Adds option to grant web user read-only DB access

Introduces a command-line flag to grant read-only access to the web user for all tables, improving ease of permissions management during refresh operations.

src/nominatim_db/clicmd/args.py

@@ -119,6 +119,7 @@ class NominatimArgs:
     enable_debug_statements: bool
     data_object: Sequence[Tuple[str, int]]
     data_area: Sequence[Tuple[str, int]]
+    ro_access: bool
 
     # Arguments to 'replication'
     init: bool

src/nominatim_db/clicmd/refresh.py

@@ -65,6 +65,8 @@ class UpdateRefresh:
                            help='Update secondary importance raster data')
         group.add_argument('--importance', action='store_true',
                            help='Recompute place importances (expensive!)')
+        group.add_argument('--ro-access', action='store_true',
+                           help='Grant read-only access to web user for all tables')
         group.add_argument('--website', action='store_true',
                            help='DEPRECATED. This function has no function anymore'
                                 ' and will be removed in a future version.')
@@ -159,6 +161,11 @@ class UpdateRefresh:
             LOG.error('WARNING: Website setup is no longer required. '
                       'This function will be removed in future version of Nominatim.')
 
+        if args.ro_access:
+            from ..tools import admin
+            LOG.warning('Grant read-only access to web user')
+            admin.grant_ro_access(args.config.get_libpq_dsn(), args.config)
+
         if args.data_object or args.data_area:
             with connect(args.config.get_libpq_dsn()) as conn:
                 for obj in args.data_object or []: