fix #430

Author: mevdschee

README.md

@@ -681,6 +681,18 @@ Then the server will return a '422' HTTP status code and nice error message:
 
 You can parse this output to make form fields show up with a red border and their appropriate error message.
 
+### Multi Tenancy support
+
+You may use the "multiTenancy" middleware when you have a multi-tenant database. 
+If your tenants are identified by the "customer_id" column you can use the following handler:
+
+    'multiTenancy.handler' => function ($operation, $tableName) {
+        return ['customer_id' => 12];
+    },
+
+This construct adds a filter requiring "customer_id" to be "12" to every operation (except for "create").
+It also sets the column "customer_id" on "create" to "12" and removes the column from any other write operation.
+
 ## OpenAPI specification
 
 On the "/openapi" end-point the OpenAPI 3.0 (formerly called "Swagger") specification is served. 

src/Tqdev/PhpCrudApi/Api.php

@@ -15,6 +15,7 @@
 use Tqdev\PhpCrudApi\Middleware\CorsMiddleware;
 use Tqdev\PhpCrudApi\Middleware\FirewallMiddleware;
 use Tqdev\PhpCrudApi\Middleware\JwtAuthMiddleware;
+use Tqdev\PhpCrudApi\Middleware\MultiTenancyMiddleware;
 use Tqdev\PhpCrudApi\Middleware\Router\SimpleRouter;
 use Tqdev\PhpCrudApi\Middleware\SanitationMiddleware;
 use Tqdev\PhpCrudApi\Middleware\ValidationMiddleware;
@@ -62,6 +63,9 @@ public function __construct(Config $config)
                 case 'sanitation':
                     new SanitationMiddleware($router, $responder, $properties, $reflection);
                     break;
+                case 'multiTenancy':
+                    new MultiTenancyMiddleware($router, $responder, $properties, $reflection);
+                    break;
                 case 'authorization':
                     new AuthorizationMiddleware($router, $responder, $properties, $reflection);
                     break;

src/Tqdev/PhpCrudApi/Column/ReflectionService.php

@@ -88,8 +88,4 @@ public function removeTable(String $tableName): bool
         return $this->database->removeTable($tableName);
     }
 
-    public function removeColumn(String $tableName, String $columnName): bool
-    {
-        return $this->getTable($tableName)->removeColumn($columnName);
-    }
 }

src/Tqdev/PhpCrudApi/Database/GenericDB.php

@@ -3,7 +3,6 @@
 
 use Tqdev\PhpCrudApi\Column\Reflection\ReflectedTable;
 use Tqdev\PhpCrudApi\Middleware\Communication\VariableStore;
-use Tqdev\PhpCrudApi\Record\Condition\AndCondition;
 use Tqdev\PhpCrudApi\Record\Condition\ColumnCondition;
 use Tqdev\PhpCrudApi\Record\Condition\Condition;
 
@@ -98,10 +97,17 @@ public function definition(): GenericDefinition
         return $this->definition;
     }
 
-    private function addAuthorizationCondition(String $tableName, Condition $condition2): Condition
+    private function addMiddlewareConditions(String $tableName, Condition $condition): Condition
     {
         $condition1 = VariableStore::get("authorization.conditions.$tableName");
-        return $condition1 ? AndCondition::fromArray([$condition1, $condition2]) : $condition2;
+        if ($condition1) {
+            $condition = $condition->_and($condition1);
+        }
+        $condition2 = VariableStore::get("multiTenancy.conditions.$tableName");
+        if ($condition2) {
+            $condition = $condition->_and($condition2);
+        }
+        return $condition;
     }
 
