I am building an app in which I would like to restrict writing permissions according to roles in different ways, and I hope that you could share some insights into best practices.
Case 1
For some relation, a regular user is supposed to be able to see all rows, but only be able to change their own.
Solution 1.a
Should this be done by a trigger function like the following?
DECLARE
_school_id INTEGER;
BEGIN
SELECT (kus_lab_db.contact.school_id)
INTO _school_id
FROM {kus_lab_db}.[contact]
WHERE (kus_lab_db.contact.user_id) = instance.get_user_id();
IF OLD.(kus_lab_db.part.school_id) <> _school_id THEN
PERFORM instance.abort_show_message('Sie haben nicht die nötigen Rechte, um diesen Datensatz zu verändern.');
END IF;
RETURN NEW;
And if so, how can I allow the admin role to update all rows? There is the instance function has_role(), but I don't know how to get the UUID of the admin role.
Solution 1.b
I know that I can set writing permissions on data for every role. But with writing disabled, users of that role see the whole details form greyed out.
Case 2
A list form on some relation should be visible to all users, but only admins are supposed to be able to open the corresponding form to edit a row.
Solution 2.a
Would it be best to create one version of this list for regular users, and another one for admins?
Case 3
On a details form for some relation, users should be able to see all fields, but only admins are supposed to be able to change certain attributes.
Solution 3.a
I guess this should be done via states of fields. Or is there a better way?
Thanks a lot in advance.
