1

I'm a newbie to sql and am trying to follow this example here: http://net.tutsplus.com/tutorials/php/a-better-login-system/

So gist of the problem is,

  1. There are permissions that allow access to resources
  2. There are roles that can have multiple permissions
  3. There are users that may have multiple roles and multiple permissions

The db tables are listed as follows:

permission role user role_permissions user_roles and user_permissions

And here is the code to create the tables:

CREATE TABLE "permission" (
    "id" SERIAL PRIMARY KEY,
    "permission_key" VARCHAR(32) NOT NULL UNIQUE,
    "permission_name" VARCHAR(32) NOT NULL);

CREATE TABLE "role" (
    "id" SERIAL PRIMARY KEY,
    "role_name" varchar(32) NOT NULL);

CREATE TABLE "role_permissions" (
    "id" SERIAL PRIMARY KEY,
    "role_id" INTEGER NOT NULL,
    "permission_id" INTEGER  NOT NULL,
    "value"  BOOLEAN NOT NULL DEFAULT FALSE,
    "created_date" DATE NOT NULL, 
    UNIQUE ("role_id","permission_id"));

CREATE TABLE "user" (
    "id" SERIAL PRIMARY KEY,
    "username" VARCHAR(32) UNIQUE);

CREATE TABLE "user_permissions" (
    "id" SERIAL PRIMARY KEY,
    "user_id" INTEGER NOT NULL,
    "permission_id" INTEGER  NOT NULL,
    "value"  BOOLEAN NOT NULL DEFAULT FALSE,
    "created_date" DATE NOT NULL, 
    UNIQUE ("user_id","permission_id"));

CREATE TABLE "user_roles" (
    "id" SERIAL PRIMARY KEY,
    "user_id" INTEGER NOT NULL,
    "role_id" INTEGER NOT NULL,
    "created_date" DATE NOT NULL, 
    UNIQUE ("user_id", "role_id"));

My question is:

I want to be able to write the following in an sql statement:

  1. "Find me all PERMISSIONS that are available for a ROLE whose NAME is ________"

  2. "Find me all PERMISSIONS that are available for a USER whose NAME is ________"

I know that I can use IDs to match everything, but I want to use names instead because it just makes more sense for me to think "find me all the permissions for user x"

Also, with the second question, please note that a user can get permissions via 2 ways:

User > Role > Permission
User > Permission

I would prefer to get the results in a single statement for brevity.

Also, if anyone knows how to translate that to a Korma query, I would be ever so grateful.

wildplasser
  • 43,142
  • 8
  • 66
  • 109
zcaudate
  • 13,998
  • 7
  • 64
  • 124
  • You need to add the foreign key constrants to the tables's definitions. What is `NAME` in your question, username,rolename,permission name? And IMHO you could omit the boolean "value" fields; false could be implied by a non-existing row. – wildplasser Jun 23 '12 at 15:07
  • Also: how should conflicting permissions be handled? (the Role-path may yield True, while the User-path yields False. (or any of them could be absent) – wildplasser Jun 23 '12 at 15:18
  • yep.. your answer is how I would have specified it – zcaudate Jun 24 '12 at 02:57

1 Answers1

1

I had to make some choices. if there are both a user and a role permission, the user permission is applicable. I replaced the user and role by zuser and zrole, because they are reserved words in postgres, and I don't like quoting. The query is not very easthetic in its current form but it seems to work. The data is fictuous.

DROP SCHEMA tmp CASCADE;
CREATE SCHEMA tmp ;
SET search_path='tmp';


CREATE TABLE permission
    ( id SERIAL PRIMARY KEY
    , permission_key VARCHAR(32) NOT NULL UNIQUE
    , permission_name VARCHAR(32) NOT NULL
    );
INSERT INTO permission(id,permission_key, permission_name) VALUES
 (1, 'Eat', 'Eat' ) , (2, 'Drink', 'Drink' )
 ,(3, 'Shit', 'Shit' ) , (4, 'Urinate', 'Urinate' )
    ;

CREATE TABLE zrole
    ( id SERIAL PRIMARY KEY
    , role_name varchar(32) NOT NULL
    );
INSERT INTO zrole(id, role_name) VALUES
  (1, 'Manager'), (2, 'Employee'), (3, 'Client') , (4, 'Visitor')
    ;

CREATE TABLE zuser
    ( id SERIAL PRIMARY KEY
    , username VARCHAR(32) UNIQUE
    );
INSERT INTO zuser(id, username) VALUES
  (1, 'Jan Kees de Jager'), (2, 'Wildplasser'), (3, 'Joop') , (4, 'Mina')
    ;

CREATE TABLE role_permissions
    ( id SERIAL PRIMARY KEY
    , role_id INTEGER NOT NULL REFERENCES zrole(id)
    , permission_id INTEGER  NOT NULL REFERENCES permission(id)
    , created_date DATE NOT NULL
    , value  BOOLEAN NOT NULL DEFAULT FALSE
    , UNIQUE (role_id,permission_id)
    );
INSERT INTO role_permissions( id, role_id, permission_id, created_date, value) VALUES
 (1,1,1, '2012-01-01', True )
,(2,1,2, '2012-01-01', False )
,(3,2,2, '2012-01-01', True )
,(4,2,3, '2012-01-01', False )
,(5,2,4, '2012-01-01', True )
,(6,3,2, '2012-01-01', True )
,(7,3,3, '2012-01-01', True )
,(8,3,4, '2012-01-01', True )
,(9,4,2, '2012-01-01', True )
,(10,4,3, '2012-01-01', True )
,(11,4,4, '2012-01-01', True )
    ;
CREATE TABLE user_permissions
    ( id SERIAL PRIMARY KEY
    , user_id INTEGER NOT NULL REFERENCES zuser(id)
    , permission_id INTEGER  NOT NULL REFERENCES permission(id)
    , created_date DATE NOT NULL
    , value  BOOLEAN NOT NULL DEFAULT FALSE
    , UNIQUE (user_id,permission_id)
    );

