From f9312888f0d4d4b0fd17d4a99d0d363af8ffecf1 Mon Sep 17 00:00:00 2001
From: trogers1884
Date: Wed, 26 Mar 2025 17:19:35 -0500
Subject: [PATCH] Add note in README.md and enhancements to sql and functions.
---
 README.md | 9 ++++++++-
 schema.sql | 37 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6141a82..e32004a 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,9 @@
 # c77_rbac
-A PostgreSQL extension for role-based access control (RBAC).
\ No newline at end of file
+A PostgreSQL extension for role-based access control (RBAC).
+
+## Setup for Cross-Schema Usage
+If applying `c77_rbac_apply_policy` to a table in a non-public schema, ensure the schema has `USAGE` permissions for the roles that will access it:
+
+```sql
+GRANT USAGE ON SCHEMA your_schema TO PUBLIC;
+GRANT SELECT, INSERT, UPDATE, DELETE ON your_schema.your_table TO PUBLIC;
\ No newline at end of file
diff --git a/schema.sql b/schema.sql
index b94213b..b44e015 100644
--- a/schema.sql
+++ b/schema.sql
@@ -97,4 +97,39 @@ BEGIN
 VALUES (v_role_id, v_feature_id) ON CONFLICT DO NOTHING;
 END;
-$$ LANGUAGE plpgsql;
\ No newline at end of file
+$$ LANGUAGE plpgsql;
+
+
+CREATE FUNCTION c77_rbac_can_access(
+ p_feature_name TEXT,
+ p_scope_type TEXT DEFAULT NULL,
+ p_scope_id TEXT DEFAULT NULL
+) RETURNS BOOLEAN AS $$
+BEGIN
+ RETURN EXISTS (
+ SELECT 1
+ FROM c77_rbac_users u
+ JOIN c77_rbac_user_roles ur ON u.user_id = ur.user_id
+ JOIN c77_rbac_roles r ON ur.role_id = r.role_id
+ JOIN c77_rbac_role_features rf ON r.role_id = rf.role_id
+ JOIN c77_rbac_features f ON rf.feature_id = f.feature_id
+ WHERE u.username = current_user
+ AND f.name = p_feature_name
+ AND (p_scope_type IS NULL OR u.scope_type = p_scope_type)
+ AND (p_scope_id IS NULL OR u.scope_id = p_scope_id)
+ );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_users TO PUBLIC;
+GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_roles TO PUBLIC;
+GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_user_roles TO PUBLIC;
+GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_features TO PUBLIC;
+GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_role_features TO PUBLIC;
+GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_entities TO PUBLIC;
+
+-- Grant permissions on functions
+GRANT EXECUTE ON FUNCTION c77_rbac_assign_user TO PUBLIC;
+GRANT EXECUTE ON FUNCTION c77_rbac_grant_feature TO PUBLIC;
+GRANT EXECUTE ON FUNCTION c77_rbac_can_access TO PUBLIC;
+
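Review bot: `WHERE u.username = current_user` in `c77_rbac_can_access` does not identify the caller, because inside a `SECURITY DEFINER` function `current_user` is the function owner, so the query tests the owner's role assignments for every caller; if callers are distinct login roles the comparison should be against `session_user` (if the application instead switches identity with `SET ROLE`, neither is usable inside the definer context and the function should be `SECURITY INVOKER` with read access granted on the tables). The six `GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_* TO PUBLIC` lines and the PUBLIC `EXECUTE` on `c77_rbac_assign_user`/`c77_rbac_grant_feature` let any database role insert itself into `c77_rbac_user_roles` or `c77_rbac_role_features`, which makes the access check decorative; DML and the two mutating functions should be restricted to a dedicated administrator role, and `c77_rbac_can_access` is the only thing PUBLIC needs. The definer function also sets no `search_path` while naming its tables unqualified, and PostgreSQL searches `pg_temp` before the rest of the path, so a caller can shadow `c77_rbac_users` with a temporary table of the same name — add `SET search_path = <schema of the c77_rbac tables>, pg_temp` to the function, with `pg_temp` last. The rewritten tail is below with `public` standing in for that schema and `c77_rbac_admin` for the administrator role, which this script would need to create or assume exists. The function closed by `$$ LANGUAGE plpgsql;` at the top of the hunk starts outside it; `c77_rbac_can_access` lies wholly within the hunk.

```sql
-- … unchanged: c77_rbac_can_access signature, BEGIN, SELECT/JOIN list …
    -- session_user, not current_user: inside SECURITY DEFINER current_user is the
    -- function owner, so the caller's own assignments would never be consulted.
    WHERE u.username = session_user
-- … unchanged: feature and scope predicates, END …
$$ LANGUAGE plpgsql SECURITY DEFINER
   -- Pin name resolution; pg_temp last so a caller's temp table cannot shadow the RBAC tables.
   SET search_path = public, pg_temp;

-- Only the RBAC administrator role may change policy data; PUBLIC must not be able to
-- grant itself roles or features.
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_users, c77_rbac_roles, c77_rbac_user_roles,
    c77_rbac_features, c77_rbac_role_features, c77_rbac_entities TO c77_rbac_admin;
-- PostgreSQL grants EXECUTE to PUBLIC on new functions by default; take it back on the mutators.
REVOKE EXECUTE ON FUNCTION c77_rbac_assign_user, c77_rbac_grant_feature FROM PUBLIC;
GRANT EXECUTE ON FUNCTION c77_rbac_assign_user, c77_rbac_grant_feature TO c77_rbac_admin;
GRANT EXECUTE ON FUNCTION c77_rbac_can_access TO PUBLIC;
```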