dataset set permissions

FuhuXia · FuhuXia · commit 4546d2f79478 · 2025-01-31T16:21:40.000-05:00
diff --git a/set_permissions.sql b/set_permissions.sql
@@ -1,20 +1,25 @@
 /*
 This script configures the permissions for the datastore.
+
 It ensures that the datastore read-only user will only be able to select from
 the datastore database but has no create/write/edit permission or any
 permissions on other databases. You must execute this script as a database
 superuser on the PostgreSQL server that hosts your datastore database.
+
 For example, if PostgreSQL is running locally and the "postgres" user has the
 appropriate permissions (as in the default Ubuntu PostgreSQL install), you can
 run:
-    paster datastore set-permissions | sudo -u postgres psql
+
+    ckan -c /etc/ckan/default/ckan.ini datastore set-permissions | sudo -u postgres psql
+
 Or, if your PostgreSQL server is remote, you can pipe the permissions script
 over SSH:
-    paster datastore set-permissions | ssh dbserver sudo -u postgres psql
+
+    ckan -c /etc/ckan/default/ckan.ini datastore set-permissions | ssh dbserver sudo -u postgres psql
+
 */
 
 -- create the read-only user
-
 DO $$
 BEGIN
     CREATE USER {readuser} WITH ENCRYPTED PASSWORD {readpassword};
@@ -39,4 +44,61 @@ GRANT SELECT ON ALL TABLES IN SCHEMA public TO {readuser};
 
 -- grant access to new tables and views by default
 ALTER DEFAULT PRIVILEGES FOR USER {writeuser} IN SCHEMA public
-   GRANT SELECT ON TABLES TO {readuser};
+   GRANT SELECT ON TABLES TO {readuser};
+
+-- a view for listing valid table (resource id) and view names
+CREATE OR REPLACE VIEW "_table_metadata" AS
+    SELECT DISTINCT
+        substr(md5(dependee.relname || COALESCE(dependent.relname, '')), 0, 17) AS "_id",
+        dependee.relname AS name,
+        dependee.oid AS oid,
+        dependent.relname AS alias_of
+    FROM
+        pg_class AS dependee
+        LEFT OUTER JOIN pg_rewrite AS r ON r.ev_class = dependee.oid
+        LEFT OUTER JOIN pg_depend AS d ON d.objid = r.oid
+        LEFT OUTER JOIN pg_class AS dependent ON d.refobjid = dependent.oid
+    WHERE
+        (dependee.oid != dependent.oid OR dependent.oid IS NULL) AND
+        -- is a table (from pg_tables view definition)
+        -- or is a view (from pg_views view definition)
+        (dependee.relkind = 'r'::"char" OR dependee.relkind = 'v'::"char")
+        AND dependee.relnamespace = (
+            SELECT oid FROM pg_namespace WHERE nspname='public')
+    ORDER BY dependee.oid DESC;
+ALTER VIEW "_table_metadata" OWNER TO {writeuser};
+GRANT SELECT ON "_table_metadata" TO {readuser};
+
+-- _full_text fields are now updated by a trigger when set to NULL
+CREATE OR REPLACE FUNCTION populate_full_text_trigger() RETURNS trigger
+AS $body$
+    BEGIN
+        IF NEW._full_text IS NOT NULL THEN
+            RETURN NEW;
+        END IF;
+        NEW._full_text := (
+            SELECT to_tsvector(string_agg(value, ' '))
+            FROM json_each_text(row_to_json(NEW.*))
+            WHERE key NOT LIKE '\_%');
+        RETURN NEW;
+    END;
+$body$ LANGUAGE plpgsql;
+ALTER FUNCTION populate_full_text_trigger() OWNER TO {writeuser};
+
+-- migrate existing tables that don't have full text trigger applied
+DO $body$
+    BEGIN
+        EXECUTE coalesce(
+            (SELECT string_agg(
+                'CREATE TRIGGER zfulltext BEFORE INSERT OR UPDATE ON ' ||
+                quote_ident(relname) || ' FOR EACH ROW EXECUTE PROCEDURE ' ||
+                'populate_full_text_trigger();', ' ')
+            FROM pg_class
+            LEFT OUTER JOIN pg_trigger AS t
+                ON t.tgrelid = relname::regclass AND t.tgname = 'zfulltext'
+            WHERE relkind = 'r'::"char" AND t.tgname IS NULL
+                AND relnamespace = (
+                    SELECT oid FROM pg_namespace WHERE nspname='public')),
+            'SELECT 1;');
+    END;
+$body$;
