---------------------------------- -- GROUP MANAGEMENT FUNCTIONS -- -- Meant to be used by org admin. See CDB_Organization_AddAdmin. ---------------------------------- -- Creates a new group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_CreateGroup(group_name text) RETURNS VOID AS $$ DECLARE group_role TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); EXECUTE format('CREATE ROLE %I NOLOGIN;', group_role); PERFORM cartodb._CDB_Group_CreateGroup_API(group_name, group_role); END $$ LANGUAGE PLPGSQL VOLATILE; -- Drops group and everything that role owns -- TODO: LIMITATION: in order to drop a role all its owned objects must be dropped before. -- Right now this is done with DROP OWNED, which can only be done by a superadmin. -- Not even the role creator can drop the role and the objects it owns. -- All group owned objects by the group are permissions. CREATE OR REPLACE FUNCTION cartodb.CDB_Group_DropGroup(group_name text) RETURNS VOID AS $$ DECLARE group_role TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); EXECUTE format('DROP OWNED BY %I', group_role); EXECUTE format('DROP ROLE IF EXISTS %I', group_role); PERFORM cartodb._CDB_Group_DropGroup_API(group_name); END $$ LANGUAGE PLPGSQL VOLATILE; -- Renames a group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_RenameGroup(old_group_name text, new_group_name text) RETURNS VOID AS $$ DECLARE old_group_role TEXT; new_group_role TEXT; BEGIN old_group_role = cartodb._CDB_Group_GroupRole(old_group_name); new_group_role = cartodb._CDB_Group_GroupRole(new_group_name); EXECUTE format('ALTER ROLE %I RENAME TO %I', old_group_role, new_group_role); PERFORM cartodb._CDB_Group_RenameGroup_API(old_group_name, new_group_name, new_group_role); END $$ LANGUAGE PLPGSQL VOLATILE; -- Adds users to a group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_AddUsers(group_name text, usernames text[]) RETURNS VOID AS $$ DECLARE group_role TEXT; user_role TEXT; username TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); foreach username in array usernames loop user_role := cartodb._CDB_User_RoleFromUsername(username); IF(group_role IS NULL OR user_role IS NULL) THEN RAISE EXCEPTION 'Group role (%) and user role (%) must be already existing', group_role, user_role; END IF; EXECUTE format('GRANT %I TO %I', group_role, user_role); end loop; PERFORM cartodb._CDB_Group_AddUsers_API(group_name, usernames); END $$ LANGUAGE PLPGSQL VOLATILE; -- Removes users from a group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_RemoveUsers(group_name text, usernames text[]) RETURNS VOID AS $$ DECLARE group_role TEXT; user_role TEXT; username TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); foreach username in array usernames loop user_role := cartodb._CDB_User_RoleFromUsername(username); EXECUTE format('REVOKE %I FROM %I', group_role, user_role); end loop; PERFORM cartodb._CDB_Group_RemoveUsers_API(group_name, usernames); END $$ LANGUAGE PLPGSQL VOLATILE; ---------------------------------- -- TABLE MANAGEMENT FUNCTIONS -- -- Meant to be used by table owners. ---------------------------------- -- Grants table read permission to a group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_Table_GrantRead(group_name text, username text, table_name text) RETURNS VOID AS $$ DECLARE group_role TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', username, group_role); EXECUTE format('GRANT SELECT ON TABLE %I.%I TO %I', username, table_name, group_role ); PERFORM cartodb._CDB_Group_Table_GrantPermission_API(group_name, username, table_name, 'r'); END $$ LANGUAGE PLPGSQL VOLATILE; -- Grants table write permission to a group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text) RETURNS VOID AS $$ DECLARE group_role TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', username, group_role); EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE %I.%I TO %I', username, table_name, group_role); PERFORM cartodb._CDB_Group_TableSequences_Permission(group_name, username, table_name, true); PERFORM cartodb._CDB_Group_Table_GrantPermission_API(group_name, username, table_name, 'w'); END $$ LANGUAGE PLPGSQL VOLATILE; -- Granting and revoking permissions on sequences CREATE OR REPLACE FUNCTION cartodb._CDB_Group_TableSequences_Permission(group_name text, username text, table_name text, do_grant bool) RETURNS VOID AS $$ DECLARE column_name TEXT; sequence_name TEXT; group_role TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); FOR column_name IN EXECUTE 'SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_CATALOG = current_database() AND TABLE_SCHEMA = $1 AND TABLE_NAME = $2 AND COLUMN_DEFAULT LIKE ''nextval%''' USING username, table_name LOOP EXECUTE 'SELECT PG_GET_SERIAL_SEQUENCE($1, $2)' USING table_name, column_name INTO sequence_name; IF sequence_name IS NOT NULL THEN IF do_grant THEN -- Here %s is needed since sequence_name has quotes EXECUTE format('GRANT USAGE, SELECT, UPDATE ON SEQUENCE %s TO %I', sequence_name, group_role); ELSE EXECUTE format('REVOKE ALL ON SEQUENCE %s FROM %I', sequence_name, group_role); END IF; END IF; END LOOP; RETURN; END $$ LANGUAGE PLPGSQL VOLATILE; -- Revokes all permissions on a table from a group CREATE OR REPLACE FUNCTION cartodb.CDB_Group_Table_RevokeAll(group_name text, username text, table_name text) RETURNS VOID AS $$ DECLARE group_role TEXT; BEGIN group_role := cartodb._CDB_Group_GroupRole(group_name); EXECUTE format('REVOKE ALL ON TABLE %I.%I FROM %I', username, table_name, group_role); PERFORM cartodb._CDB_Group_TableSequences_Permission(group_name, username, table_name, false); PERFORM cartodb._CDB_Group_Table_RevokeAllPermission_API(group_name, username, table_name); END $$ LANGUAGE PLPGSQL VOLATILE; ----------------------- -- Helper functions ----------------------- -- Given a group name returns a role. group_name must be a valid PostgreSQL idenfifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS CREATE OR REPLACE FUNCTION cartodb._CDB_Group_GroupRole(group_name text) RETURNS TEXT AS $$ DECLARE group_role TEXT; prefix TEXT; max_length constant INTEGER := 63; BEGIN prefix = format('%s_g_', cartodb._CDB_Group_ShortDatabaseName()); group_role := format('%s%s', prefix, group_name); IF LENGTH(group_role) > max_length THEN RAISE EXCEPTION 'Group name must be shorter. It can''t have more than % characters, but it is longer (%): %', max_length - LENGTH(prefix), length(group_name), group_name; END IF; RETURN group_role; END $$ LANGUAGE PLPGSQL IMMUTABLE; -- Returns the first owner of the schema matching username. Organization user schemas must have one only owner. CREATE OR REPLACE FUNCTION cartodb._CDB_User_RoleFromUsername(username text) RETURNS TEXT AS $$ DECLARE user_role TEXT; BEGIN -- This was preferred, but non-superadmins won't get results -- SELECT SCHEMA_OWNER FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = $1 LIMIT 1' EXECUTE 'SELECT pg_get_userbyid(nspowner) FROM pg_namespace WHERE nspname = $1;' INTO user_role USING username; RETURN user_role; END $$ LANGUAGE PLPGSQL IMMUTABLE; -- Database names are too long, we need a shorter version for composing role names CREATE OR REPLACE FUNCTION cartodb._CDB_Group_ShortDatabaseName() RETURNS TEXT AS $$ DECLARE short_database_name TEXT; BEGIN EXECUTE 'SELECT md5(current_database())' INTO short_database_name; RETURN short_database_name; END $$ LANGUAGE PLPGSQL IMMUTABLE;