forked from jimafisk/self-hosted
-
Notifications
You must be signed in to change notification settings - Fork 0
/
primo_schema.sql
160 lines (131 loc) · 5.9 KB
/
primo_schema.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
-- DATABASE
-- Create tables
CREATE TABLE public.sites (
id text NOT NULL,
name text,
password text,
active_editor text,
host text,
active_deployment jsonb,
created_at timestamp with time zone DEFAULT now()
);
CREATE TABLE public.users (
id bigint NOT NULL,
email text,
role text,
sites text[],
created_at timestamp with time zone DEFAULT now(),
updated_at timestamp with time zone DEFAULT now()
);
CREATE TABLE public.hosts (
id bigint NOT NULL,
name text,
token text,
created_at timestamp with time zone DEFAULT now(),
updated_at timestamp with time zone DEFAULT now()
);
CREATE TABLE public.config (
id text NOT NULL,
value text,
options jsonb,
created_at timestamp with time zone DEFAULT now(),
updated_at timestamp with time zone DEFAULT now()
);
INSERT INTO public.config (id, value, options, created_at, updated_at) VALUES
('server-token', null, null, now(), now());
INSERT INTO public.config (id, value, options, created_at, updated_at) VALUES
('invitation-key', null, null, now(), now());
-- Set owner
ALTER TABLE public.sites OWNER TO supabase_admin;
ALTER TABLE public.users OWNER TO supabase_admin;
ALTER TABLE public.hosts OWNER TO supabase_admin;
ALTER TABLE public.config OWNER TO supabase_admin;
-- Auto-generate row ID
ALTER TABLE public.users ALTER COLUMN id ADD GENERATED BY DEFAULT AS IDENTITY (
SEQUENCE NAME public.users_id_seq
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1
);
ALTER TABLE public.hosts ALTER COLUMN id ADD GENERATED BY DEFAULT AS IDENTITY (
SEQUENCE NAME public.hosts_id_seq
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1
);
-- Set Primary Key
ALTER TABLE ONLY public.sites
ADD CONSTRAINT sites_pkey PRIMARY KEY (id);
ALTER TABLE ONLY public.users
ADD CONSTRAINT users_pkey PRIMARY KEY (id);
ALTER TABLE ONLY public.hosts
ADD CONSTRAINT hosts_pkey PRIMARY KEY (id);
ALTER TABLE ONLY public.config
ADD CONSTRAINT config_pkey PRIMARY KEY (id);
-- Set Row Level Security
ALTER TABLE public.sites ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.hosts ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.config ENABLE ROW LEVEL SECURITY;
-- Set RLS Policy
CREATE POLICY "Authenticated users can access sites" ON public.sites FOR ALL USING (auth.role() = 'authenticated') WITH CHECK (auth.role() = 'authenticated');
CREATE POLICY "Authenticated users can access users" ON public.users FOR ALL USING (auth.role() = 'authenticated') WITH CHECK (auth.role() = 'authenticated');
CREATE POLICY "Authenticated users can access config" ON public.config FOR ALL USING (auth.role() = 'authenticated') WITH CHECK (auth.role() = 'authenticated');
CREATE POLICY "Authenticated users can access hosts" ON public.hosts FOR ALL USING (auth.role() = 'authenticated') WITH CHECK (auth.role() = 'authenticated');
-- No users can access Hosts (to secure Tokens)
-- Set permissions for tables
GRANT ALL ON TABLE public.sites TO postgres;
GRANT ALL ON TABLE public.sites TO anon;
GRANT ALL ON TABLE public.sites TO authenticated;
GRANT ALL ON TABLE public.sites TO service_role;
GRANT ALL ON TABLE public.users TO postgres;
GRANT ALL ON TABLE public.users TO anon;
GRANT ALL ON TABLE public.users TO authenticated;
GRANT ALL ON TABLE public.users TO service_role;
GRANT ALL ON TABLE public.hosts TO postgres;
GRANT ALL ON TABLE public.hosts TO anon;
GRANT ALL ON TABLE public.hosts TO authenticated;
GRANT ALL ON TABLE public.hosts TO service_role;
GRANT ALL ON TABLE public.config TO postgres;
GRANT ALL ON TABLE public.config TO anon;
GRANT ALL ON TABLE public.config TO authenticated;
GRANT ALL ON TABLE public.config TO service_role;
-- Set permissions for table sequence
GRANT ALL ON SEQUENCE public.users_id_seq TO postgres;
GRANT ALL ON SEQUENCE public.users_id_seq TO anon;
GRANT ALL ON SEQUENCE public.users_id_seq TO authenticated;
GRANT ALL ON SEQUENCE public.users_id_seq TO service_role;
GRANT ALL ON SEQUENCE public.hosts_id_seq TO postgres;
GRANT ALL ON SEQUENCE public.hosts_id_seq TO anon;
GRANT ALL ON SEQUENCE public.hosts_id_seq TO authenticated;
GRANT ALL ON SEQUENCE public.hosts_id_seq TO service_role;
-- STORAGE (for saving site data & images)
INSERT INTO storage.buckets (id, name, created_at, updated_at, public) VALUES
('sites', 'sites', now(), now(), true);
-- Set storage security
CREATE POLICY "Public access to view sites" ON storage.objects FOR SELECT USING (((bucket_id = 'sites'::text)));
CREATE POLICY "Give Authenticated users access to upload new sites" ON storage.objects FOR INSERT WITH CHECK (((bucket_id = 'sites'::text) AND (auth.role() = 'authenticated'::text)));
CREATE POLICY "Give Authenticated users access to update sites" ON storage.objects FOR UPDATE USING (((bucket_id = 'sites'::text) AND (auth.role() = 'authenticated'::text)));
CREATE POLICY "Give Authenticated users access to delete sites" ON storage.objects FOR DELETE USING (((bucket_id = 'sites'::text) AND (auth.role() = 'authenticated'::text)));
-- Function (for setting active user)
-- Setup
CREATE EXTENSION IF NOT EXISTS "plv8" WITH SCHEMA "pg_catalog";
COMMENT ON EXTENSION "plv8" IS 'PL/JavaScript (v8) trusted procedural language';
CREATE FUNCTION "public"."remove_active_editor"("site" "text") RETURNS smallint
LANGUAGE "plv8"
AS $_$
var num_affected = plv8.execute(
'select pg_sleep(10); update sites set active_editor = NULL where id = $1;',
[site]
);
return num_affected;
$_$;
ALTER FUNCTION "public"."remove_active_editor"("site" "text") OWNER TO "supabase_admin";
GRANT ALL ON FUNCTION "public"."remove_active_editor"("site" "text") TO "postgres";
GRANT ALL ON FUNCTION "public"."remove_active_editor"("site" "text") TO "anon";
GRANT ALL ON FUNCTION "public"."remove_active_editor"("site" "text") TO "authenticated";
GRANT ALL ON FUNCTION "public"."remove_active_editor"("site" "text") TO "service_role";