins won't get results
    -- SELECT SCHEMA_OWNER FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = $1 LIMIT 1'
    SELECT pg_get_userbyid(nspowner) FROM pg_namespace WHERE nspname = username INTO user_role;
    RETURN user_role;
END
$$ LANGUAGE PLPGSQL;

-- Database names are too long, we need a shorter version for composing role names
CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_ShortDatabaseName()
    RETURNS TEXT AS $$
DECLARE
    short_database_name TEXT;
BEGIN
    SELECT md5(current_database()) INTO short_database_name;
    RETURN short_database_name;
END
$$ LANGUAGE PLPGSQL;
Documentation about roles and functions 2015-08-19 17:03:07 +08:00			`----------------------------------`
			`-- GROUP MANAGEMENT FUNCTIONS`
			`--`
			`-- Meant to be used by org admin. See CDB_Organization_AddAdmin.`
			`----------------------------------`

CDB_Group_CreateGroup should not return role, since it's an internal implementation detail 2015-08-10 19:44:06 +08:00			`-- Creates a new group`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_CreateGroup(group_name text)`
CDB_Group_CreateGroup should not return role, since it's an internal implementation detail 2015-08-10 19:44:06 +08:00			`RETURNS VOID AS $$`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`DECLARE`
CDB_CONF and create and drop group api calls 2015-08-14 19:55:52 +08:00			`group_role TEXT;`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`BEGIN`
CDB_CONF and create and drop group api calls 2015-08-14 19:55:52 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('CREATE ROLE %I NOLOGIN;', group_role);`
Don't allow users to pick database name, keeping group operations inside their org 2015-08-19 16:37:52 +08:00			`PERFORM cartodb._CDB_Group_CreateGroup_API(group_name, group_role);`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00
Permission granting 2015-08-10 19:40:59 +08:00			`-- Drops group and everything that role owns`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`-- TODO: LIMITATION: in order to drop a role all its owned objects must be dropped before.`
			`-- Right now this is done with DROP OWNED, which can only be done by a superadmin.`
			`-- Not even the role creator can drop the role and the objects it owns.`
			`-- All group owned objects by the group are permissions.`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_DropGroup(group_name text)`
			`RETURNS VOID AS $$`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`DECLARE`
format instead of string concatenation 2015-08-14 21:22:00 +08:00			`group_role TEXT;`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`BEGIN`
format instead of string concatenation 2015-08-14 21:22:00 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('DROP OWNED BY %I', group_role);`
			`EXECUTE format('DROP ROLE IF EXISTS %I', group_role);`
Don't allow users to pick database name, keeping group operations inside their org 2015-08-19 16:37:52 +08:00			`PERFORM cartodb._CDB_Group_DropGroup_API(group_name);`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Rename group 2015-08-10 17:21:57 +08:00
Methods doc 2015-08-10 19:46:35 +08:00			`-- Renames a group`
Rename group 2015-08-10 17:21:57 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_RenameGroup(old_group_name text, new_group_name text)`
			`RETURNS VOID AS $$`
CDB_Group_RenameGroup_API 2015-08-17 19:37:34 +08:00			`DECLARE`
			`old_group_role TEXT;`
			`new_group_role TEXT;`
Rename group 2015-08-10 17:21:57 +08:00			`BEGIN`
CDB_Group_RenameGroup_API 2015-08-17 19:37:34 +08:00			`old_group_role = cartodb._CDB_Group_GroupRole(old_group_name);`
			`new_group_role = cartodb._CDB_Group_GroupRole(new_group_name);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('ALTER ROLE %I RENAME TO %I', old_group_role, new_group_role);`
Don't allow users to pick database name, keeping group operations inside their org 2015-08-19 16:52:07 +08:00			`PERFORM cartodb._CDB_Group_RenameGroup_API(old_group_name, new_group_name, new_group_role);`
Rename group 2015-08-10 17:21:57 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Rename group 2015-08-10 17:21:57 +08:00
Fixed comment 2015-09-07 17:48:18 +08:00			`-- Adds users to a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
Array notation for batch group functions 2015-09-07 17:43:46 +08:00			`FUNCTION cartodb.CDB_Group_AddUsers(group_name text, usernames text[])`
Permission granting 2015-08-10 19:40:59 +08:00			`RETURNS VOID AS $$`
			`DECLARE`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role TEXT;`
			`user_role TEXT;`
Batch add/remove users support 2015-09-07 16:35:04 +08:00			`username TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
Array notation for batch group functions 2015-09-07 17:43:46 +08:00			`foreach username in array usernames`
Batch add/remove users support 2015-09-07 16:35:04 +08:00			`loop`
			`user_role := cartodb._CDB_User_RoleFromUsername(username);`
			`IF(group_role IS NULL OR user_role IS NULL)`
			`THEN`
			`RAISE EXCEPTION 'Group role (%) and user role (%) must be already existing', group_role, user_role;`
			`END IF;`
			`EXECUTE format('GRANT %I TO %I', group_role, user_role);`
			`end loop;`
			`PERFORM cartodb._CDB_Group_AddUsers_API(group_name, usernames);`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
Fixed comment 2015-09-07 17:48:18 +08:00			`-- Removes users from a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
Array notation for batch group functions 2015-09-07 17:43:46 +08:00			`FUNCTION cartodb.CDB_Group_RemoveUsers(group_name text, usernames text[])`
Permission granting 2015-08-10 19:40:59 +08:00			`RETURNS VOID AS $$`
			`DECLARE`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role TEXT;`
			`user_role TEXT;`
Batch add/remove users support 2015-09-07 16:35:04 +08:00			`username TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
Array notation for batch group functions 2015-09-07 17:43:46 +08:00			`foreach username in array usernames`
Batch add/remove users support 2015-09-07 16:35:04 +08:00			`loop`
			`user_role := cartodb._CDB_User_RoleFromUsername(username);`
			`EXECUTE format('REVOKE %I FROM %I', group_role, user_role);`
			`end loop;`
			`PERFORM cartodb._CDB_Group_RemoveUsers_API(group_name, usernames);`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
Documentation about roles and functions 2015-08-19 17:03:07 +08:00			`----------------------------------`
			`-- TABLE MANAGEMENT FUNCTIONS`
			`--`
			`-- Meant to be used by table owners.`
			`----------------------------------`

