2023-07-31 12:18:17 +00:00
|
|
|
-- Test campsite_type
|
|
|
|
set client_min_messages to warning;
|
|
|
|
create extension if not exists pgtap;
|
|
|
|
reset client_min_messages;
|
|
|
|
|
|
|
|
begin;
|
|
|
|
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
select plan(62);
|
2023-07-31 12:18:17 +00:00
|
|
|
|
|
|
|
set search_path to camper, public;
|
|
|
|
|
|
|
|
select has_table('campsite_type');
|
|
|
|
select has_pk('campsite_type' );
|
2023-08-08 17:52:27 +00:00
|
|
|
select table_privs_are('campsite_type', 'guest', array['SELECT']);
|
2023-07-31 12:18:17 +00:00
|
|
|
select table_privs_are('campsite_type', 'employee', array['SELECT']);
|
|
|
|
select table_privs_are('campsite_type', 'admin', array['SELECT', 'INSERT', 'UPDATE', 'DELETE']);
|
|
|
|
select table_privs_are('campsite_type', 'authenticator', array[]::text[]);
|
|
|
|
|
|
|
|
select has_sequence('campsite_type_campsite_type_id_seq');
|
|
|
|
select sequence_privs_are('campsite_type_campsite_type_id_seq', 'guest', array[]::text[]);
|
|
|
|
select sequence_privs_are('campsite_type_campsite_type_id_seq', 'employee', array[]::text[]);
|
|
|
|
select sequence_privs_are('campsite_type_campsite_type_id_seq', 'admin', array['USAGE']);
|
|
|
|
select sequence_privs_are('campsite_type_campsite_type_id_seq', 'authenticator', array[]::text[]);
|
|
|
|
|
|
|
|
select has_column('campsite_type', 'campsite_type_id');
|
|
|
|
select col_is_pk('campsite_type', 'campsite_type_id');
|
|
|
|
select col_type_is('campsite_type', 'campsite_type_id', 'integer');
|
|
|
|
select col_not_null('campsite_type', 'campsite_type_id');
|
|
|
|
select col_has_default('campsite_type', 'campsite_type_id');
|
|
|
|
select col_default_is('campsite_type', 'campsite_type_id', 'nextval(''campsite_type_campsite_type_id_seq''::regclass)');
|
|
|
|
|
|
|
|
select has_column('campsite_type', 'company_id');
|
|
|
|
select col_is_fk('campsite_type', 'company_id');
|
|
|
|
select fk_ok('campsite_type', 'company_id', 'company', 'company_id');
|
|
|
|
select col_type_is('campsite_type', 'company_id', 'integer');
|
|
|
|
select col_not_null('campsite_type', 'company_id');
|
|
|
|
select col_hasnt_default('campsite_type', 'company_id');
|
|
|
|
|
|
|
|
select has_column('campsite_type', 'slug');
|
|
|
|
select col_is_unique('campsite_type', 'slug');
|
|
|
|
select col_type_is('campsite_type', 'slug', 'uuid');
|
|
|
|
select col_not_null('campsite_type', 'slug');
|
|
|
|
select col_has_default('campsite_type', 'slug');
|
|
|
|
select col_default_is('campsite_type', 'slug', 'gen_random_uuid()');
|
|
|
|
|
|
|
|
select has_column('campsite_type', 'name');
|
|
|
|
select col_type_is('campsite_type', 'name', 'text');
|
|
|
|
select col_not_null('campsite_type', 'name');
|
|
|
|
select col_hasnt_default('campsite_type', 'name');
|
|
|
|
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
select has_column('campsite_type', 'media_id');
|
|
|
|
select col_is_fk('campsite_type', 'media_id');
|
|
|
|
select fk_ok('campsite_type', 'media_id', 'media', 'media_id');
|
|
|
|
select col_type_is('campsite_type', 'media_id', 'integer');
|
|
|
|
select col_not_null('campsite_type', 'media_id');
|
|
|
|
select col_hasnt_default('campsite_type', 'media_id');
|
|
|
|
|
2023-07-31 12:18:17 +00:00
|
|
|
select has_column('campsite_type', 'description');
|
|
|
|
select col_type_is('campsite_type', 'description', 'xml');
|
|
|
|
select col_not_null('campsite_type', 'description');
|
|
|
|
select col_has_default('campsite_type', 'description');
|
|
|
|
--select col_default_is('campsite_type', 'description', '');
|
|
|
|
|
|
|
|
select has_column('campsite_type', 'active');
|
|
|
|
select col_type_is('campsite_type', 'active', 'boolean');
|
|
|
|
select col_not_null('campsite_type', 'active');
|
|
|
|
select col_has_default('campsite_type', 'active');
|
|
|
|
select col_default_is('campsite_type', 'active', 'true');
|
|
|
|
|
|
|
|
|
|
|
|
set client_min_messages to warning;
|
|
|
|
truncate campsite_type cascade;