     public function createSingle(ReflectedTable $table, array $columnValues) /*: ?String*/
@@ -131,7 +137,7 @@ public function selectSingle(ReflectedTable $table, array $columnNames, String $
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT ' . $selectColumns . ' FROM "' . $tableName . '" ' . $whereClause;
@@ -153,7 +159,7 @@ public function selectMultiple(ReflectedTable $table, array $columnNames, array
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'in', implode(',', $ids));
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT ' . $selectColumns . ' FROM "' . $tableName . '" ' . $whereClause;
@@ -166,7 +172,7 @@ public function selectMultiple(ReflectedTable $table, array $columnNames, array
     public function selectCount(ReflectedTable $table, Condition $condition): int
     {
         $tableName = $table->getName();
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT COUNT(*) FROM "' . $tableName . '"' . $whereClause;
@@ -178,7 +184,7 @@ public function selectAllUnordered(ReflectedTable $table, array $columnNames, Co
     {
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'SELECT ' . $selectColumns . ' FROM "' . $tableName . '"' . $whereClause;
@@ -195,7 +201,7 @@ public function selectAll(ReflectedTable $table, array $columnNames, Condition $
         }
         $selectColumns = $this->columns->getSelect($table, $columnNames);
         $tableName = $table->getName();
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $orderBy = $this->columns->getOrderBy($table, $columnOrdering);
@@ -216,7 +222,7 @@ public function updateSingle(ReflectedTable $table, array $columnValues, String
         $updateColumns = $this->columns->getUpdate($table, $columnValues);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array_values($columnValues);
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'UPDATE "' . $tableName . '" SET ' . $updateColumns . $whereClause;
@@ -228,7 +234,7 @@ public function deleteSingle(ReflectedTable $table, String $id)
     {
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array();
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'DELETE FROM "' . $tableName . '" ' . $whereClause;
@@ -245,7 +251,7 @@ public function incrementSingle(ReflectedTable $table, array $columnValues, Stri
         $updateColumns = $this->columns->getIncrement($table, $columnValues);
         $tableName = $table->getName();
         $condition = new ColumnCondition($table->getPk(), 'eq', $id);
-        $condition = $this->addAuthorizationCondition($tableName, $condition);
+        $condition = $this->addMiddlewareConditions($tableName, $condition);
         $parameters = array_values($columnValues);
         $whereClause = $this->conditions->getWhereClause($condition, $parameters);
         $sql = 'UPDATE "' . $tableName . '" SET ' . $updateColumns . $whereClause;

src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php

@@ -30,7 +30,7 @@ private function handleColumns(String $operation, String $tableName) /*: void*/
             foreach ($table->columnNames() as $columnName) {
                 $allowed = call_user_func($columnHandler, $operation, $tableName, $columnName);
                 if (!$allowed) {
-                    $this->reflection->removeColumn($tableName, $columnName);
+                    $table->removeColumn($columnName);
                 }
             }
         }

tests/config/base.php

@@ -4,7 +4,7 @@
     'username' => 'php-crud-api',
     'password' => 'php-crud-api',
     'controllers' => 'records,columns,cache,openapi',
-    'middlewares' => 'cors,jwtAuth,basicAuth,authorization,validation,sanitation',
+    'middlewares' => 'cors,jwtAuth,basicAuth,authorization,validation,sanitation,multiTenancy',
     'jwtAuth.time' => '1538207605',
     'jwtAuth.secret' => 'axpIrCGNGqxzx2R9dtXLIPUSqPo778uhb8CA0F4Hx',
     'basicAuth.passwordFile' => __DIR__ . DIRECTORY_SEPARATOR . '.htpasswd',
@@ -23,5 +23,8 @@
     'validation.handler' => function ($operation, $tableName, $column, $value, $context) {
         return ($column['name'] == 'post_id' && !is_numeric($value)) ? 'must be numeric' : true;
     },
+    'multiTenancy.handler' => function ($operation, $tableName) {
+        return ($tableName == 'kunsthåndværk') ? ['user_id' => 1] : [];
+    },
     'debug' => true,
 ];

tests/fixtures/blog_mysql.sql

@@ -152,13 +152,16 @@ DROP TABLE IF EXISTS `kunsthåndværk`;
 CREATE TABLE `kunsthåndværk` (
   `id` varchar(36) NOT NULL,
   `Umlauts ä_ö_ü-COUNT` int(11) NOT NULL,
+  `user_id` int(11) NOT NULL,
   `invisible` varchar(36),
   PRIMARY KEY (`id`),
-  CONSTRAINT `kunsthåndværk_Umlauts ä_ö_ü-COUNT_fkey` UNIQUE (`Umlauts ä_ö_ü-COUNT`)
+  CONSTRAINT `kunsthåndværk_Umlauts ä_ö_ü-COUNT_fkey` UNIQUE (`Umlauts ä_ö_ü-COUNT`),
+  CONSTRAINT `kunsthåndværk_user_id_fkey` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
-INSERT INTO `kunsthåndværk` (`id`, `Umlauts ä_ö_ü-COUNT`, `invisible`) VALUES
-('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, NULL);
+INSERT INTO `kunsthåndværk` (`id`, `Umlauts ä_ö_ü-COUNT`, `user_id`, `invisible`) VALUES
+('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, 1, NULL),
+('e31ecfe6-591f-4660-9fbd-1a232083037f', 2, 2, NULL);
 
 DROP TABLE IF EXISTS `invisibles`;
 CREATE TABLE `invisibles` (

tests/fixtures/blog_pgsql.sql

@@ -159,6 +159,7 @@ CREATE TABLE barcodes (
 CREATE TABLE "kunsthåndværk" (
   id character varying(36) NOT NULL,
   "Umlauts ä_ö_ü-COUNT" integer NOT NULL,
+  user_id integer NOT NULL,
   invisible character varying(36)
 );
 