Methods doc 2015-08-10 19:46:35 +08:00			`-- Grants table read permission to a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_Table_GrantRead(group_name text, username text, table_name text)`
			`RETURNS VOID AS $$`
			`DECLARE`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role TEXT;`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`BEGIN`
Sync-flag functions should be private 2015-09-28 00:42:24 +08:00			`PERFORM cartodb._CDB_Group_Table_GrantRead(group_name, username, table_name, true);`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`END`
			`$$ LANGUAGE PLPGSQL VOLATILE;`

			`CREATE OR REPLACE`
Sync-flag functions should be private 2015-09-28 00:42:24 +08:00			`FUNCTION cartodb._CDB_Group_Table_GrantRead(group_name text, username text, table_name text, sync boolean)`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`RETURNS VOID AS $$`
			`DECLARE`
			`group_role TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', username, group_role);`
			`EXECUTE format('GRANT SELECT ON TABLE %I.%I TO %I', username, table_name, group_role );`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`IF(sync) THEN`
			`PERFORM cartodb._CDB_Group_Table_GrantPermission_API(group_name, username, table_name, 'r');`
			`END IF;`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
CDB_Group_Table_GrantReadWrite 2015-08-10 19:53:57 +08:00			`-- Grants table write permission to a group`
			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text)`
			`RETURNS VOID AS $$`
			`DECLARE`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role TEXT;`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`BEGIN`
Sync-flag functions should be private 2015-09-28 00:42:24 +08:00			`PERFORM cartodb._CDB_Group_Table_GrantReadWrite(group_name, username, table_name, true);`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`END`
			`$$ LANGUAGE PLPGSQL VOLATILE;`

