chore: move the go code into a subfolder

apps/api/cmd/setup/46/01-role_permissions_view.sql

@@ -0,0 +1,6 @@
+CREATE OR REPLACE VIEW eventstore.role_permissions AS
+SELECT instance_id, aggregate_id, object_id as role, text_value as permission
+FROM eventstore.fields
+WHERE aggregate_type = 'permission'
+AND object_type = 'role_permission'
+AND field_name = 'permission';

apps/api/cmd/setup/46/02-instance_orgs_view.sql

@@ -0,0 +1,6 @@
+CREATE OR REPLACE VIEW eventstore.instance_orgs AS
+SELECT instance_id, aggregate_id as org_id
+FROM eventstore.fields
+WHERE aggregate_type = 'org'
+AND object_type = 'org'
+AND field_name = 'state';

apps/api/cmd/setup/46/03-instance_members_view.sql

@@ -0,0 +1,6 @@
+CREATE OR REPLACE VIEW eventstore.instance_members AS
+SELECT instance_id, object_id as user_id, text_value as role
+FROM eventstore.fields
+WHERE aggregate_type = 'instance'
+AND object_type = 'instance_member_role'
+AND field_name = 'instance_role';

apps/api/cmd/setup/46/04-org_members_view.sql

@@ -0,0 +1,6 @@
+CREATE OR REPLACE VIEW eventstore.org_members AS
+SELECT instance_id, aggregate_id as org_id, object_id as user_id, text_value as role
+FROM eventstore.fields
+WHERE aggregate_type = 'org'
+AND object_type = 'org_member_role'
+AND field_name = 'org_role';

apps/api/cmd/setup/46/05-project_members_view.sql

@@ -0,0 +1,6 @@
+CREATE OR REPLACE VIEW eventstore.project_members AS
+SELECT instance_id, aggregate_id as project_id, object_id as user_id, text_value as role
+FROM eventstore.fields
+WHERE aggregate_type = 'project'
+AND object_type = 'project_member_role'
+AND field_name = 'project_role';

apps/api/cmd/setup/46/06-permitted_orgs_function.sql

@@ -0,0 +1,50 @@
+CREATE OR REPLACE FUNCTION eventstore.permitted_orgs(
+    instanceId TEXT
+    , userId TEXT
+    , perm TEXT
+
+    , org_ids OUT TEXT[]
+)
+	LANGUAGE 'plpgsql'
+	STABLE
+AS $$
+DECLARE
+	matched_roles TEXT[]; -- roles containing permission
+BEGIN
+	SELECT array_agg(rp.role) INTO matched_roles
+	FROM eventstore.role_permissions rp
+	WHERE rp.instance_id = instanceId
+	AND rp.permission = perm;
+	
+	-- First try if the permission was granted thru an instance-level role
+	DECLARE
+		has_instance_permission bool;
+	BEGIN
+		SELECT true INTO has_instance_permission
+			FROM eventstore.instance_members im
+			WHERE im.role = ANY(matched_roles)
+			AND im.instance_id = instanceId
+			AND im.user_id = userId
+			LIMIT 1;
+		
+		IF has_instance_permission THEN
+			-- Return all organizations
+			SELECT array_agg(o.org_id) INTO org_ids
+				FROM eventstore.instance_orgs o
+				WHERE o.instance_id = instanceId;
+			RETURN;
+		END IF;
+	END;
+	
+	-- Return the organizations where permission were granted thru org-level roles
+	SELECT array_agg(sub.org_id) INTO org_ids
+	FROM (
+		SELECT DISTINCT om.org_id
+		FROM eventstore.org_members om
+		WHERE om.role = ANY(matched_roles)
+		AND om.instance_id = instanceID
+		AND om.user_id = userId
+	) AS sub;
+    RETURN;
+END;
+$$;