Add public profile by column security

Now the row `lastactive` is only accessible by the admin.
The public profile is accessed everywhere and in the admin view
the whole profile is queried.

For the me() function, we have to output a valid ctfnote.profile
but we can't access the `lastactive` column, so we replace it with
NULL by default. This fixes the problem we faced in the row wise
security model.

Author: JJ-8

api/migrations/42-add-last-active.sql

@@ -1,48 +1,9 @@
 ALTER TABLE ctfnote.profile
 ADD COLUMN "lastactive" timestamptz NOT NULL DEFAULT CURRENT_TIMESTAMP;
 
---- Security
-DROP POLICY select_profile ON ctfnote.profile;
-CREATE POLICY select_profile_admin ON ctfnote.profile
-  FOR SELECT TO user_admin
-    USING (TRUE);
-  
-CREATE POLICY select_profile ON ctfnote.profile
-  FOR SELECT TO user_guest
-    USING (id = ctfnote_private.user_id ());
-
-CREATE OR REPLACE VIEW ctfnote.public_profile AS 
-SELECT 
-  "ctfnote"."profile"."id" as id,
-  "ctfnote"."profile"."description",
-  "ctfnote"."profile"."color",
-  "ctfnote"."profile"."username",
-  "ctfnote_private"."user"."role",
-  CONCAT('profile-', "ctfnote"."profile"."id") as node_id
-FROM ctfnote.profile
-INNER JOIN "ctfnote_private"."user" ON "ctfnote_private"."user"."id" = "ctfnote"."profile"."id"
-ORDER BY id;
-
-GRANT SELECT on ctfnote.public_profile TO user_guest;
-
-CREATE OR REPLACE FUNCTION ctfnote_private.notify_profile_edit ()
-  RETURNS TRIGGER
-  AS $$
-BEGIN
-  CASE TG_OP
-  WHEN 'INSERT' THEN
-    PERFORM
-      ctfnote_private.notify ('created', 'profiles', NEW.id); RETURN NEW;
-  WHEN 'UPDATE' THEN
-    PERFORM
-      ctfnote_private.notify ('update', 'public_profiles', NEW.id); RETURN NEW;
-  WHEN 'DELETE' THEN
-    PERFORM
-      ctfnote_private.notify ('deleted', 'profiles', OLD.id); RETURN OLD;
-  END CASE;
-END
-$$ VOLATILE
-LANGUAGE plpgsql;
+--- Security - Column wise
+GRANT SELECT (id, color, username, description) on ctfnote.profile TO user_guest;
+GRANT SELECT (id, color, username, description, lastactive) on ctfnote.profile TO user_admin;
 
 /* UpdateLastActive */
 CREATE FUNCTION ctfnote.update_last_active ()
@@ -56,15 +17,17 @@ CREATE FUNCTION ctfnote.update_last_active ()
 $$
 LANGUAGE plpgsql VOLATILE
 SECURITY DEFINER;
-GRANT EXECUTE ON FUNCTION ctfnote.update_last_active () TO user_guest;
 
+GRANT EXECUTE ON FUNCTION ctfnote.update_last_active () TO user_guest;
 
+--- Update me() function to not include lastactive but still return a ctfnote.profile
+DROP FUNCTION ctfnote.me();
 CREATE OR REPLACE FUNCTION ctfnote.me ()  
   RETURNS ctfnote.profile
   AS $$
   SELECT ctfnote.update_last_active();
   SELECT
-    *
+    id, color, username, description, COALESCE(lastactive, NULL)
   FROM
     ctfnote.profile
   WHERE
@@ -74,3 +37,20 @@ CREATE OR REPLACE FUNCTION ctfnote.me ()
 $$
 LANGUAGE SQL
 STRICT STABLE;
+
+GRANT EXECUTE ON FUNCTION ctfnote.me () TO user_anonymous;
+
+--- Update triggers
+DROP TRIGGER _500_gql_update_profile ON ctfnote.profile;
+
+CREATE TRIGGER _500_gql_update_profile
+  AFTER INSERT OR DELETE ON ctfnote.profile
+  FOR EACH ROW
+  EXECUTE PROCEDURE ctfnote_private.notify_profile_edit ();
+
+--- Exclude lastactive updates for update trigger
+CREATE TRIGGER _500_gql_update_profile_update
+  AFTER UPDATE ON ctfnote.profile
+  FOR EACH ROW
+  WHEN (OLD.lastactive = NEW.lastactive)
+  EXECUTE PROCEDURE ctfnote_private.notify_profile_edit ();