Migration: add privileges and policies on nodes_nodes table

alembic/versions/492ab1373f8d_add_privileges_on_nodes_nodes_table.py

+"""Add privileges on nodes_nodes table
+
+Revision ID: 492ab1373f8d
+Revises: cceddcb46e27
+Create Date: 2018-03-28 19:41:26.148413
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from gargantext.util.alembic import ReplaceableObject
+
+
+# revision identifiers, used by Alembic.
+revision = '492ab1373f8d'
+down_revision = 'cceddcb46e27'
+branch_labels = None
+depends_on = None
+
+
+grants = [
+    # Basic privileges for gargantext role
+    ('SELECT ON nodes_nodes', 'gargantext'),
+    ('UPDATE (node1_id, node2_id) ON nodes_nodes', 'gargantext'),
+    ('INSERT ON nodes_nodes', 'gargantext'),
+    ('DELETE ON nodes_nodes', 'gargantext'),
+]
+
+
+is_owner = "COALESCE(current_user_id() = (SELECT user_id FROM nodes n WHERE n.id = nodes_nodes.node1_id), FALSE)"
+owner_related_select_policy = ReplaceableObject("owner_related_select", "nodes_nodes", "FOR SELECT USING (%s)" % is_owner)
+owner_related_update_policy = ReplaceableObject("owner_related_update", "nodes_nodes", "FOR UPDATE USING (%s)" % is_owner)
+owner_related_insert_policy = ReplaceableObject("owner_related_insert", "nodes_nodes", "FOR INSERT WITH CHECK (%s)" % is_owner)
+owner_related_delete_policy = ReplaceableObject("owner_related_delete", "nodes_nodes", "FOR DELETE USING (%s)" % is_owner)
+policies = [owner_related_select_policy,
+            owner_related_update_policy,
+            owner_related_insert_policy,
+            owner_related_delete_policy]
+
+
+def upgrade():
+    for grant in grants:
+        op.execute('GRANT {} TO {}'.format(*grant))
+
+    op.execute("ALTER TABLE nodes_nodes ENABLE ROW LEVEL SECURITY")
+
+    for policy in policies:
+        op.create_policy(policy)
+
+
+def downgrade():
+    for policy in policies:
+        op.drop_policy(policy)
+
+    op.execute("ALTER TABLE nodes_nodes DISABLE ROW LEVEL SECURITY")
+
+    for grant in grants:
+        op.execute('REVOKE {} FROM {}'.format(*grant))