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
truncate media cascade;
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
truncate company_host cascade;
|
2023-07-31 12:18:17 +00:00
|
|
|
truncate company_user cascade;
|
|
|
|
truncate company cascade;
|
|
|
|
truncate auth."user" cascade;
|
|
|
|
reset client_min_messages;
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
insert into auth."user" (user_id, email, name, password, cookie, cookie_expires_at)
|
|
|
|
values (1, 'demo@tandem.blog', 'Demo', 'test', '44facbb30d8a419dfd4bfbc44a4b5539d4970148dfc84bed0e', current_timestamp + interval '1 month')
|
|
|
|
, (5, 'admin@tandem.blog', 'Demo', 'test', '12af4c88b528c2ad4222e3740496ecbc58e76e26f087657524', current_timestamp + interval '1 month')
|
2023-07-31 12:18:17 +00:00
|
|
|
;
|
|
|
|
|
|
|
|
insert into company (company_id, business_name, vatin, trade_name, phone, email, web, address, city, province, postal_code, country_code, currency_code, default_lang_tag)
|
|
|
|
values (2, 'Company 2', 'XX123', '', '555-555-555', 'a@a', '', '', '', '', '', 'ES', 'EUR', 'ca')
|
|
|
|
, (4, 'Company 4', 'XX234', '', '666-666-666', 'b@b', '', '', '', '', '', 'FR', 'USD', 'ca')
|
|
|
|
;
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
insert into company_user (company_id, user_id, role)
|
|
|
|
values (2, 1, 'admin')
|
|
|
|
, (4, 5, 'admin')
|
|
|
|
;
|
|
|
|
|
|
|
|
insert into company_host (company_id, host)
|
|
|
|
values (2, 'co2')
|
|
|
|
, (4, 'co4')
|
2023-07-31 12:18:17 +00:00
|
|
|
;
|
|
|
|
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
insert into media (media_id, company_id, original_filename, media_type, content)
|
|
|
|
values (6, 2, 'cover2.xpm', 'image/x-xpixmap', 'static char *s[]={"1 1 1 1","a c #ffffff","a"};')
|
|
|
|
, (8, 4, 'cover4.xpm', 'image/x-xpixmap', 'static char *s[]={"1 1 1 1","a c #ffffff","a"};')
|
|
|
|
;
|
|
|
|
|
|
|
|
insert into campsite_type (company_id, name, media_id)
|
|
|
|
values (2, 'Wooden lodge', 6)
|
|
|
|
, (4, 'Bungalow', 8)
|
2023-07-31 12:18:17 +00:00
|
|
|
;
|
|
|
|
|
|
|
|
prepare campsite_type_data as
|
|
|
|
select company_id, name
|
|
|
|
from campsite_type
|
|
|
|
order by company_id, name;
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
set role guest;
|
|
|
|
select bag_eq(
|
|
|
|
'campsite_type_data',
|
|
|
|
$$ values (2, 'Wooden lodge')
|
|
|
|
, (4, 'Bungalow')
|
|
|
|
$$,
|
|
|
|
'Everyone should be able to list all campsite types across all companies'
|
|
|
|
);
|
2023-07-31 12:18:17 +00:00
|
|
|
reset role;
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
select set_cookie('44facbb30d8a419dfd4bfbc44a4b5539d4970148dfc84bed0e/demo@tandem.blog', 'co2');
|
|
|
|
|
|
|
|
select lives_ok(
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
$$ insert into campsite_type(company_id, name, media_id) values (2, 'Another type', 6) $$,
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
'Admin from company 2 should be able to insert a new campsite type to that company.'
|
|
|
|
);
|
|
|
|
|
2023-07-31 12:18:17 +00:00
|
|
|
select bag_eq(
|
|
|
|
'campsite_type_data',
|
|
|
|
$$ values (2, 'Wooden lodge')
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
, (2, 'Another type')
|
|
|
|
, (4, 'Bungalow')
|
2023-07-31 12:18:17 +00:00
|
|
|
$$,
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
'The new row should have been added'
|
|
|
|
);
|
|
|
|
|
|
|
|
select lives_ok(
|
|
|
|
$$ update campsite_type set name = 'Another' where company_id = 2 and name = 'Another type' $$,
|
|
|
|
'Admin from company 2 should be able to update campsite type of that company.'
|
2023-07-31 12:18:17 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
select bag_eq(
|
|
|
|
'campsite_type_data',
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
$$ values (2, 'Wooden lodge')
|
|
|
|
, (2, 'Another')
|
|
|
|
, (4, 'Bungalow')
|
2023-07-31 12:18:17 +00:00
|
|
|
$$,
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
'The row should have been updated.'
