| commit | author | age | ||
| 368da1 | 1 | --liquibase formatted sql |
| MH | 2 | |
| 3 | -- ============================================================================ | |
| 4 | --changeset hs-office-membership-rbac-OBJECT:1 endDelimiter:--// | |
| 5 | -- ---------------------------------------------------------------------------- | |
| 6 | call generateRelatedRbacObject('hs_office_membership'); | |
| 7 | --// | |
| 8 | ||
| 9 | ||
| 10 | -- ============================================================================ | |
| 11 | --changeset hs-office-membership-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// | |
| 12 | -- ---------------------------------------------------------------------------- | |
| 13 | call generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership'); | |
| 14 | --// | |
| 15 | ||
| 16 | ||
| 17 | -- ============================================================================ | |
| 18 | --changeset hs-office-membership-rbac-ROLES-CREATION:1 endDelimiter:--// | |
| 19 | -- ---------------------------------------------------------------------------- | |
| 20 | ||
| 21 | /* | |
| 22 | Creates and updates the roles and their assignments for membership entities. | |
| 23 | */ | |
| 24 | ||
| 25 | create or replace function hsOfficeMembershipRbacRolesTrigger() | |
| 26 | returns trigger | |
| 27 | language plpgsql | |
| 28 | strict as $$ | |
| 29 | declare | |
| 30 | newHsOfficePartner hs_office_partner; | |
| 31 | newHsOfficeDebitor hs_office_debitor; | |
| 32 | begin | |
| 33 | ||
| 34 | select * from hs_office_partner as p where p.uuid = NEW.partnerUuid into newHsOfficePartner; | |
| 35 | select * from hs_office_debitor as c where c.uuid = NEW.mainDebitorUuid into newHsOfficeDebitor; | |
| 36 | ||
| 37 | if TG_OP = 'INSERT' then | |
| 38 | ||
| 39 | -- === ATTENTION: code generated from related Mermaid flowchart: === | |
| 40 | ||
| 41 | perform createRoleWithGrants( | |
| 42 | hsOfficeMembershipOwner(NEW), | |
| 43 | permissions => array['*'], | |
| 44 | incomingSuperRoles => array[globalAdmin()] | |
| 45 | ); | |
| 46 | ||
| 47 | perform createRoleWithGrants( | |
| 48 | hsOfficeMembershipAdmin(NEW), | |
| 49 | permissions => array['edit'], | |
| 50 | incomingSuperRoles => array[hsOfficeMembershipOwner(NEW)], | |
| 51 | outgoingSubRoles => array[hsOfficeDebitorTenant(newHsOfficeDebitor)] | |
| 52 | ); | |
| 53 | ||
| 54 | perform createRoleWithGrants( | |
| 55 | hsOfficeMembershipAgent(NEW), | |
| 56 | incomingSuperRoles => array[hsOfficeMembershipAdmin(NEW), hsOfficePartnerAdmin(newHsOfficePartner), hsOfficeDebitorAdmin(newHsOfficeDebitor)], | |
| 57 | outgoingSubRoles => array[hsOfficePartnerTenant(newHsOfficePartner)] | |
| 58 | ); | |
| 59 | ||
| 60 | perform createRoleWithGrants( | |
| 61 | hsOfficeMembershipTenant(NEW), | |
| 62 | incomingSuperRoles => array[hsOfficeMembershipAgent(NEW)], | |
| 63 | outgoingSubRoles => array[hsOfficePartnerGuest(newHsOfficePartner), hsOfficeDebitorGuest(newHsOfficeDebitor)] | |
| 64 | ); | |
| 65 | ||
| 66 | perform createRoleWithGrants( | |
| 67 | hsOfficeMembershipGuest(NEW), | |
| 68 | permissions => array['view'], | |
| 69 | incomingSuperRoles => array[hsOfficeMembershipTenant(NEW)] | |
| 70 | ); | |
| 71 | ||
| 72 | -- === END of code generated from Mermaid flowchart. === | |
| 73 | ||
| 74 | else | |
| 75 | raise exception 'invalid usage of TRIGGER'; | |
| 76 | end if; | |
| 77 | ||
| 78 | return NEW; | |
| 79 | end; $$; | |
| 80 | ||
| 81 | /* | |
