I'm a newbie to sql and am trying to follow this example here: http://net.tutsplus.com/tutorials/php/a-better-login-system/
So gist of the problem is,
permissions that allow access to resourcesroles that can have multiple permissionsusers that may have multiple roles and multiple permissionsThe db tables are listed as follows:
permission role user role_permissions user_roles and user_permissions
And here is the code to create the tables:
CREATE TABLE "permission" (
"id" SERIAL PRIMARY KEY,
"permission_key" VARCHAR(32) NOT NULL UNIQUE,
"permission_name" VARCHAR(32) NOT NULL);
CREATE TABLE "role" (
"id" SERIAL PRIMARY KEY,
"role_name" varchar(32) NOT NULL);
CREATE TABLE "role_permissions" (
"id" SERIAL PRIMARY KEY,
"role_id" INTEGER NOT NULL,
"permission_id" INTEGER NOT NULL,
"value" BOOLEAN NOT NULL DEFAULT FALSE,
"created_date" DATE NOT NULL,
UNIQUE ("role_id","permission_id"));
CREATE TABLE "user" (
"id" SERIAL PRIMARY KEY,
"username" VARCHAR(32) UNIQUE);
CREATE TABLE "user_permissions" (
"id" SERIAL PRIMARY KEY,
"user_id" INTEGER NOT NULL,
"permission_id" INTEGER NOT NULL,
"value" BOOLEAN NOT NULL DEFAULT FALSE,
"created_date" DATE NOT NULL,
UNIQUE ("user_id","permission_id"));
CREATE TABLE "user_roles" (
"id" SERIAL PRIMARY KEY,
"user_id" INTEGER NOT NULL,
"role_id" INTEGER NOT NULL,
"created_date" DATE NOT NULL,
UNIQUE ("user_id", "role_id"));
I want to be able to write the following in an sql statement:
"Find me all PERMISSIONS that are available for a ROLE whose NAME is ________"
"Find me all PERMISSIONS that are available for a USER whose NAME is ________"
I know that I can use IDs to match everything, but I want to use names instead because it just makes more sense for me to think "find me all the permissions for user x"
Also, with the second question, please note that a user can get permissions via 2 ways:
User > Role > Permission
User > Permission
I would prefer to get the results in a single statement for brevity.
Also, if anyone knows how to translate that to a Korma query, I would be ever so grateful.
I had to make some choices. if there are both a user and a role permission, the user permission is applicable. I replaced the user and role by zuser and zrole, because they are reserved words in postgres, and I don't like quoting. The query is not very easthetic in its current form but it seems to work. The data is fictuous.
DROP SCHEMA tmp CASCADE;
CREATE SCHEMA tmp ;
SET search_path='tmp';
CREATE TABLE permission
( id SERIAL PRIMARY KEY
, permission_key VARCHAR(32) NOT NULL UNIQUE
, permission_name VARCHAR(32) NOT NULL
);
INSERT INTO permission(id,permission_key, permission_name) VALUES
(1, 'Eat', 'Eat' ) , (2, 'Drink', 'Drink' )
,(3, 'Shit', 'Shit' ) , (4, 'Urinate', 'Urinate' )
;
CREATE TABLE zrole
( id SERIAL PRIMARY KEY
, role_name varchar(32) NOT NULL
);
INSERT INTO zrole(id, role_name) VALUES
(1, 'Manager'), (2, 'Employee'), (3, 'Client') , (4, 'Visitor')
;
CREATE TABLE zuser
( id SERIAL PRIMARY KEY
, username VARCHAR(32) UNIQUE
);
INSERT INTO zuser(id, username) VALUES
(1, 'Jan Kees de Jager'), (2, 'Wildplasser'), (3, 'Joop') , (4, 'Mina')
;
CREATE TABLE role_permissions
( id SERIAL PRIMARY KEY
, role_id INTEGER NOT NULL REFERENCES zrole(id)
, permission_id INTEGER NOT NULL REFERENCES permission(id)
, created_date DATE NOT NULL
, value BOOLEAN NOT NULL DEFAULT FALSE
, UNIQUE (role_id,permission_id)
);
INSERT INTO role_permissions( id, role_id, permission_id, created_date, value) VALUES
(1,1,1, '2012-01-01', True )
,(2,1,2, '2012-01-01', False )
,(3,2,2, '2012-01-01', True )
,(4,2,3, '2012-01-01', False )
,(5,2,4, '2012-01-01', True )
,(6,3,2, '2012-01-01', True )
,(7,3,3, '2012-01-01', True )
,(8,3,4, '2012-01-01', True )
,(9,4,2, '2012-01-01', True )
,(10,4,3, '2012-01-01', True )
,(11,4,4, '2012-01-01', True )