			`CREATE OR REPLACE`
Sync-flag functions should be private 2015-09-28 00:42:24 +08:00			`FUNCTION cartodb._CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text, sync boolean)`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`RETURNS VOID AS $$`
			`DECLARE`
			`group_role TEXT;`
CDB_Group_Table_GrantReadWrite 2015-08-10 19:53:57 +08:00			`BEGIN`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', username, group_role);`
			`EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE %I.%I TO %I', username, table_name, group_role);`
Granting RW permission on a table should also grant permission on default values sequences 2015-08-26 19:33:01 +08:00			`PERFORM cartodb._CDB_Group_TableSequences_Permission(group_name, username, table_name, true);`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`IF(sync) THEN`
			`PERFORM cartodb._CDB_Group_Table_GrantPermission_API(group_name, username, table_name, 'w');`
			`END IF;`
CDB_Group_Table_GrantReadWrite 2015-08-10 19:53:57 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
CDB_Group_Table_GrantReadWrite 2015-08-10 19:53:57 +08:00
Granting RW permission on a table should also grant permission on default values sequences 2015-08-26 19:33:01 +08:00			`-- Granting and revoking permissions on sequences`
			`CREATE OR REPLACE`
			`FUNCTION cartodb._CDB_Group_TableSequences_Permission(group_name text, username text, table_name text, do_grant bool)`
			`RETURNS VOID AS $$`
			`DECLARE`
			`column_name TEXT;`
			`sequence_name TEXT;`
			`group_role TEXT;`
			`BEGIN`
			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
			`FOR column_name IN EXECUTE 'SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_CATALOG = current_database() AND TABLE_SCHEMA = $1 AND TABLE_NAME = $2 AND COLUMN_DEFAULT LIKE ''nextval%''' USING username, table_name`
			`LOOP`
Fix schema not being specified on pg_get_serial_sequence 2015-10-07 00:09:37 +08:00			`EXECUTE format('SELECT PG_GET_SERIAL_SEQUENCE(''%I.%I'', ''%I'')', username, table_name, column_name) INTO sequence_name;`
Granting RW permission on a table should also grant permission on default values sequences 2015-08-26 19:33:01 +08:00			`IF sequence_name IS NOT NULL THEN`
			`IF do_grant THEN`
Use %s for sequence name, which is already quoted 2015-08-27 23:02:05 +08:00			`-- Here %s is needed since sequence_name has quotes`
			`EXECUTE format('GRANT USAGE, SELECT, UPDATE ON SEQUENCE %s TO %I', sequence_name, group_role);`
Granting RW permission on a table should also grant permission on default values sequences 2015-08-26 19:33:01 +08:00			`ELSE`
Use %s for sequence name, which is already quoted 2015-08-27 23:03:13 +08:00			`EXECUTE format('REVOKE ALL ON SEQUENCE %s FROM %I', sequence_name, group_role);`
Granting RW permission on a table should also grant permission on default values sequences 2015-08-26 19:33:01 +08:00			`END IF;`
			`END IF;`
			`END LOOP;`
			`RETURN;`
			`END`
			`$$ LANGUAGE PLPGSQL VOLATILE;`

Methods doc 2015-08-10 19:46:35 +08:00			`-- Revokes all permissions on a table from a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_Table_RevokeAll(group_name text, username text, table_name text)`
			`RETURNS VOID AS $$`
			`DECLARE`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role TEXT;`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`BEGIN`
Sync-flag functions should be private 2015-09-28 00:42:24 +08:00			`PERFORM cartodb._CDB_Group_Table_RevokeAll(group_name, username, table_name, true);`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`END`
			`$$ LANGUAGE PLPGSQL VOLATILE;`

