Postgres RLS + permission controlled database managers (#33)

This PR adds Postgres RLS (trait manager + table manager approach) and permission controlled managers for PostgreSQL. --------- Co-authored-by: lukinovec <lukinovec@gmail.com> Co-authored-by: PHP CS Fixer <phpcsfixer@example.com>
2026-03-23 19:24:02 +00:00 · 2024-04-24 22:32:49 +02:00 · 2024-04-24 22:32:49 +02:00 · 7317d2638a
commit 7317d2638a
parent 34297d3e1a
39 changed files with 2511 additions and 112 deletions
--- a/src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLDatabaseManager.php
@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Stancl\Tenancy\Database\TenantDatabaseManagers;
+
+use Stancl\Tenancy\Database\Concerns\CreatesDatabaseUsers;
+use Stancl\Tenancy\Database\Concerns\ManagesPostgresUsers;
+use Stancl\Tenancy\Database\Contracts\ManagesDatabaseUsers;
+use Stancl\Tenancy\Database\DatabaseConfig;
+
+class PermissionControlledPostgreSQLDatabaseManager extends PostgreSQLDatabaseManager implements ManagesDatabaseUsers
+{
+    use CreatesDatabaseUsers, ManagesPostgresUsers;
+
+    protected function grantPermissions(DatabaseConfig $databaseConfig): bool
+    {
+        // Tenant DB config
+        $database = $databaseConfig->getName();
+        $username = $databaseConfig->getUsername();
+        $schema = $databaseConfig->connection()['search_path'];
+
+        // Host config
+        $connectionName = $this->database()->getConfig('name');
+        $centralDatabase = $this->database()->getConfig('database');
+
+        $this->database()->statement("GRANT CONNECT ON DATABASE \"{$database}\" TO \"{$username}\"");
+
+        // Connect to tenant database
+        config(["database.connections.{$connectionName}.database" => $database]);
+
+        $this->database()->reconnect();
+
+        // Grant permissions to create and use tables in the configured schema ("public" by default) to the user
+        $this->database()->statement("GRANT USAGE, CREATE ON SCHEMA {$schema} TO \"{$username}\"");
+
+        // Grant permissions to use sequences in the current schema to the user
+        $this->database()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA {$schema} TO \"{$username}\"");
+
+        // Reconnect to central database
+        config(["database.connections.{$connectionName}.database" => $centralDatabase]);
+
+        $this->database()->reconnect();
+
+        return true;
+    }
+}