
Move Postgres user permissions to config

This commit is contained in:
lukinovec 2023-06-15 13:03:44 +02:00
parent 1ce18d2759
commit 0f9e0f33b0
3 changed files with 25 additions and 13 deletions


@ -175,16 +175,31 @@ return [
// todo docblock // todo docblock
'drop_tenant_databases_on_migrate_fresh' => false, 'drop_tenant_databases_on_migrate_fresh' => false,
/**
* Scope tenant models using RLS.
*
* Requires Postgres with single-database tenancy.
*/
], ],
/**
* Requires Postgres with single-database tenancy.
*/
'rls' => [ 'rls' => [
/**
* Scope tenant models using RLS.
*/
'enabled' => false, 'enabled' => false,
/**
* Permissions to grant to the tenant Postgres users.
*
* By default, all permissions are granted.
*
* @see Stancl\Tenancy\Jobs\CreatePostgresUserForTenant
*/
'user_permissions' => ['ALL'],
/**
* Directories in which Tenancy will discover your models.
*
* @see Stancl\Tenancy\Commands\CreateRLSPoliciesForTenantTables
*/
'model_directories' => ['app/Models'], 'model_directories' => ['app/Models'],
], ],
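Review bot: The docblock on the new `user_permissions` key does not say how the values are consumed: the job it points to with `@see` builds the statement as `"GRANT {$permission} ON {$table} TO ..."`, so each array element is placed verbatim into SQL and a free-form or comma-joined string here would be a mistake. I would extend the docblock with `* Each value is interpolated as-is into a GRANT statement, so use only Postgres privilege keywords (SELECT, INSERT, UPDATE, DELETE, ... or ALL), one per array element.` It would also help to note that this key must be present in a published config, since the job no longer carries its own default.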


@ -17,8 +17,6 @@ class CreatePostgresUserForTenant implements ShouldQueue
{ {
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels; use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public static array $permissions = ['ALL'];
/** /**
* Create a new job instance. * Create a new job instance.
* *
@ -59,7 +57,7 @@ class CreatePostgresUserForTenant implements ShouldQueue
foreach ($tenantModels as $model) { foreach ($tenantModels as $model) {
$table = $model->getTable(); $table = $model->getTable();
foreach (static::$permissions as $permission) { foreach (config('tenancy.rls.user_permissions') as $permission) {
$databaseManager->database()->statement("GRANT {$permission} ON {$table} TO \"{$userName}\""); $databaseManager->database()->statement("GRANT {$permission} ON {$table} TO \"{$userName}\"");
} }
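Review bot: The replaced loop header reads `config('tenancy.rls.user_permissions')` with no default, so an application whose published config predates this key gets `null` here; `foreach` over `null` raises a warning and the tenant user is granted nothing, whereas the removed static property always defaulted to `['ALL']`. I would keep that default as the fallback, `foreach (config('tenancy.rls.user_permissions', ['ALL']) as $permission) {`, or resolve the list once before the outer `foreach ($tenantModels as $model)` since it does not vary per model. Each value is also interpolated unquoted into the GRANT statement on the next line; the config is operator-controlled, but a one-time check that every entry is a known Postgres privilege keyword would turn a typo into a clear exception rather than a database error partway through the loop. The enclosing method starts and ends outside the hunk.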


@ -31,13 +31,12 @@ beforeEach(function () {
// Turn RLS scoping on // Turn RLS scoping on
config(['tenancy.rls.enabled' => false]); config(['tenancy.rls.enabled' => false]);
config(['tenancy.rls.model_directories' => [__DIR__ . '/Etc']]); config(['tenancy.rls.model_directories' => [__DIR__ . '/Etc']]);
config(['tenancy.rls.user_permissions' => ['ALL']]);
config(['tenancy.bootstrappers' => [PostgresRLSBootstrapper::class]]); config(['tenancy.bootstrappers' => [PostgresRLSBootstrapper::class]]);
config(['database.connections.' . $centralConnection => config('database.connections.pgsql')]); config(['database.connections.' . $centralConnection => config('database.connections.pgsql')]);
config(['tenancy.models.tenant_key_column' => 'tenant_id']); config(['tenancy.models.tenant_key_column' => 'tenant_id']);
config(['tenancy.models.tenant' => $tenantClass = Tenant::class]); config(['tenancy.models.tenant' => $tenantClass = Tenant::class]);
CreatePostgresUserForTenant::$permissions = ['ALL'];
$tenantModel = new $tenantClass; $tenantModel = new $tenantClass;
$primaryModel = new Post; $primaryModel = new Post;
$secondaryModel = new ScopedComment; $secondaryModel = new ScopedComment;
@ -218,14 +217,14 @@ test('queries are correctly scoped using RLS', function() {
}); });
test('users created by CreatePostgresUserForTenant are only granted the permissions specified in the static property', function() { test('users created by CreatePostgresUserForTenant are only granted the permissions specified in the static property', function() {
CreatePostgresUserForTenant::$permissions = ['INSERT', 'SELECT', 'UPDATE']; config(['tenancy.rls.user_permissions' => ['INSERT', 'SELECT', 'UPDATE']]);
$tenant = Tenant::create(); $tenant = Tenant::create();
$name = $tenant->getTenantKey(); $name = $tenant->getTenantKey();
CreatePostgresUserForTenant::dispatchSync($tenant); CreatePostgresUserForTenant::dispatchSync($tenant);
$grants = array_map(fn (object $grant) => $grant->privilege_type, DB::select("SELECT * FROM information_schema.role_table_grants WHERE grantee = '$name';")); $grants = array_map(fn (object $grant) => $grant->privilege_type, DB::select("SELECT * FROM information_schema.role_table_grants WHERE grantee = '$name';"));
expect($grants)->toContain(...CreatePostgresUserForTenant::$permissions) expect($grants)->toContain(...config('tenancy.rls.user_permissions'))
->not()->toContain('DELETE'); ->not()->toContain('DELETE');
}); });
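Review bot: The test name on the first line of the second hunk still says "specified in the static property", but this commit removes that property and the test now sets the list through `config()`. I would rename it to `test('users created by CreatePostgresUserForTenant are only granted the permissions specified in the config', function() {`. The expectation also re-reads `config('tenancy.rls.user_permissions')` for its expected values; asserting the literal `['INSERT', 'SELECT', 'UPDATE']` would make the assertion independent of the setup line and easier to read. The closure body is fully inside the hunk; the `beforeEach` in the first hunk begins before the hunk starts.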