aclitem (Access Control List Item) type and aclexplode() function. This is in no way optimized for performance.
aclitem is "internal", so may change at any time.
create table protected.shareable_docs (
id int primary key,
name text not null,
owner name not null default current_user,
row_acl aclitem[]
);
/* No joins in updateable views */
create view shareable_docs with ( security_barrier ) as
select
*
from protected.shareable_docs
where
owner = current_user
or exists (select 1 from aclexplode(row_acl) where privilege_type = 'SELECT' and pg_has_role(grantee, 'member') )
with check option;
grant delete, insert, select, update on shareable_docs to alice, bob;
set role alice;
/* alice creates a doc and shares it with bob */
insert into shareable_docs (id, name, row_acl) values (1, 'shared doc 1', '{bob=r/alice}');
set role bob;
select count(*) from shareable_docs; --result = 1
You'd need to write triggers to prevent users from deleting shared items though.An ACL Item is structured like this: grantee=privileges/grantor . Grantee is the role (a user or group) that gets the privileges, and grantor is the role that gives the privileges. Here are some of the privilege codes:
r = SELECT (read) w = UPDATE (write) d = DELETE * = WITH GRANT OPTIONSo if alice wanted to grant
SELECT (WITH GRANT OPTION), UPDATE, and DELETE privileges to role editors, your aclitem would look like this: editors=r*wd/alice
No comments:
Post a Comment