;
CREATE TABLE user_permissions
( id SERIAL PRIMARY KEY
, user_id INTEGER NOT NULL REFERENCES zuser(id)
, permission_id INTEGER NOT NULL REFERENCES permission(id)
, created_date DATE NOT NULL
, value BOOLEAN NOT NULL DEFAULT FALSE
, UNIQUE (user_id,permission_id)
);
INSERT INTO user_permissions( id, user_id, permission_id, created_date, value) VALUES
(1,1,1, '2012-01-01', False )
,(2,1,2, '2012-01-01', False )
,(3,2,2, '2012-01-01', True )
,(4,3,2, '2012-01-01', True )
,(5,4,1, '2012-01-01', True )
;
CREATE TABLE user_roles
( id SERIAL PRIMARY KEY
, user_id INTEGER NOT NULL REFERENCES zuser(id)
, role_id INTEGER NOT NULL REFERENCES zrole(id)
, created_date DATE NOT NULL
, UNIQUE (user_id, role_id)
);
INSERT INTO user_roles (id, user_id, role_id, created_date) VALUES
(1,1,1, '2010-01-01' )
,(2,2,2, '2010-01-01' )
,(3,3,4, '2010-01-01' )
,(4,4,3, '2010-01-01' )
-- uncomment the next line to add a duplicate role
-- ,(5,2,4, '2010-01-01' )
;
WITH lutser AS (
SELECT up.user_id AS user_id
, up.permission_id AS permission_id
, up.value AS uval
FROM user_permissions up
)
, roler AS (
SELECT
ur.user_id AS user_id
, rp.permission_id AS permission_id
, rp.value AS rval
FROM user_roles ur
JOIN role_permissions rp ON rp.role_id = ur.role_id
)
SELECT us.username
, pe.permission_name
, pe.id AS permission_id
, lu.uval AS uval
, ro.rval AS rval
, COALESCE(lu.uval , ro.rval) AS tval
FROM lutser lu
FULL JOIN roler ro ON ro.user_id = lu.user_id
AND ro.permission_id = lu.permission_id
JOIN zuser us ON us.id = COALESCE(lu.user_id ,ro.user_id)
JOIN permission pe ON pe.id = COALESCE(ro.permission_id , lu.permission_id)
;
Result:
username | permission_name | permission_id | uval | rval | tval
-------------------+-----------------+---------------+------+------+------
Jan Kees de Jager | Eat | 1 | f | t | f
Jan Kees de Jager | Drink | 2 | f | f | f
Wildplasser | Drink | 2 | t | t | t
Wildplasser | Shit | 3 | | f | f
Wildplasser | Urinate | 4 | | t | t
Joop | Drink | 2 | t | t | t
Joop | Shit | 3 | | t | t
Joop | Urinate | 4 | | t | t
Mina | Eat | 1 | t | | t
Mina | Drink | 2 | | t | t
Mina | Shit | 3 | | t | t
Mina | Urinate | 4 | | t | t
(12 rows)
BTW: the above query is still not correct. If a user belongs to more than one role, the query would produce multiple rows for that user. There needs to be added distinct/max() to the role subquery.
UPDATE: to solve the duplicate roles per person problems, I created this double nested CTE:
WITH lutser AS (
WITH aggr AS (
WITH rope AS (
SELECT DISTINCT
ur.user_id AS user_id
, rp.permission_id AS permission_id
, rp.value AS value
FROM user_roles ur
JOIN role_permissions rp ON rp.role_id = ur.role_id
GROUP BY ur.user_id , rp.permission_id , rp.value
)
SELECT user_id,permission_id, value
FROM rope yes
WHERE yes.value = True
UNION ALL
SELECT user_id,permission_id, value
FROM rope nono
WHERE nono.value = False
AND NOT EXISTS (SELECT * FROM rope nx
WHERE nx.user_id= nono.user_id
AND nx.permission_id= nono.permission_id
AND nx.value = True
)
)
SELECT COALESCE(up.user_id , ag.user_id) AS user_id
, COALESCE(up.permission_id , ag.permission_id) AS permission_id
, up.value AS uval
, ag.value AS rval
FROM user_permissions up
FULL JOIN aggr ag ON ag.user_id = up.user_id AND ag.permission_id = up.permission_id
)
SELECT us.username
, pe.permission_name
, lu.uval AS uval
, lu.rval AS rval
, COALESCE(lu.uval , lu.rval) AS tval
FROM lutser lu
JOIN zuser us ON us.id = lu.user_id
JOIN permission pe ON pe.id = lu.permission_id
;
Its functioning can be shown by adding / uncommenting the data row ,(5,2,4, '2010-01-01' ) to the user_role table. Again, I had to make a choice: if two roles exist for a user, with conflicting truth-values, the True one wins. I think the query can be simplified / beautified, but at least it works correctly now.