-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
- Loading branch information
Showing
23 changed files
with
645 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 changes: 14 additions & 0 deletions
14
src/database/initialization/user_changemaker_permission_to_json.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
SELECT drop_function('user_changemaker_permission_to_json'); | ||
|
||
CREATE FUNCTION user_changemaker_permission_to_json(user_changemaker_permission user_changemaker_permissions) | ||
RETURNS JSONB AS $$ | ||
BEGIN | ||
RETURN jsonb_build_object( | ||
'userKeycloakUserId', user_changemaker_permission.user_keycloak_user_id, | ||
'permission', user_changemaker_permission.permission, | ||
'changemakerId', user_changemaker_permission.changemaker_id, | ||
'createdBy', user_changemaker_permission.created_by, | ||
'createdAt', user_changemaker_permission.created_at | ||
); | ||
END; | ||
$$ LANGUAGE plpgsql; |
14 changes: 14 additions & 0 deletions
14
src/database/initialization/user_data_provider_permission_to_json.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
SELECT drop_function('user_data_provider_permission_to_json'); | ||
|
||
CREATE FUNCTION user_data_provider_permission_to_json(user_data_provider_permission user_data_provider_permissions) | ||
RETURNS JSONB AS $$ | ||
BEGIN | ||
RETURN jsonb_build_object( | ||
'userKeycloakUserId', user_data_provider_permission.user_keycloak_user_id, | ||
'permission', user_data_provider_permission.permission, | ||
'dataProviderShortCode', user_data_provider_permission.data_provider_short_code, | ||
'createdBy', user_data_provider_permission.created_by, | ||
'createdAt', user_data_provider_permission.created_at | ||
); | ||
END; | ||
$$ LANGUAGE plpgsql; |
14 changes: 14 additions & 0 deletions
14
src/database/initialization/user_funder_permission_to_json.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
SELECT drop_function('user_funder_permission_to_json'); | ||
|
||
CREATE FUNCTION user_funder_permission_to_json(user_funder_permission user_funder_permissions) | ||
RETURNS JSONB AS $$ | ||
BEGIN | ||
RETURN jsonb_build_object( | ||
'userKeycloakUserId', user_funder_permission.user_keycloak_user_id, | ||
'permission', user_funder_permission.permission, | ||
'funderShortCode', user_funder_permission.funder_short_code, | ||
'createdBy', user_funder_permission.created_by, | ||
'createdAt', user_funder_permission.created_at | ||
); | ||
END; | ||
$$ LANGUAGE plpgsql; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
CREATE TYPE permission_t AS ENUM ( | ||
'manage', | ||
'edit', | ||
'view' | ||
); | ||
|
||
CREATE TABLE user_changemaker_permissions ( | ||
user_keycloak_user_id UUID NOT NULL REFERENCES users(keycloak_user_id) ON DELETE CASCADE, | ||
permission permission_t NOT NULL, | ||
changemaker_id INT NOT NULL REFERENCES changemakers(id) ON DELETE CASCADE, | ||
created_by UUID NOT NULL REFERENCES users(keycloak_user_id) ON DELETE CASCADE, | ||
created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(), | ||
PRIMARY KEY (user_keycloak_user_id, permission, changemaker_id) | ||
); | ||
|
||
CREATE TABLE user_funder_permissions ( | ||
user_keycloak_user_id UUID NOT NULL REFERENCES users(keycloak_user_id) ON DELETE CASCADE, | ||
permission permission_t NOT NULL, | ||
funder_short_code short_code_t NOT NULL REFERENCES funders(short_code) ON DELETE CASCADE, | ||
created_by UUID NOT NULL REFERENCES users(keycloak_user_id) ON DELETE CASCADE, | ||
created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(), | ||
PRIMARY KEY (user_keycloak_user_id, permission, funder_short_code) | ||
); | ||
|
||
CREATE TABLE user_data_provider_permissions ( | ||
user_keycloak_user_id UUID NOT NULL REFERENCES users(keycloak_user_id) ON DELETE CASCADE, | ||
permission permission_t NOT NULL, | ||
data_provider_short_code short_code_t NOT NULL REFERENCES data_providers(short_code) ON DELETE CASCADE, | ||
created_by UUID NOT NULL REFERENCES users(keycloak_user_id) ON DELETE CASCADE, | ||
created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(), | ||
PRIMARY KEY (user_keycloak_user_id, permission, data_provider_short_code) | ||
); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 32 additions & 0 deletions
32
...database/operations/userChangemakerPermissions/createOrUpdateUserChangemakerPermission.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
import { db } from '../../db'; | ||
import type { | ||
InternallyWritableUserChangemakerPermission, | ||
JsonResultSet, | ||
UserChangemakerPermission, | ||
} from '../../../types'; | ||
|
||
const createOrUpdateUserChangemakerPermission = async ( | ||
createValues: InternallyWritableUserChangemakerPermission, | ||
): Promise<UserChangemakerPermission> => { | ||
const { userKeycloakUserId, changemakerId, permission, createdBy } = | ||
createValues; | ||
const result = await db.sql<JsonResultSet<UserChangemakerPermission>>( | ||
'userChangemakerPermissions.insertOrUpdateOne', | ||
{ | ||
userKeycloakUserId, | ||
permission, | ||
changemakerId, | ||
createdBy, | ||
}, | ||
); | ||
|
||
const { object } = result.rows[0] ?? {}; | ||
if (object === undefined) { | ||
throw new Error( | ||
'The entity creation did not appear to fail, but no data was returned by the operation.', | ||
); | ||
} | ||
return object; | ||
}; | ||
|
||
export { createOrUpdateUserChangemakerPermission }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
export * from './createOrUpdateUserChangemakerPermission'; |
32 changes: 32 additions & 0 deletions
32
...tabase/operations/userDataProviderPermissions/createOrUpdateUserDataProviderPermission.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
import { db } from '../../db'; | ||
import type { | ||
UserDataProviderPermission, | ||
InternallyWritableUserDataProviderPermission, | ||
JsonResultSet, | ||
} from '../../../types'; | ||
|
||
const createOrUpdateUserDataProviderPermission = async ( | ||
createValues: InternallyWritableUserDataProviderPermission, | ||
): Promise<UserDataProviderPermission> => { | ||
const { userKeycloakUserId, dataProviderShortCode, permission, createdBy } = | ||
createValues; | ||
const result = await db.sql<JsonResultSet<UserDataProviderPermission>>( | ||
'userDataProviderPermissions.insertOrUpdateOne', | ||
{ | ||
userKeycloakUserId, | ||
permission, | ||
dataProviderShortCode, | ||
createdBy, | ||
}, | ||
); | ||
|
||
const { object } = result.rows[0] ?? {}; | ||
if (object === undefined) { | ||
throw new Error( | ||
'The entity creation did not appear to fail, but no data was returned by the operation.', | ||
); | ||
} | ||
return object; | ||
}; | ||
|
||
export { createOrUpdateUserDataProviderPermission }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
export * from './createOrUpdateUserDataProviderPermission'; |
Oops, something went wrong.