Add note in README.md and enhancements to sql and functions.

This commit is contained in:
trogers1884 2025-03-26 17:19:35 -05:00
parent a8f98d6c8b
commit f9312888f0
2 changed files with 44 additions and 2 deletions


@ -1,2 +1,9 @@
# c77_rbac # c77_rbac
A PostgreSQL extension for role-based access control (RBAC). A PostgreSQL extension for role-based access control (RBAC).
## Setup for Cross-Schema Usage
If applying `c77_rbac_apply_policy` to a table in a non-public schema, ensure the schema has `USAGE` permissions for the roles that will access it:
```sql
GRANT USAGE ON SCHEMA your_schema TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON your_schema.your_table TO PUBLIC;


@ -97,4 +97,39 @@ BEGIN
VALUES (v_role_id, v_feature_id) VALUES (v_role_id, v_feature_id)
ON CONFLICT DO NOTHING; ON CONFLICT DO NOTHING;
END; END;
$$ LANGUAGE plpgsql; $$ LANGUAGE plpgsql;
CREATE FUNCTION c77_rbac_can_access(
p_feature_name TEXT,
p_scope_type TEXT DEFAULT NULL,
p_scope_id TEXT DEFAULT NULL
) RETURNS BOOLEAN AS $$
BEGIN
RETURN EXISTS (
SELECT 1
FROM c77_rbac_users u
JOIN c77_rbac_user_roles ur ON u.user_id = ur.user_id
JOIN c77_rbac_roles r ON ur.role_id = r.role_id
JOIN c77_rbac_role_features rf ON r.role_id = rf.role_id
JOIN c77_rbac_features f ON rf.feature_id = f.feature_id
WHERE u.username = current_user
AND f.name = p_feature_name
AND (p_scope_type IS NULL OR u.scope_type = p_scope_type)
AND (p_scope_id IS NULL OR u.scope_id = p_scope_id)
);
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_users TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_roles TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_user_roles TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_features TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_role_features TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON c77_rbac_entities TO PUBLIC;
-- Grant permissions on functions
GRANT EXECUTE ON FUNCTION c77_rbac_assign_user TO PUBLIC;
GRANT EXECUTE ON FUNCTION c77_rbac_grant_feature TO PUBLIC;
GRANT EXECUTE ON FUNCTION c77_rbac_can_access TO PUBLIC;
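Review bot: The GRANT block following c77_rbac_can_access hands SELECT, INSERT, UPDATE and DELETE on c77_rbac_users, c77_rbac_user_roles, c77_rbac_role_features and c77_rbac_features to PUBLIC, so any database role can insert a row mapping itself to a role that carries the feature it wants and the check in c77_rbac_can_access then passes; the SECURITY DEFINER on that function only makes sense if the underlying tables are not directly writable by the callers it gates. If the intent is for the helper functions to be the only write path, the table grants should be reduced (at most SELECT, or none, with c77_rbac_assign_user and c77_rbac_grant_feature made SECURITY DEFINER and restricted to an administrative role) rather than full DML to PUBLIC. Separately, the function body references its tables unqualified while running as the definer, so a caller whose search_path puts a schema of its own first can shadow c77_rbac_users or the other tables with its own relations and decide the outcome of the check; pin the path on the definition, `$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public;` (or the schema the extension is actually installed into). The `GRANT EXECUTE ... TO PUBLIC` lines are redundant in PostgreSQL, where PUBLIC gets EXECUTE on new functions by default, which is worth a one-line comment so a reader does not assume they are tightening anything.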