INSERT INTO user_permissions( id, user_id, permission_id, created_date, value) VALUES
 (1,1,1, '2012-01-01', False )
,(2,1,2, '2012-01-01', False )
,(3,2,2, '2012-01-01', True )
,(4,3,2, '2012-01-01', True )
,(5,4,1, '2012-01-01', True )
    ;

CREATE TABLE user_roles
    ( id SERIAL PRIMARY KEY
    , user_id INTEGER NOT NULL REFERENCES zuser(id)
    , role_id INTEGER NOT NULL REFERENCES zrole(id)
    , created_date DATE NOT NULL
    , UNIQUE (user_id, role_id)
    );

INSERT INTO user_roles (id, user_id, role_id, created_date) VALUES
 (1,1,1, '2010-01-01' )
,(2,2,2, '2010-01-01' )
,(3,3,4, '2010-01-01' )
,(4,4,3, '2010-01-01' )
-- uncomment the next line to add a duplicate role
-- ,(5,2,4, '2010-01-01' )

    ;

WITH lutser AS (
    SELECT up.user_id AS user_id
    , up.permission_id AS permission_id
    , up.value AS uval
    FROM user_permissions up
    )
, roler AS (
    SELECT
    ur.user_id AS user_id
    , rp.permission_id AS permission_id
    , rp.value AS rval
    FROM user_roles ur
    JOIN role_permissions rp ON rp.role_id = ur.role_id
    )
SELECT us.username
    , pe.permission_name
    , pe.id AS permission_id
    , lu.uval AS uval
    , ro.rval AS rval
    , COALESCE(lu.uval , ro.rval) AS tval
FROM lutser lu
FULL JOIN roler ro ON ro.user_id = lu.user_id
        AND ro.permission_id = lu.permission_id
JOIN zuser us ON us.id = COALESCE(lu.user_id ,ro.user_id)
JOIN permission pe ON pe.id = COALESCE(ro.permission_id , lu.permission_id)
    ;

Result:

     username      | permission_name | permission_id | uval | rval | tval 
-------------------+-----------------+---------------+------+------+------
 Jan Kees de Jager | Eat             |             1 | f    | t    | f
 Jan Kees de Jager | Drink           |             2 | f    | f    | f
 Wildplasser       | Drink           |             2 | t    | t    | t
 Wildplasser       | Shit            |             3 |      | f    | f
 Wildplasser       | Urinate         |             4 |      | t    | t
 Joop              | Drink           |             2 | t    | t    | t
 Joop              | Shit            |             3 |      | t    | t
 Joop              | Urinate         |             4 |      | t    | t
 Mina              | Eat             |             1 | t    |      | t
 Mina              | Drink           |             2 |      | t    | t
 Mina              | Shit            |             3 |      | t    | t
 Mina              | Urinate         |             4 |      | t    | t
(12 rows)

BTW: the above query is still not correct. If a user belongs to more than one role, the query would produce multiple rows for that user. There needs to be added distinct/max() to the role subquery.

UPDATE: to solve the duplicate roles per person problems, I created this double nested CTE:

WITH lutser AS (
    WITH aggr AS (
        WITH rope AS (
            SELECT DISTINCT
            ur.user_id AS user_id
            , rp.permission_id AS permission_id
            , rp.value AS value
            FROM user_roles ur
            JOIN role_permissions rp ON rp.role_id = ur.role_id
            GROUP BY ur.user_id , rp.permission_id , rp.value
            )
        SELECT user_id,permission_id, value
        FROM rope yes
        WHERE yes.value = True
        UNION ALL
        SELECT user_id,permission_id, value
        FROM rope nono
        WHERE nono.value = False
        AND NOT EXISTS (SELECT * FROM rope nx
                WHERE nx.user_id= nono.user_id
                AND nx.permission_id= nono.permission_id
                AND nx.value = True
                )
        )
    SELECT COALESCE(up.user_id , ag.user_id) AS user_id
    , COALESCE(up.permission_id , ag.permission_id) AS permission_id
    , up.value AS uval
    , ag.value AS rval
    FROM user_permissions up
    FULL JOIN aggr ag ON ag.user_id = up.user_id AND ag.permission_id = up.permission_id
    )
SELECT us.username
    , pe.permission_name
    , lu.uval AS uval
    , lu.rval AS rval
    , COALESCE(lu.uval , lu.rval) AS tval
FROM lutser lu
JOIN zuser us ON us.id = lu.user_id
JOIN permission pe ON pe.id = lu.permission_id
    ;

Its functioning can be shown by adding / uncommenting the data row ,(5,2,4, '2010-01-01' ) to the user_role table. Again, I had to make a choice: if two roles exist for a user, with conflicting truth-values, the True one wins. I think the query can be simplified / beautified, but at least it works correctly now.

wildplasser
  • 43,142
  • 8
  • 66
  • 109