From 5a63af25f96eca700cd282963da2719ae1f7e2ea Mon Sep 17 00:00:00 2001
From: Hongbo Wu
Date: Fri, 21 Jun 2024 11:42:36 +0800
Subject: [PATCH] Alter omnivore_admin role to prevent omnivore_admin to be inherited by app_user or omnivore_user

---
 .../0183.do.alter_omnivore_admin_role.sql | 36 +++++++++++++++++++
 .../0183.undo.alter_omnivore_admin_role.sql | 31 ++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100755 packages/db/migrations/0183.do.alter_omnivore_admin_role.sql
 create mode 100755 packages/db/migrations/0183.undo.alter_omnivore_admin_role.sql

diff --git a/packages/db/migrations/0183.do.alter_omnivore_admin_role.sql b/packages/db/migrations/0183.do.alter_omnivore_admin_role.sql
new file mode 100755
index 000000000..5a87699eb
--- /dev/null
+++ b/packages/db/migrations/0183.do.alter_omnivore_admin_role.sql
@@ -0,0 +1,36 @@
+-- Type: DO
+-- Name: alter_omnivore_admin_role
+-- Description: Alter omnivore_admin role to prevent omnivore_admin to be inherited by app_user or omnivore_user
+
+BEGIN;
+
+DROP POLICY user_admin_policy ON omnivore.user;
+
+REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA omnivore from omnivore_admin;
+REVOKE ALL PRIVILEGES ON SCHEMA omnivore from omnivore_admin;
+
+DROP OWNED BY omnivore_admin;
+
+DROP ROLE omnivore_admin;
+
+CREATE ROLE omnivore_admin;
+
+GRANT USAGE ON SCHEMA omnivore TO omnivore_admin;
+
+ALTER ROLE omnivore_user NOINHERIT; -- This is to prevent omnivore_user from inheriting omnivore_admin role
+
+GRANT omnivore_admin TO omnivore_user; -- This is to allow app_user to set omnivore_admin role
+
+GRANT SELECT, INSERT, UPDATE, DELETE ON omnivore.user TO omnivore_admin;
+CREATE POLICY user_admin_policy on omnivore.user
+ FOR ALL
+ TO omnivore_admin
+ USING (true);
+
+GRANT SELECT, INSERT, UPDATE, DELETE ON omnivore.library_item TO omnivore_admin;
+CREATE POLICY library_item_admin_policy ON omnivore.library_item
+ FOR ALL
+ TO omnivore_admin
+ USING (true);
+
+COMMIT;
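Review bot: The inline comment on `GRANT omnivore_admin TO omnivore_user;` says it is there to let app_user set the role, but the grantee is omnivore_user; either the comment or the grantee is wrong, and if app_user only reaches omnivore_admin through membership in omnivore_user, that chain should be written down rather than implied. `ALTER ROLE omnivore_user NOINHERIT` is a role-wide attribute: it stops omnivore_user from inheriting the privileges of every role it belongs to, not only omnivore_admin, so any other memberships that role holds need checking; if the target is PostgreSQL 16 or newer, the per-membership form `GRANT omnivore_admin TO omnivore_user WITH INHERIT FALSE;` scopes the change to this one grant. Because the membership still permits `SET ROLE omnivore_admin`, the two `USING (true)` policies are gated only by when the application chooses to switch role, so the header comment should state that NOINHERIT limits ambient privilege rather than acting as a hard boundary. Minor style: `from` on the two REVOKE lines and `on` on the first CREATE POLICY line (and the undo file's CREATE POLICY) are lowercase while the rest of both files is uppercase.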
diff --git a/packages/db/migrations/0183.undo.alter_omnivore_admin_role.sql b/packages/db/migrations/0183.undo.alter_omnivore_admin_role.sql
new file mode 100755
index 000000000..0b8c5fa6e
--- /dev/null
+++ b/packages/db/migrations/0183.undo.alter_omnivore_admin_role.sql
@@ -0,0 +1,31 @@
+-- Type: UNDO
+-- Name: alter_omnivore_admin_role
+-- Description: Alter omnivore_admin role to prevent omnivore_admin to be inherited by app_user or omnivore_user
+
+BEGIN;
+
+DROP POLICY library_item_admin_policy ON omnivore.library_item;
+REVOKE SELECT, INSERT, UPDATE, DELETE ON omnivore.library_item FROM omnivore_admin;
+
+DROP POLICY user_admin_policy ON omnivore.user;
+REVOKE SELECT, INSERT, UPDATE, DELETE ON omnivore.user FROM omnivore_admin;
+
+DROP OWNED BY omnivore_admin;
+
+DROP ROLE omnivore_admin;
+
+ALTER ROLE omnivore_user INHERIT;
+
+CREATE ROLE omnivore_admin;
+
+GRANT omnivore_admin TO app_user;
+
+GRANT ALL PRIVILEGES ON SCHEMA omnivore TO omnivore_admin;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA omnivore TO omnivore_admin;
+
+CREATE POLICY user_admin_policy on omnivore.user
+ FOR ALL
+ TO omnivore_admin
+ USING (true);
+
+COMMIT;
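Review bot: The `-- Description:` header of this undo file repeats the forward migration's wording, so the rollback reads as if it were the change itself; `-- Description: Revert 0183: restore omnivore_admin as an inherited member of app_user with ALL PRIVILEGES on schema omnivore` describes what the statements below actually do. `ALTER ROLE omnivore_user INHERIT` and `GRANT omnivore_admin TO app_user` assume the pre-0183 state had exactly those settings, which this file cannot show; a comment naming the earlier migration that created omnivore_admin would let a reviewer confirm the rollback is faithful, since an unconditional INHERIT could widen omnivore_user beyond where it started if it was already NOINHERIT for other reasons. `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA omnivore` only covers tables that exist at rollback time, which presumably matches the original grant but is worth a one-line note next to it.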