Revert "Allow CREATE ROLE even if database is not around yet"
This reverts commit d3d316a.
stevschmid committed Mar 26, 2024
1 parent 638205e commit 7672270
Showing 2 changed files with 24 additions and 39 deletions.
1 change: 1 addition & 0 deletions .github/workflows/rls.yml
@@ -39,6 +39,7 @@ jobs:
- name: Setup database
working-directory: ./spec/dummy
run: |
bundle exec rake db:create
bundle exec rake rls:create_role
bundle exec rake db:prepare
62 changes: 23 additions & 39 deletions lib/tasks/rls.rake
@@ -34,52 +34,36 @@ namespace :rls do

task create_role: :environment do
RLS.without_rls do
# Make sure query can be executed even if database in database.yml is not around yet
ActiveRecord::Base.configurations.configs_for(env_name: Rails.env).each do |config|
config = config.configuration_hash.merge(database: 'postgres', schema_search_path: 'public')
ActiveRecord::Base.establish_connection(config)

ActiveRecord::Base.connection.execute <<~SQL
DO $$
BEGIN
CREATE ROLE "#{RLS.role}" WITH NOLOGIN;
EXCEPTION
WHEN DUPLICATE_OBJECT THEN
RAISE NOTICE 'Role "#{RLS.role}" already exists';
END
$$;
GRANT ALL ON ALL TABLES IN SCHEMA public TO "#{RLS.role}";
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO "#{RLS.role}";
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "#{RLS.role}";
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO "#{RLS.role}";
SQL

ActiveRecord::Base.connection.disconnect!
end
RLS.connection.execute <<~SQL
DO $$
BEGIN
CREATE ROLE "#{RLS.role}" WITH NOLOGIN;
EXCEPTION
WHEN DUPLICATE_OBJECT THEN
RAISE NOTICE 'Role "#{RLS.role}" already exists';
END
$$;
GRANT ALL ON ALL TABLES IN SCHEMA public TO "#{RLS.role}";
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO "#{RLS.role}";
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "#{RLS.role}";
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO "#{RLS.role}";
SQL

puts "Role #{RLS.role} created"
end
end

task drop_role: :environment do
RLS.without_rls do
# Make sure query can be executed even if database in database.yml is not around yet
ActiveRecord::Base.configurations.configs_for(env_name: Rails.env).each do |config|
config = config.configuration_hash.merge(database: 'postgres', schema_search_path: 'public')
ActiveRecord::Base.establish_connection(config)

ActiveRecord::Base.connection.execute <<~SQL
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM "#{RLS.role}";
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM "#{RLS.role}";
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "#{RLS.role}";
REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM "#{RLS.role}";
DROP OWNED BY "#{RLS.role}";
DROP ROLE "#{RLS.role}";
SQL

ActiveRecord::Base.connection.disconnect!
end
RLS.connection.execute <<~SQL
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM "#{RLS.role}";
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM "#{RLS.role}";
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "#{RLS.role}";
REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM "#{RLS.role}";
DROP OWNED BY "#{RLS.role}";
DROP ROLE "#{RLS.role}";
SQL

puts "Role #{RLS.role} dropped"
end
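Review bot: `GRANT ALL ON ALL TABLES` and the matching `ALTER DEFAULT PRIVILEGES ... GRANT ALL ON TABLES` in create_role give the RLS role TRUNCATE, REFERENCES and TRIGGER in addition to row-level DML, and PostgreSQL does not apply row security policies to whole-table operations such as TRUNCATE. If the role only needs row access, the two table grants could read `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "#{RLS.role}";` and `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "#{RLS.role}";`; whether callers depend on the wider set is not visible here. The role name is also interpolated unescaped into both the quoted identifier and the `RAISE NOTICE` string literal, so a comment stating that `RLS.role` must come from trusted configuration would help. The drop_role task's closing `end` lies outside the hunk.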