| 82 | An AFTER INSERT TRIGGER which creates the role structure for a new customer. | |
| 83 | */ | |
| 84 | create trigger createRbacRolesForHsOfficeMembership_Trigger | |
| 85 | after insert | |
| 86 | on hs_office_membership | |
| 87 | for each row | |
| 88 | execute procedure hsOfficeMembershipRbacRolesTrigger(); | |
| 89 | --// | |
| 90 | ||
| 91 | ||
| 92 | -- ============================================================================ | |
| 93 | --changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--// | |
| 94 | -- ---------------------------------------------------------------------------- | |
| 95 | call generateRbacIdentityView('hs_office_membership', idNameExpression => $idName$ | |
| 28bdd9 | 96 | target.memberNumber || (select idName from hs_office_partner_iv p where p.uuid = target.partnerUuid) |
| 368da1 | 97 | $idName$); |
| MH | 98 | --// |
| 99 | ||
| 100 | ||
| 101 | -- ============================================================================ | |
| 102 | --changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--// | |
| 103 | -- ---------------------------------------------------------------------------- | |
| 104 | call generateRbacRestrictedView('hs_office_membership', | |
| 28bdd9 | 105 | orderby => 'target.memberNumber', |
| 368da1 | 106 | columnUpdates => $updates$ |
| MH | 107 | validity = new.validity, |
| 108 | reasonForTermination = new.reasonForTermination | |
| 109 | $updates$); | |
| 110 | --// | |
| 111 | ||
| 112 | ||
| 113 | -- ============================================================================ | |
| 114 | --changeset hs-office-membership-rbac-NEW-Membership:1 endDelimiter:--// | |
| 115 | -- ---------------------------------------------------------------------------- | |
| 116 | /* | |
| 117 | Creates a global permission for new-membership and assigns it to the hostsharing admins role. | |
| 118 | */ | |
| 119 | do language plpgsql $$ | |
| 120 | declare | |
| 121 | addCustomerPermissions uuid[]; | |
| 122 | globalObjectUuid uuid; | |
| 123 | globalAdminRoleUuid uuid ; | |
| 124 | begin | |
| 125 | call defineContext('granting global new-membership permission to global admin role', null, null, null); | |
| 126 | ||
| 127 | globalAdminRoleUuid := findRoleId(globalAdmin()); | |
| 128 | globalObjectUuid := (select uuid from global); | |
| 129 | addCustomerPermissions := createPermissions(globalObjectUuid, array ['new-membership']); | |
| 130 | call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions); | |
| 131 | end; | |
| 132 | $$; | |
| 133 | ||
| 134 | /** | |
| 135 | Used by the trigger to prevent the add-customer to current user respectively assumed roles. | |
| 136 | */ | |
| 137 | create or replace function addHsOfficeMembershipNotAllowedForCurrentSubjects() | |
| 138 | returns trigger | |
| 139 | language PLPGSQL | |
| 140 | as $$ | |
| 141 | begin | |
| 142 | raise exception '[403] new-membership not permitted for %', | |
| 143 | array_to_string(currentSubjects(), ';', 'null'); | |
| 144 | end; $$; | |
| 145 | ||
| 146 | /** | |
| 147 | Checks if the user or assumed roles are allowed to create a new customer. | |
| 148 | */ | |
| 149 | create trigger hs_office_membership_insert_trigger | |
| 150 | before insert | |
| 151 | on hs_office_membership | |
| 152 | for each row | |
| 153 | -- TODO.spec: who is allowed to create new memberships | |
| 154 | when ( not hasAssumedRole() ) | |
| 155 | execute procedure addHsOfficeMembershipNotAllowedForCurrentSubjects(); | |
| 156 | --// | |
| 157 | ||