			`CREATE OR REPLACE`
Sync-flag functions should be private 2015-09-28 00:42:24 +08:00			`FUNCTION cartodb._CDB_Group_Table_RevokeAll(group_name text, username text, table_name text, sync boolean)`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`RETURNS VOID AS $$`
			`DECLARE`
			`group_role TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Removed cdb_ prefix from local variables 2015-08-17 21:23:39 +08:00			`group_role := cartodb._CDB_Group_GroupRole(group_name);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('REVOKE ALL ON TABLE %I.%I FROM %I', username, table_name, group_role);`
Granting RW permission on a table should also grant permission on default values sequences 2015-08-26 19:33:01 +08:00			`PERFORM cartodb._CDB_Group_TableSequences_Permission(group_name, username, table_name, false);`
sync parameter at group functions closes #162 2015-09-26 01:02:39 +08:00			`IF(sync) THEN`
			`PERFORM cartodb._CDB_Group_Table_RevokeAllPermission_API(group_name, username, table_name);`
			`END IF;`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
Rename group 2015-08-10 17:21:57 +08:00			`-----------------------`
Documentation about roles and functions 2015-08-19 17:03:07 +08:00			`-- Helper functions`
Rename group 2015-08-10 17:21:57 +08:00			`-----------------------`
test_valid_group_names and test_not_valid_group_names 2015-08-11 20:49:12 +08:00			`-- Given a group name returns a role. group_name must be a valid PostgreSQL idenfifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS`
Rename group 2015-08-10 17:21:57 +08:00			`CREATE OR REPLACE`
Non-public API method naming 2015-08-10 19:42:27 +08:00			`FUNCTION cartodb._CDB_Group_GroupRole(group_name text)`
Rename group 2015-08-10 17:21:57 +08:00			`RETURNS TEXT AS $$`
_CDB_Group_GroupRole based on current database m5 2015-08-10 22:15:04 +08:00			`DECLARE`
			`group_role TEXT;`
CDB_CONF and create and drop group api calls 2015-08-14 19:55:52 +08:00			`prefix TEXT;`
			`max_length constant INTEGER := 63;`
Rename group 2015-08-10 17:21:57 +08:00			`BEGIN`
format instead of string concatenation 2015-08-14 21:22:00 +08:00			`prefix = format('%s_g_', cartodb._CDB_Group_ShortDatabaseName());`
			`group_role := format('%s%s', prefix, group_name);`
Roles simplification, without md5 and prepending database name 2015-08-13 02:01:07 +08:00			`IF LENGTH(group_role) > max_length`
			`THEN`
CDB_CONF and create and drop group api calls 2015-08-14 19:55:52 +08:00			`RAISE EXCEPTION 'Group name must be shorter. It can''t have more than % characters, but it is longer (%): %', max_length - LENGTH(prefix), length(group_name), group_name;`
Roles simplification, without md5 and prepending database name 2015-08-13 02:01:07 +08:00			`END IF;`
			`RETURN group_role;`
Rename group 2015-08-10 17:21:57 +08:00			`END`
Removed IMMUTABLE for functions depending on current database 2015-09-21 20:35:28 +08:00			`$$ LANGUAGE PLPGSQL;`
Permission granting 2015-08-10 19:40:59 +08:00
			`-- Returns the first owner of the schema matching username. Organization user schemas must have one only owner.`
			`CREATE OR REPLACE`
Non-public API method naming 2015-08-10 19:42:27 +08:00			`FUNCTION cartodb._CDB_User_RoleFromUsername(username text)`
Permission granting 2015-08-10 19:40:59 +08:00			`RETURNS TEXT AS $$`
			`DECLARE`
Fix spacing 2015-08-11 20:08:55 +08:00			`user_role TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`-- This was preferred, but non-superadmins won't get results`
Grant and revoking permissions API sync 2015-08-20 00:43:25 +08:00			`-- SELECT SCHEMA_OWNER FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = $1 LIMIT 1'`
Removed unnecessary EXECUTEs 2015-09-21 21:47:52 +08:00			`SELECT pg_get_userbyid(nspowner) FROM pg_namespace WHERE nspname = username INTO user_role;`
Fix spacing 2015-08-11 20:08:55 +08:00			`RETURN user_role;`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
Removed IMMUTABLE for functions depending on current database 2015-09-21 20:35:28 +08:00			`$$ LANGUAGE PLPGSQL;`
CDB_CONF and create and drop group api calls 2015-08-14 19:55:52 +08:00
			`-- Database names are too long, we need a shorter version for composing role names`
			`CREATE OR REPLACE`
			`FUNCTION cartodb._CDB_Group_ShortDatabaseName()`
			`RETURNS TEXT AS $$`
			`DECLARE`
			`short_database_name TEXT;`
			`BEGIN`
Removed unnecessary EXECUTEs 2015-09-21 21:47:52 +08:00			`SELECT md5(current_database()) INTO short_database_name;`
CDB_CONF and create and drop group api calls 2015-08-14 19:55:52 +08:00			`RETURN short_database_name;`
			`END`
Removed IMMUTABLE for functions depending on current database 2015-09-21 20:35:28 +08:00			`$$ LANGUAGE PLPGSQL;`