The code is data
Permissions can be organized in many ways. A simple approach is given first; it is appropriate for small installations with non-critical data. A formal structured method is also given. It is more appropriate for projects with multiple form developers, and projects requiring unique permissions for different users.
In order to use QZForms, a user needs read permissions on schema qz. For quasimodo:
GRANT SELECT ON ALL TABLES IN SCHEMA qz TO quasimodo;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA qz TO quasimodo;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA qz TO quasimodo;
A form developer will need to be able to update items in schema qz. The simplest way to accomplish this is to create the database with the form developer as the owner, then run the qz_db_install_SVn.sql script as this user. The developer then holds the needed permissions as the owner of all objects created.
Putting the tables and other objects into the public schema will avoid the need to grant permissions for each object created.
This scenario starts with the database superuser (created when PostgreSQL is installed and the database cluster is created with initdb) creating specific roles for users and form developers, and an assumable role for the DB admin. As the superuser, for database test4:
CREATE ROLE dbadmin NOINHERIT NOLOGIN;
-- Create the db owned by above
CREATE DATABASE test4 OWNER dbadmin;
-- Create roles to be assigned
CREATE ROLE qzdev NOINHERIT NOLOGIN;
CREATE ROLE qzuser NOINHERIT NOLOGIN;
-- Because noinherit, developers must become dbadmin
-- with set role, all db objects are owned by dbadmin.
GRANT ALL ON DATABASE test4 TO dbadmin WITH GRANT OPTION;
GRANT dbadmin TO qzdev;
-- Allow users to connect
GRANT CONNECT, TEMP ON DATABASE test4 TO qzdev;
GRANT CONNECT, TEMP ON DATABASE test4 TO qzuser;
-- Repeat these for users and developers
GRANT qzdev TO jk;
GRANT qzuser TO esmeralda;
GRANT qzuser TO quasimodo;
With the database and roles created, the next step can be done by the form developer.
SET ROLE dbadmin;
-- Load the qzforms schema
-- Allow \d to show schema qz
SET search_path = "$user",public,qz;
-- Allow users to see into schema qz
GRANT USAGE ON SCHEMA qz TO qzuser,qzdev;
-- Allow things to work
GRANT SELECT ON ALL TABLES IN SCHEMA qz TO qzuser;
GRANT ALL ON ALL TABLES IN SCHEMA qz TO qzdev;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA qz TO qzuser;
GRANT ALL ON ALL SEQUENCES IN SCHEMA qz TO qzdev;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA qz TO qzuser,qzdev;
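The grants above cover only the objects that exist in schema qz when they are run. The following is an added example, not part of QZForms or its install script: it applies the same grants to objects dbadmin creates later and then audits the result, using only the role and schema names from this page.

```sql
-- Added example, not part of the QZForms distribution.
-- Role and schema names (dbadmin, qzuser, qzdev, qz) are the ones used above.
SET ROLE dbadmin;

-- GRANT ... ON ALL TABLES/SEQUENCES/FUNCTIONS only covers objects that exist
-- when it runs. Default privileges apply the same grants to objects that
-- dbadmin creates in schema qz later.
ALTER DEFAULT PRIVILEGES FOR ROLE dbadmin IN SCHEMA qz
    GRANT SELECT ON TABLES TO qzuser;
ALTER DEFAULT PRIVILEGES FOR ROLE dbadmin IN SCHEMA qz
    GRANT ALL ON TABLES TO qzdev;
ALTER DEFAULT PRIVILEGES FOR ROLE dbadmin IN SCHEMA qz
    GRANT USAGE, SELECT ON SEQUENCES TO qzuser;
ALTER DEFAULT PRIVILEGES FOR ROLE dbadmin IN SCHEMA qz
    GRANT ALL ON SEQUENCES TO qzdev;
ALTER DEFAULT PRIVILEGES FOR ROLE dbadmin IN SCHEMA qz
    GRANT EXECUTE ON FUNCTIONS TO qzuser, qzdev;

-- Audit 1: effective table privileges of each group role in schema qz.
-- Under the grants above, qzuser should show can_select only and
-- qzdev should show all four.
SELECT c.relname AS table_name,
       r.rolname AS role_name,
       has_table_privilege(r.oid, c.oid, 'SELECT') AS can_select,
       has_table_privilege(r.oid, c.oid, 'INSERT') AS can_insert,
       has_table_privilege(r.oid, c.oid, 'UPDATE') AS can_update,
       has_table_privilege(r.oid, c.oid, 'DELETE') AS can_delete
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 CROSS JOIN pg_roles r
 WHERE n.nspname = 'qz'
   AND c.relkind IN ('r', 'v')          -- ordinary tables and views
   AND r.rolname IN ('qzuser', 'qzdev')
 ORDER BY c.relname, r.rolname;

-- Audit 2: grants that break the intended split. Any row returned is a
-- finding: a grant to PUBLIC, or qzuser holding more than SELECT.
SELECT grantee, table_name, privilege_type
  FROM information_schema.table_privileges
 WHERE table_schema = 'qz'
   AND (grantee = 'PUBLIC'
        OR (grantee = 'qzuser' AND privilege_type <> 'SELECT'))
 ORDER BY table_name, grantee, privilege_type;
```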
A schema for data may be set up. By creating a schema instead of using the public schema, permissions are, by default, limited to just those explicitly granted. For example:
CREATE SCHEMA work;
GRANT USAGE ON SCHEMA work TO qzuser,qzdev;
CREATE TABLE work.list (
id SERIAL PRIMARY KEY,
GRANT SELECT, INSERT, UPDATE, DELETE, TRIGGER
ON TABLE work.list
There is a "main" menu that is different from other menus. If a user menu is specified, it will be substituted for the menu "main", allowing the form developer to control which forms the user can access.
Create a menu
Create a menu from the Form Development Menu, Menu Menu, All Menus. Click Insert,
- needs to conform to the pattern for a variable name, no symbols, whitespace, or funny characters, just an unbroken text string less than 63 bytes.
- The XML template will have some <div id="X"> tags with various ids in place of X. The menu goes into the div with the given id.
- Just some helpful text
Add menu items
Go back into the menu just created, then select "Menu Items".
- The menu item sequence is an integer and determines the order of each menu item. The record key is the menu name, sequence pair.
- The target form name is any existing form. Create the form before adding it to a menu.
- The action is any action the form supports, but some actions are more useful than others. Common choices are "list" for onetable forms, and "edit" for grid forms.
- The menu text is what appears on the menu button.
- Context parameters apply to forms in a form set. For simple forms, this should be left empty. Form sets allow the menu option to carry attributes from the current form to the form action specified. See form_sets.html.
Assign a user menu
From the Form Development Menu, Menu Menu, user menus, you may insert a user name and select a menu from those available. When the user logs in, the selected menu will be the one displayed across the top.