x

db/migration/V009__postgrest_roles.sql

@@ -0,0 +1,26 @@
+-- Role pro PostgREST anonymní přístup (read-only).
+-- GRANT na views je v db/views/R__z_postgrest_ems_anon_grants.sql (Flyway je aplikuje až po R__vw_*).
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'ems_anon') THEN
+    CREATE ROLE ems_anon NOLOGIN;
+  END IF;
+END $$;
+
+GRANT USAGE ON SCHEMA ems TO ems_anon;
+
+-- Read-only na tabulky (existují po V001–V008)
+GRANT SELECT ON ems.market_interval_price    TO ems_anon;
+GRANT SELECT ON ems.planning_run             TO ems_anon;
+GRANT SELECT ON ems.planning_interval        TO ems_anon;
+GRANT SELECT ON ems.forecast_pv_interval     TO ems_anon;
+GRANT SELECT ON ems.forecast_pv_run          TO ems_anon;
+GRANT SELECT ON ems.operating_mode_def       TO ems_anon;
+GRANT SELECT ON ems.site_operating_mode      TO ems_anon;
+GRANT SELECT ON ems.site_operating_mode_log  TO ems_anon;
+GRANT SELECT ON ems.ev_session               TO ems_anon;
+GRANT SELECT ON ems.asset_vehicle            TO ems_anon;
+
+COMMENT ON ROLE ems_anon IS
+'Anonymní role pro PostgREST. Read-only přístup na views a vybrané tabulky.
+Zápisy jdou výhradně přes FastAPI backend který má vlastní DB connection.';