kandimat/backend/sql/02_create-user_tables.sql
Christoph Lienhard e26a154518
#20 Add UserManagement page
Connects to backend and gets all registered users by role.
Enabled editors to see all registered users, which wasn't possible before.
2021-03-30 18:24:41 +02:00


-- Public profile data: one row per registered person.
-- NOTE(review): first_name and last_name are nullable; their checks only reject the
-- empty string, because a check constraint passes when its expression is null.
create table candymat_data.person
(
    row_id     serial primary key,
    first_name varchar(200) check (first_name <> ''),
    last_name  varchar(200) check (last_name <> ''),
    about      varchar(2000),
    created_at timestamp default now(),
    role       candymat_data.role not null default 'candymat_person'
);

-- NOTE(review): these are table-level privileges, so update covers every column,
-- including role, row_id and created_at. If role is what authorization is derived
-- from, consider column-level update grants so a person cannot rewrite it; confirm
-- against how role changes are actually performed.
grant select, update, delete
    on table candymat_data.person
    to candymat_person;

-- Only needed while anonymous visitors may view candidates and editors.
-- The grant spans all columns; which rows are returned is decided by row level security.
grant select
    on table candymat_data.person
    to candymat_anonymous;
-- Login credentials, kept in a different schema from the public profile table.
-- An account row is deleted together with its person (on delete cascade).
-- No grants on this table are issued in this part of the file.
create table candymat_data_privat.person_account
(
    person_row_id integer primary key
        references candymat_data.person (row_id) on delete cascade,
    -- Loose, case-insensitive shape check only (text@text.text); it does not prove the address is deliverable.
    email         varchar(320) not null unique check (email ~* '^.+@.+\..+$'),
    -- NOTE(review): presumably written by a registration routine defined elsewhere;
    -- the hashing scheme is not visible here.
    password_hash varchar(256) not null
);
-- With row level security enabled, a row is only reachable through a matching policy;
-- a command with no applicable policy sees no rows.
alter table candymat_data.person enable row level security;

-- Both policies compare row_id with the 'jwt.claims.person_row_id' setting
-- (presumably filled from the caller's JWT). current_setting(..., true) returns null
-- when the setting is missing and nullif maps '' to null, so without a claim the
-- comparison is null and the row is rejected.

-- A person may only write back a row that carries their own row_id.
-- NOTE(review): this policy has a with check clause but no using clause. PostgreSQL
-- reuses a lone using for with check, not the other way round, so this policy alone
-- does not make any existing row eligible for update. Verify that updates by
-- candymat_person behave as intended. Before adding a using clause, review the
-- table-level update grant on this table, because it includes the role column.
create policy update_person
    on candymat_data.person
    for update
    to candymat_person
    with check (row_id = nullif(current_setting('jwt.claims.person_row_id', true), '')::integer);

-- A person may only delete their own row.
create policy delete_person
    on candymat_data.person
    for delete
    to candymat_person
    using (row_id = nullif(current_setting('jwt.claims.person_row_id', true), '')::integer);
-- Candidate and editor rows are readable by everyone, including anonymous visitors.
-- This may later be narrowed to registered (and verified) persons only.
-- NOTE(review): rows whose role is 'candymat_person' do not match this policy, so a
-- plain person cannot read their own row through it; confirm whether that is intended.
create policy select_person_public
    on candymat_data.person
    for select
    to candymat_anonymous,
       candymat_person -- maybe change to candymat_person only in the future
    using (role in ('candymat_editor', 'candymat_candidate'));
-- Editors may read every person row, regardless of role, so that they can pick
-- the persons whose privileges they want to elevate.
-- NOTE(review): no table privilege is granted to candymat_editor in this part of the
-- file; presumably it is inherited from another role. Verify against the role setup.
create policy select_person_editor
    on candymat_data.person
    for select
    to candymat_editor
    using (true);