@@ -263,8 +264,9 @@ INSERT INTO "barcodes" ("product_id", "hex", "bin") VALUES
 -- Data for Name: kunsthåndværk; Type: TABLE DATA; Schema: public; Owner: postgres
 --
 
-INSERT INTO "kunsthåndværk" ("id", "Umlauts ä_ö_ü-COUNT", "invisible") VALUES
-('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, NULL);
+INSERT INTO "kunsthåndværk" ("id", "Umlauts ä_ö_ü-COUNT", "user_id", "invisible") VALUES
+('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, 1, NULL),
+('e31ecfe6-591f-4660-9fbd-1a232083037f', 2, 2, NULL);
 
 --
 -- Data for Name: invisibles; Type: TABLE DATA; Schema: public; Owner: postgres
@@ -429,6 +431,13 @@ CREATE INDEX barcodes_product_id_idx ON barcodes USING btree (product_id);
 CREATE INDEX "kunsthåndværk_Umlauts ä_ö_ü-COUNT_idx" ON "kunsthåndværk" USING btree ("Umlauts ä_ö_ü-COUNT");
 
 
+--
+-- Name: kunsthåndværk_user_id_idx; Type: INDEX; Schema: public; Owner: postgres; Tablespace:
+--
+
+CREATE INDEX "kunsthåndværk_user_id_idx" ON "kunsthåndværk" USING btree (user_id);
+
+
 --
 -- Name: comments_post_id_fkey; Type: FK CONSTRAINT; Schema: public; Owner: postgres
 --
@@ -484,6 +493,13 @@ ALTER TABLE ONLY barcodes
 ALTER TABLE ONLY "kunsthåndværk"
     ADD CONSTRAINT "kunsthåndværk_Umlauts ä_ö_ü-COUNT_uc" UNIQUE ("Umlauts ä_ö_ü-COUNT");
 
+--
+-- Name: kunsthåndværk_user_id_fkey; Type: FK CONSTRAINT; Schema: public; Owner: postgres
+--
+
+ALTER TABLE ONLY "kunsthåndværk"
+    ADD CONSTRAINT "kunsthåndværk_user_id_fkey" FOREIGN KEY (user_id) REFERENCES users(id);
+
 
 --
 -- PostgreSQL database dump complete

tests/fixtures/blog_sqlsrv.sql

@@ -224,6 +224,7 @@ GO
 CREATE TABLE [kunsthåndværk](
 	[id] [nvarchar](36),
 	[Umlauts ä_ö_ü-COUNT] [int] NOT NULL,
+	[user_id] [int] NOT NULL,
 	[invisible] [nvarchar](36),
 	CONSTRAINT [PK_kunsthåndværk]
 	PRIMARY KEY CLUSTERED([id] ASC)
@@ -294,7 +295,9 @@ GO
 INSERT [barcodes] ([product_id], [hex], [bin]) VALUES (1, N'00ff01', 0x00ff01)
 GO
 
-INSERT [kunsthåndværk] ([id], [Umlauts ä_ö_ü-COUNT], [invisible]) VALUES ('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, NULL)
+INSERT [kunsthåndværk] ([id], [Umlauts ä_ö_ü-COUNT], [user_id], [invisible]) VALUES ('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, 1, NULL)
+GO
+INSERT [kunsthåndværk] ([id], [Umlauts ä_ö_ü-COUNT], [user_id], [invisible]) VALUES ('e31ecfe6-591f-4660-9fbd-1a232083037f', 2, 2, NULL)
 GO
 
 INSERT [invisibles] ([id]) VALUES ('e42c77c6-06a4-4502-816c-d112c7142e6d')
@@ -341,3 +344,9 @@ GO
 
 ALTER TABLE [kunsthåndværk]  WITH CHECK ADD 	CONSTRAINT [UC_kunsthåndværk_Umlauts ä_ö_ü-COUNT] UNIQUE([Umlauts ä_ö_ü-COUNT])
 GO
+
+ALTER TABLE [kunsthåndværk]  WITH CHECK ADD 	CONSTRAINT [FK_kunsthåndværk_users] FOREIGN KEY([user_id])
+REFERENCES [users] ([id])
+GO
+ALTER TABLE [kunsthåndværk] CHECK	CONSTRAINT [FK_kunsthåndværk_users]
+GO

tests/functional/001_records/063_list_kunsthåndværk.log

@@ -2,6 +2,6 @@ GET /records/kunsthåndværk
 ===
 200
 Content-Type: application/json
-Content-Length: 86
+Content-Length: 98
 
-{"records":[{"id":"e42c77c6-06a4-4502-816c-d112c7142e6d","Umlauts ä_ö_ü-COUNT":1}]}
+{"records":[{"id":"e42c77c6-06a4-4502-816c-d112c7142e6d","Umlauts ä_ö_ü-COUNT":1,"user_id":1}]}