Postgres RLS + permission controlled database managers (#33)

This PR adds Postgres RLS (trait manager + table manager approach) and permission controlled managers for PostgreSQL. --------- Co-authored-by: lukinovec <lukinovec@gmail.com> Co-authored-by: PHP CS Fixer <phpcsfixer@example.com>
2025-12-12 11:14:04 +00:00 · 2024-04-24 22:32:49 +02:00 · 2024-04-24 22:32:49 +02:00 · 7317d2638a
commit 7317d2638a
parent 34297d3e1a
39 changed files with 2511 additions and 112 deletions
--- a/assets/config.php
+++ b/assets/config.php
@ -162,6 +162,8 @@ return [
        // Integration bootstrappers
        // Bootstrappers\Integrations\FortifyRouteBootstrapper::class,
        // Bootstrappers\Integrations\ScoutPrefixBootstrapper::class,
+
+        // Bootstrappers\PostgresRLSBootstrapper::class,
    ],

    /**
@ -215,6 +217,35 @@ return [
        'drop_tenant_databases_on_migrate_fresh' => false,
    ],

+    /**
+     * Requires PostgreSQL with single-database tenancy.
+     */
+    'rls' => [
+        /**
+         * The RLS manager responsible for generating queries for creating policies.
+         *
+         * @see Stancl\Tenancy\RLS\PolicyManagers\TableRLSManager
+         * @see Stancl\Tenancy\RLS\PolicyManagers\TraitRLSManager
+         */
+        'manager' => Stancl\Tenancy\RLS\PolicyManagers\TableRLSManager::class,
+
+        /**
+         * Credentials for the tenant database user (one user for *all* tenants, not for each tenant).
+         */
+        'user' => [
+            'username' => env('TENANCY_RLS_USERNAME'),
+            'password' => env('TENANCY_RLS_PASSWORD'),
+        ],
+
+        /**
+         * Postgres session variable used to store the current tenant key.
+         *
+         * The variable name has to include a namespace – for example, 'my.'.
+         * The namespace is required because the global one is reserved for the server configuration
+         */
+        'session_variable_name' => 'my.current_tenant',
+    ],
+
    /**
     * Cache tenancy config. Used by the CacheTenancyBootstrapper, the CacheTagsBootstrapper, and the custom CacheManager.
     *
--- a/assets/migrations/2019_09_15_000020_create_domains_table.php
+++ b/assets/migrations/2019_09_15_000020_create_domains_table.php
@ -2,10 +2,10 @@

 declare(strict_types=1);

-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;
 use Stancl\Tenancy\Tenancy;
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;

 return new class extends Migration
 {
@ -19,7 +19,7 @@ return new class extends Migration
        Schema::create('domains', function (Blueprint $table) {
            $table->increments('id');
            $table->string('domain', 255)->unique();
-            $table->string(Tenancy::tenantKeyColumn());
+            $table->string(Tenancy::tenantKeyColumn())->comment('no-rls');

            $table->timestamps();
            $table->foreign(Tenancy::tenantKeyColumn())->references('id')->on('tenants')->onUpdate('cascade');