|
|
|
|
);
|
|
|
|
|
|
|
|
select lives_ok(
|
|
|
|
$$ delete from campsite_type where company_id = 2 and name = 'Another' $$,
|
|
|
|
'Admin from company 2 should be able to delete campsite type from that company.'
|
|
|
|
);
|
|
|
|
|
|
|
|
select bag_eq(
|
|
|
|
'campsite_type_data',
|
|
|
|
$$ values (2, 'Wooden lodge')
|
|
|
|
, (4, 'Bungalow')
|
|
|
|
$$,
|
|
|
|
'The row should have been deleted.'
|
2023-07-31 12:18:17 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
select throws_ok(
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
$$ insert into campsite_type (company_id, name, media_id) values (4, 'Another type', 6) $$,
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
'42501', 'new row violates row-level security policy for table "campsite_type"',
|
|
|
|
'Admin from company 2 should NOT be able to insert new campsite types to company 4.'
|
|
|
|
);
|
|
|
|
|
|
|
|
select lives_ok(
|
|
|
|
$$ update campsite_type set name = 'Nope' where company_id = 4 $$,
|
|
|
|
'Admin from company 2 should not be able to update new campsite types of company 4, but no error if company_id is not changed.'
|
|
|
|
);
|
|
|
|
|
|
|
|
select bag_eq(
|
2023-07-31 12:18:17 +00:00
|
|
|
'campsite_type_data',
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
$$ values (2, 'Wooden lodge')
|
|
|
|
, (4, 'Bungalow')
|
|
|
|
$$,
|
|
|
|
'No row should have been changed.'
|
2023-07-31 12:18:17 +00:00
|
|
|
);
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
select throws_ok(
|
|
|
|
$$ update campsite_type set company_id = 4 where company_id = 2 $$,
|
|
|
|
'42501', 'new row violates row-level security policy for table "campsite_type"',
|
|
|
|
'Admin from company 2 should NOT be able to move campsite types to company 4'
|
|
|
|
);
|
|
|
|
|
|
|
|
select lives_ok(
|
|
|
|
$$ delete from campsite_type where company_id = 4 $$,
|
|
|
|
'Admin from company 2 should NOT be able to delete campsite types from company 4, but not error is thrown'
|
|
|
|
);
|
|
|
|
|
|
|
|
select bag_eq(
|
|
|
|
'campsite_type_data',
|
|
|
|
$$ values (2, 'Wooden lodge')
|
|
|
|
, (4, 'Bungalow')
|
2023-07-31 12:18:17 +00:00
|
|
|
$$,
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
'No row should have been changed'
|
2023-07-31 12:18:17 +00:00
|
|
|
);
|
|
|
|
|
2023-08-08 17:52:27 +00:00
|
|
|
select throws_ok(
|
Add cover media to campsite types
This is the image that is shown at the home page, and maybe other pages
in the future. We can not use a static file because this image can be
changed by the customer, not us; just like name and description.
I decided to keep the actual media content in the database, but to copy
this file out to the file system the first time it is accessed. This is
because we are going to replicate the database to a public instance that
must show exactly the same image, but the customer will update the image
from the private instance, behind a firewall. We could also synchronize
the folder where they upload the images, the same way we will replicate,
but i thought that i would make the whole thing a little more brittle:
this way if it can replicate the update of the media, it is impossible
to not have its contents; dumping it to a file is to improve subsequent
requests to the same media.
I use the hex representation of the media’s hash as the URL to the
resource, because PostgreSQL’s base64 is not URL save (i.e., it uses
RFC2045’s charset that includes the forward slash[0]), and i did not
feel necessary write a new function just to slightly reduce the URLs’
length.
Before checking if the file exists, i make sure that the given hash is
an hex string, like i do for UUID, otherwise any other check is going
to fail for sure. I moved out hex.Valid function from UUID to check for
valid hex values, but the actual hash check is inside app/media because
i doubt it will be used outside that module.
[0]: https://datatracker.ietf.org/doc/html/rfc2045#section-6.8
2023-09-10 01:04:18 +00:00
|
|
|
$$ insert into campsite_type (company_id, name, media_id) values (2, ' ', 6) $$,
|
2023-08-08 17:52:27 +00:00
|
|
|
'23514', 'new row for relation "campsite_type" violates check constraint "name_not_empty"',
|
|
|
|
'Should not be able to insert campsite types with a blank name.'
|
|
|
|
);
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
reset role;
|
|
|
|
|
2023-07-31 12:18:17 +00:00
|
|
|
|
|
|
|
select *
|
|
|
|
from finish();
|
|
|
|
|
|
|
|
rollback;
|
|
|
|
|