refactor: began refactoring access control in sql

sqlc/query.sql

@@ -280,7 +280,27 @@ SELECT profiles.* FROM profiles
 JOIN users ON users.id = profiles.user_id
 WHERE users.username = $1;
 
+;-- name: CheckProfileAccess :one
+-- XXX: recheck, was tired
+SELECT
+  CASE WHEN u.deleted OR NOT u.verified THEN TRUE ELSE FALSE END AS user_unavailable,
+  CASE WHEN EXISTS (
+      SELECT 1
+      FROM banned_users
+      WHERE user_id = u.id AND
+      pardoned IS FALSE AND
+      (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP)
+  ) THEN TRUE ELSE FALSE END AS user_banned, 
+  CASE WHEN ps.hide_profile_details THEN TRUE ELSE FALSE END AS hidden,
+  CASE WHEN ps.hide_for_unauthenticated AND @requester::text = '' THEN TRUE ELSE FALSE END AS auth_required,
+  CASE WHEN ps.captcha THEN TRUE ELSE FALSE END AS captcha_required
+FROM profiles p
+JOIN profile_settings ps ON ps.profile_id = p.id
+JOIN users u ON p.user_id = u.id
+WHERE p.id = $1;
+
 ;-- name: GetProfileByUsernameWithPrivacy :one
+-- FIXME: tweak backend code to handle privacy correctly
 SELECT
   u.username,
   p.name,
@@ -288,27 +308,13 @@ SELECT
   p.avatar_url,
   CASE WHEN ps.hide_birthday THEN NULL ELSE p.birthday END AS birthday,
   p.color,
-  p.color_grad,
-  NOT (@requester::text = '' AND ps.hide_for_unauthenticated) AS access_allowed
+  p.color_grad
 FROM
   users AS u
 JOIN profiles AS p ON u.id = p.user_id
 JOIN profile_settings AS ps ON p.id = ps.profile_id
 WHERE
-  u.username = @searched_username::text
-  AND (
-    @searched_username::text = @requester::text
-    OR
-    u.deleted IS FALSE
-    AND u.verified IS TRUE
-    AND NOT EXISTS (
-      SELECT 1
-      FROM banned_users
-      WHERE user_id = u.id AND
-      pardoned IS FALSE AND
-      (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP)
-    )
-  );
+  u.username = @searched_username::text;
 
 ;-- name: GetProfilesRestricted :many
 SELECT 
@@ -389,11 +395,23 @@ WHERE wl.guid = (@guid::text)::uuid;
 SELECT * FROM wish_lists wl
 WHERE wl.guid = (@guid::text)::uuid;
 
+;-- name: GetWishlistsByUsername :many
+SELECT * FROM wish_lists wl
+JOIN profiles p ON p.id = wl.profile_id
+JOIN users u ON u.id = p.user_id
+WHERE u.username = @username::text;
+
 -- name: GetWishlistsByUsernameWithPrivacy :many
+-- XXX: Obsolete, create according access check query instead
 SELECT 
   wl.*, 
   CASE 
-    WHEN (ps.hide_profile_details OR ps.hide_for_unauthenticated) THEN FALSE 
+    WHEN (
+      ps.hide_profile_details OR (
+        ps.hide_for_unauthenticated AND
+        @requester::text = ''
+      )
+    ) THEN FALSE 
     ELSE TRUE 
   END AS access_allowed
 FROM 
@@ -423,6 +441,25 @@ WHERE
 
 --: Wish Object {{{
 
+;-- name: CreateWish :one
+INSERT INTO wishes(
+  wish_list_id,
+  wish_list_guid,
+  name,
+  description,
+  picture_url,
+  stars)
+VALUES
+  (
+    (SELECT id FROM wish_lists wl WHERE wl.guid = (@wish_list_guid::text)::uuid),
+    (@wish_list_guid::text)::uuid,
+    @name::text,
+    @description::text,
+    @picture_url::text,
+    @stars::smallint
+  )
+RETURNING *;
+
 ;-- name: UpdateWishByGuid :exec
 UPDATE wishes w
 SET 
@@ -454,4 +491,37 @@ WITH updated AS (
 SELECT 
   COUNT(*) > 0 AS target_found
 FROM updated;
+
+;-- name: GetWishByGuid :one
+SELECT * FROM wishes w
+WHERE w.guid = (@guid::text)::uuid;
+
+;-- name: GetWishByGuidWithPrivacy :one
+-- XXX: Obsolete, create according access check query instead
+SELECT 
+  w.*,
+  CASE 
+    WHEN 
+      (
+        @requester::text = u.username OR
+        NOT ps.hide_profile_details AND 
+        NOT
+          (
+            ps.hide_for_unauthenticated AND
+            @requester::text = ''
+          ) AND
+        NOT wl.hidden
+      )
+    THEN TRUE 
+    ELSE FALSE
+  END AS access_allowed
+FROM wishes w
+JOIN wish_lists wl ON w.wish_list_id = wl.id
+JOIN profiles p ON wl.profile_id = p.id
+JOIN profile_settings ps ON ps.profile_id = p.id
+JOIN users u ON p.user_id = u.id
+WHERE
+  w.guid = (@guid::text)::uuid AND
+  w.deleted IS FALSE;
+
 --: }}}