02845e65db
Added features: register, authenticate, and RLS (as summarized in security_considerations.md). Improved: use the enhanced GraphiQL version to be able to set authentication headers. Removed: docker-compose.prod.yml, since it is not updated for now (and we do not have a production environment).
-- Public profile rows, one per registered person (candidates, editors and plain
-- persons alike).  Credentials live in candymat_data_privat.person_account, never
-- here: this table is granted to candymat_anonymous further down (row-filtered by
-- the select_person_public policy), so nothing secret may ever be added to it.
create table candymat_data.person
(
    id         serial primary key,
    first_name varchar(200),
    last_name  varchar(200),
    about      varchar(2000),
    -- NOTE(review): plain `timestamp` carries no zone, so this stores now() as
    -- rendered in the session time zone; timestamptz is the safer choice for a
    -- new table -- confirm before changing, since the API schema exposes it.
    created_at timestamp default now(),
    -- Drives the select_person_public RLS policy below.  The default is the
    -- least-privileged value, so a freshly registered person is not publicly
    -- listed.  The enum type candymat_data.role is declared elsewhere.
    role       candymat_data.role not null default 'candymat_person'
);

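-- Table-level privileges for the application roles.  These only set the
-- ceiling; the RLS policies below narrow which rows each role can see or touch.
--
-- update is granted per column on purpose.  `role` feeds the select policy
-- (and presumably the privilege level of the session, if the API maps the JWT
-- role claim to a database role -- not visible here), and `id`/`created_at` are
-- not user data.  A table-wide update grant would let any registered person set
-- their own row to 'candymat_editor' or 'candymat_candidate' -- unless a trigger
-- elsewhere guards the column, which this file does not show.
grant select, delete on table candymat_data.person to candymat_person;
grant update (first_name, last_name, about) on table candymat_data.person to candymat_person;

-- the following is only necessary as long as anonymous should be able to view
-- candidates and editors (the select_person_public policy limits which rows)
grant select on table candymat_data.person to candymat_anonymous;

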
-- Login credentials, one row per person.  Kept in the private schema: no
-- application role is granted anything on it in this file, so the register and
-- authenticate functions named in the commit are expected to reach it with
-- elevated rights.  The cascade removes the account together with its person row.
create table candymat_data_privat.person_account
(
    person_id     int primary key references candymat_data.person (id) on delete cascade,
    -- 320 presumably mirrors the RFC 5321 maximum address length.  The check is a
    -- deliberately loose "something@something.something" sanity test, not full
    -- address validation.
    -- NOTE(review): the unique constraint is case-sensitive while the check (~*)
    -- is not, so Foo@x.org and foo@x.org can coexist as separate accounts; a
    -- unique index on lower(email) would close that if addresses are meant to be
    -- case-insensitive -- confirm how the lookup side compares them first.
    email         varchar(320) not null unique check (email ~* '^.+@.+\..+$'),
    -- Only a hash is ever stored; the algorithm is chosen by whatever writes it
    -- (not visible here).
    password_hash varchar(256) not null
);

-- Enable RLS: from here on candymat_person and candymat_anonymous only see or
-- touch rows admitted by the policies below, and a command with no policy at all
-- (insert, which has none in this file) is denied for them.  The table owner and
-- superusers still bypass RLS -- presumably how registration inserts rows -- so
-- do not add `force row level security` without first adding an insert policy.
alter table candymat_data.person enable row level security;

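-- A person may update their own row only.  The id comes from the JWT claim that
-- the API layer is expected to publish as the jwt.claims.person_id setting
-- (missing_ok = true: an absent claim yields null and therefore matches nothing).
--
-- using: which existing rows the update may touch.  The original policy had only
-- `with check`; an update policy without `using` supplies no qualification for
-- existing rows, so PostgreSQL admits none through it and the update silently
-- matched 0 rows.  with check: the row must still belong to the caller after the
-- change, i.e. id cannot be handed to someone else.
-- When the update also reads columns (a where clause, returning) the select
-- policies are applied on top, so the row must be visible to the caller as well.
create policy update_person on candymat_data.person for update to candymat_person
    using (id = nullif(current_setting('jwt.claims.person_id', true), '')::integer)
    with check (id = nullif(current_setting('jwt.claims.person_id', true), '')::integer);
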
-- A person may delete their own row only (same JWT-claim check as the update
-- policy).  The on delete cascade on person_account removes the credentials too.
create policy delete_person
    on candymat_data.person
    for delete
    to candymat_person
    using (id = nullif(current_setting('jwt.claims.person_id', true), '')::integer);

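-- Public listing: everybody, anonymous visitors included, may read the rows of
-- editors and candidates; rows with the default role 'candymat_person' stay
-- hidden from the public.
-- This may be changed to only enable registered (and verified) persons.
create policy select_person_public
    on candymat_data.person
    for select
    to candymat_anonymous, candymat_person -- maybe change to candymat_person only in the future
    using (role in ('candymat_editor', 'candymat_candidate'));

-- Self visibility: a registered person must be able to read their own row
-- whatever its role.  Without this, a person with the default role
-- 'candymat_person' is invisible to themselves, and because PostgreSQL also
-- applies the select policies to an update or delete that reads columns
-- (`where id = ...`, `returning`), they could not update or delete their own row
-- by id either.  Policies are permissive, so this simply ORs with the public one.
-- (Drop this statement if an equivalent policy is already declared elsewhere.)
create policy select_person_self
    on candymat_data.person
    for select
    to candymat_person
    using (id = nullif(current_setting('jwt.claims.person_id', true), '')::integer);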