phonograph/interim-server/src/base_user_perms.rs

use std::collections::HashSet;

use anyhow::Result;
use interim_models::{base::Base, client::AppDbClient};
use interim_pgtypes::{
    client::BaseClient,
    pg_acl::PgPrivilegeType,
    pg_database::PgDatabase,
    pg_role::{PgRole, RoleTree, user_id_from_rolname},
};
use sqlx::query;
use uuid::Uuid;

pub struct BaseUserPerm {
    pub id: Uuid,
    pub base_id: Uuid,
    pub user_id: Uuid,
    pub perm: String,
}

pub async fn sync_perms_for_base(
    base_id: Uuid,
    app_db: &mut AppDbClient,
    base_client: &mut BaseClient,
) -> Result<()> {
    let db = PgDatabase::current().fetch_one(base_client).await?;
    let explicit_roles = PgRole::with_name_in(
        db.datacl
            .unwrap_or_default()
            .into_iter()
            .filter(|item| {
                item.privileges
                    .iter()
                    .any(|privilege| privilege.privilege == PgPrivilegeType::Connect)
            })
            .map(|item| item.grantee)
            .collect(),
    )
    .fetch_all(base_client)
    .await?;
    let mut all_roles: HashSet<PgRole> = HashSet::new();
    for explicit_role in explicit_roles {
        if let Some(role_tree) = RoleTree::members_of(explicit_role.oid)
            .fetch_tree(base_client)
            .await?
        {
            for implicit_role in role_tree.flatten_inherited() {
                all_roles.insert(implicit_role.clone());
            }
        }
    }
    let base = Base::with_id(base_id).fetch_one(app_db).await?;
    let user_ids: Vec<Uuid> = all_roles
        .iter()
        .filter_map(|role| user_id_from_rolname(&role.rolname, &base.user_role_prefix).ok())
        .collect();
    query!(
        "delete from base_user_perms where base_id = $1 and not (user_id = any($2))",
        base_id,
        user_ids.as_slice(),
    )
    .execute(app_db.get_conn())
    .await?;
    for user_id in user_ids {
        query!(
            "
insert into base_user_perms
    (id, base_id, user_id, perm)
values ($1, $2, $3, 'connect')
on conflict (base_id, user_id, perm) do nothing
",
            Uuid::now_v7(),
            base.id,
            user_id
        )
        .execute(app_db.get_conn())
        .await?;
    }
    Ok(())
}
sqlx etc 2025-05-26 22:08:21 -07:00			`use std::collections::HashSet;`

refactor db clients 2025-08-04 13:59:42 -07:00			`use anyhow::Result;`
			`use interim_models::{base::Base, client::AppDbClient};`
implement basic record editing 2025-07-08 16:54:51 -07:00			`use interim_pgtypes::{`
refactor db clients 2025-08-04 13:59:42 -07:00			`client::BaseClient,`
implement basic record editing 2025-07-08 16:54:51 -07:00			`pg_acl::PgPrivilegeType,`
			`pg_database::PgDatabase,`
			`pg_role::{PgRole, RoleTree, user_id_from_rolname},`
			`};`
refactor db clients 2025-08-04 13:59:42 -07:00			`use sqlx::query;`
sqlx etc 2025-05-26 22:08:21 -07:00			`use uuid::Uuid;`

			`pub struct BaseUserPerm {`
			`pub id: Uuid,`
			`pub base_id: Uuid,`
			`pub user_id: Uuid,`
			`pub perm: String,`
			`}`

			`pub async fn sync_perms_for_base(`
			`base_id: Uuid,`
refactor db clients 2025-08-04 13:59:42 -07:00			`app_db: &mut AppDbClient,`
			`base_client: &mut BaseClient,`
sqlx etc 2025-05-26 22:08:21 -07:00			`) -> Result<()> {`
refactor db clients 2025-08-04 13:59:42 -07:00			`let db = PgDatabase::current().fetch_one(base_client).await?;`
			`let explicit_roles = PgRole::with_name_in(`
sqlx etc 2025-05-26 22:08:21 -07:00			`db.datacl`
refactor db clients 2025-08-04 13:59:42 -07:00			`.unwrap_or_default()`
sqlx etc 2025-05-26 22:08:21 -07:00			`.into_iter()`
			`.filter(\|item\| {`
			`item.privileges`
			`.iter()`
			`.any(\|privilege\| privilege.privilege == PgPrivilegeType::Connect)`
			`})`
			`.map(\|item\| item.grantee)`
			`.collect(),`
			`)`
refactor db clients 2025-08-04 13:59:42 -07:00			`.fetch_all(base_client)`
sqlx etc 2025-05-26 22:08:21 -07:00			`.await?;`
			`let mut all_roles: HashSet<PgRole> = HashSet::new();`
			`for explicit_role in explicit_roles {`
refactor db clients 2025-08-04 13:59:42 -07:00			`if let Some(role_tree) = RoleTree::members_of(explicit_role.oid)`
			`.fetch_tree(base_client)`
			`.await?`
			`{`
sqlx etc 2025-05-26 22:08:21 -07:00			`for implicit_role in role_tree.flatten_inherited() {`
			`all_roles.insert(implicit_role.clone());`
			`}`
			`}`
			`}`
refactor db clients 2025-08-04 13:59:42 -07:00			`let base = Base::with_id(base_id).fetch_one(app_db).await?;`
sqlx etc 2025-05-26 22:08:21 -07:00			`let user_ids: Vec<Uuid> = all_roles`
			`.iter()`
			`.filter_map(\|role\| user_id_from_rolname(&role.rolname, &base.user_role_prefix).ok())`
			`.collect();`
			`query!(`
			`"delete from base_user_perms where base_id = $1 and not (user_id = any($2))",`
			`base_id,`
			`user_ids.as_slice(),`
			`)`
refactor db clients 2025-08-04 13:59:42 -07:00			`.execute(app_db.get_conn())`
sqlx etc 2025-05-26 22:08:21 -07:00			`.await?;`
			`for user_id in user_ids {`
			`query!(`
			`"`
			`insert into base_user_perms`
			`(id, base_id, user_id, perm)`
			`values ($1, $2, $3, 'connect')`
			`on conflict (base_id, user_id, perm) do nothing`
			`",`
			`Uuid::now_v7(),`
			`base.id,`
			`user_id`
			`)`
refactor db clients 2025-08-04 13:59:42 -07:00			`.execute(app_db.get_conn())`
sqlx etc 2025-05-26 22:08:21 -07:00			`.await?;`
			`}`
			`Ok(())`
			`}`