kandimat/backend/sql/02_create-user_tables.sql


-- Public profile rows for every registered person (plain persons, candidates, editors).
-- Credentials (e-mail, password hash) are kept apart in kandimat_data_privat.person_account.
create table kandimat_data.person (
    row_id      serial primary key,
    -- Names are optional, but may not be the empty string when given.
    first_name  character varying(200) check (first_name <> ''),
    last_name   character varying(200) check (last_name <> ''),
    about       character varying(2000),
    -- NOTE(review): timestamp without time zone; now() is converted to the session time
    -- zone on insert. A timestamptz column would avoid that ambiguity — confirm intent.
    created_at  timestamp default now(),
    -- Application role of the person; the type kandimat_data.role is defined outside this file.
    role        kandimat_data.role not null default 'kandimat_person'
);
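-- Registered persons may read and delete rows; which rows is decided by the RLS policies on the table.
grant select, delete on table kandimat_data.person to kandimat_person;
-- UPDATE is granted per column: row_id, created_at and role are not self-editable.
-- The update_person policy only checks row_id, so a table-wide UPDATE grant would let a
-- kandimat_person change its own role; role elevation is meant to go through editors.
grant update (first_name, last_name, about) on table kandimat_data.person to kandimat_person;
-- the following is only necessary as long as anonymous should be able to view candidates and editors
grant select on table kandimat_data.person to kandimat_anonymous;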
-- Login credentials, held in a separate (private) schema; no grants on this table appear in this file.
create table kandimat_data_privat.person_account (
    -- Exactly one account per person; deleting the person removes the account as well.
    person_row_id  integer primary key
                   references kandimat_data.person (row_id) on delete cascade,
    -- Coarse shape test only (something@something.something), not full address validation.
    -- Length presumably follows the classic 64 + '@' + 255 e-mail bound.
    email          character varying(320) not null unique
                   check (email ~* '^.+@.+\..+$'),
    -- Only a hash is stored here; the hashing scheme is defined elsewhere (not in this file).
    password_hash  character varying(256) not null
);
-- NOTE(review): no RLS or role grants for this table in this file; access is presumably
-- restricted to the owner / definer functions — confirm in the remaining migrations.
-- Switch on RLS so the policies that follow govern kandimat_anonymous, kandimat_person and kandimat_editor.
-- The table owner and superusers bypass RLS unless FORCE ROW LEVEL SECURITY is also set.
alter table kandimat_data.person enable row level security;
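-- Persons may modify or delete only their own row, identified by the JWT claim
-- jwt.claims.person_row_id. current_setting(..., true) yields NULL when the setting is
-- missing and nullif() maps '' to NULL, so a session without the claim matches no row.
-- A claim that is not a valid integer makes the cast raise rather than silently match.
-- USING limits which existing rows an UPDATE may target (PostgreSQL treats a missing
-- USING as permitting all existing rows); WITH CHECK validates the row as written back,
-- so row_id cannot be reassigned to another person's id.
create policy update_person on kandimat_data.person
    for update to kandimat_person
    using      (row_id = nullif(current_setting('jwt.claims.person_row_id', true), '')::integer)
    with check (row_id = nullif(current_setting('jwt.claims.person_row_id', true), '')::integer);
create policy delete_person on kandimat_data.person
    for delete to kandimat_person
    using (row_id = nullif(current_setting('jwt.claims.person_row_id', true), '')::integer);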
-- Everyone, anonymous visitors included, may read the profiles of editors and candidates.
-- This may later be narrowed to registered (and verified) persons only.
-- NOTE(review): no policy in this file exposes a kandimat_person's own row while its role
-- is 'kandimat_person'; confirm a later migration adds one if self-service reads are expected.
create policy select_person_public on kandimat_data.person
    for select
    to kandimat_anonymous, kandimat_person  -- maybe change to kandimat_person only in the future
    using (role in ('kandimat_editor', 'kandimat_candidate'));
-- Editors see every registered person so they can elevate a person's privileges.
create policy select_person_editor on kandimat_data.person
    for select
    to kandimat_editor
    using (true);