| commit | author | age | ||
| 4e90f5 | 1 | --liquibase formatted sql |
| MH | 2 | |
| 3 | -- ============================================================================ | |
| 4 | --changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--// | |
| 5 | -- ---------------------------------------------------------------------------- | |
| 6 | call generateRelatedRbacObject('hs_office_partner'); | |
| 7 | --// | |
| 8 | ||
| 9 | ||
| 10 | -- ============================================================================ | |
| 11 | --changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// | |
| 12 | -- ---------------------------------------------------------------------------- | |
| d63e3f | 13 | call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner'); |
| 4e90f5 | 14 | --// |
| MH | 15 | |
| 16 | ||
| 17 | -- ============================================================================ | |
| 18 | --changeset hs-office-partner-rbac-ROLES-CREATION:1 endDelimiter:--// | |
| 19 | -- ---------------------------------------------------------------------------- | |
| 20 | ||
| 21 | /* | |
| 1dd631 | 22 | Creates and updates the roles and their assignments for partner entities. |
| 4e90f5 | 23 | */ |
| MH | 24 | |
| 1dd631 | 25 | create or replace function hsOfficePartnerRbacRolesTrigger() |
| 4e90f5 | 26 | returns trigger |
| MH | 27 | language plpgsql |
| 28 | strict as $$ | |
| 29 | declare | |
| 1dd631 | 30 | hsOfficePartnerTenant RbacRoleDescriptor; |
| MH | 31 | ownerRole uuid; |
| 32 | adminRole uuid; | |
| 33 | oldPerson hs_office_person; | |
| 34 | newPerson hs_office_person; | |
| 35 | oldContact hs_office_contact; | |
| 36 | newContact hs_office_contact; | |
| 4e90f5 | 37 | begin |
| 1dd631 | 38 | |
| MH | 39 | hsOfficePartnerTenant := hsOfficePartnerTenant(NEW); |
| 40 | ||
| 41 | select * from hs_office_person as p where p.uuid = NEW.personUuid into newPerson; | |
| 42 | select * from hs_office_contact as c where c.uuid = NEW.contactUuid into newContact; | |
| 43 | ||
| 44 | if TG_OP = 'INSERT' then | |
| 45 | ||
| 46 | -- the owner role with full access for the global admins | |
| 47 | ownerRole = createRole( | |
| 48 | hsOfficePartnerOwner(NEW), | |
| 49 | grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), | |
| 50 | beneathRole(globalAdmin()) | |
| 51 | ); | |
| 52 | ||
| 53 | -- the admin role with full access for the global admins | |
| 54 | adminRole = createRole( | |
| 55 | hsOfficePartnerAdmin(NEW), | |
| 56 | grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']), | |
| 57 | beneathRole(ownerRole) | |
| 58 | ); | |
| 59 | ||
| 60 | -- the tenant role for those related users who can view the data | |
| 61 | perform createRole( | |
| 62 | hsOfficePartnerTenant, | |
| 63 | grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']), | |
| 64 | beneathRoles(array[hsOfficePartnerAdmin(NEW), hsOfficePersonAdmin(newPerson), hsOfficeContactAdmin(newContact)]), | |
| 65 | withSubRoles(array[hsOfficePersonTenant(newPerson), hsOfficeContactTenant(newContact)]) | |
| 66 | ); | |
| 67 | ||
| 68 | elsif TG_OP = 'UPDATE' then | |
| 69 | ||
| 70 | if OLD.personUuid <> NEW.personUuid then | |
| 71 | select * from hs_office_person as p where p.uuid = OLD.personUuid into oldPerson; | |
| 72 | ||
| 73 | call revokeRoleFromRole( hsOfficePartnerTenant, hsOfficePersonAdmin(oldPerson) ); | |
| 74 | call grantRoleToRole( hsOfficePartnerTenant, hsOfficePersonAdmin(newPerson) ); | |
| 75 | ||
| 76 | call revokeRoleFromRole( hsOfficePersonTenant(oldPerson), hsOfficePartnerTenant ); | |
| 77 | call grantRoleToRole( hsOfficePersonTenant(newPerson), hsOfficePartnerTenant ); | |
| 78 | end if; | |
| 79 | ||
| 80 | if OLD.contactUuid <> NEW.contactUuid then | |
| 81 | select * from hs_office_contact as c where c.uuid = OLD.contactUuid into oldContact; | |
| 82 | ||
| 83 | call revokeRoleFromRole( hsOfficePartnerTenant, hsOfficeContactAdmin(oldContact) ); | |
| 84 | call grantRoleToRole( hsOfficePartnerTenant, hsOfficeContactAdmin(newContact) ); | |
| 85 | ||
| 86 | call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficePartnerTenant ); | |
| 87 | call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficePartnerTenant ); | |
| 88 | end if; | |
| 89 | else | |
| 90 | raise exception 'invalid usage of TRIGGER'; | |
| 4e90f5 | 91 | end if; |
| MH | 92 | |
| 93 | return NEW; | |
| 94 | end; $$; | |
| 95 | ||
| 96 | /* | |
| 97 | An AFTER INSERT TRIGGER which creates the role structure for a new customer. | |
| 98 | */ | |
| 99 | create trigger createRbacRolesForHsOfficePartner_Trigger | |
| 100 | after insert | |
| 101 | on hs_office_partner | |
| 102 | for each row | |
| 1dd631 | 103 | execute procedure hsOfficePartnerRbacRolesTrigger(); |
| MH | 104 | |
| 105 | /* | |
| 106 | An AFTER UPDATE TRIGGER which updates the role structure of a customer. | |
| 107 | */ | |
| 108 | create trigger updateRbacRolesForHsOfficePartner_Trigger | |
| 109 | after update | |
| 110 | on hs_office_partner | |
| 111 | for each row | |
| 112 | execute procedure hsOfficePartnerRbacRolesTrigger(); | |
| 4e90f5 | 113 | --// |
| MH | 114 | |
| 115 | ||
| 116 | -- ============================================================================ | |
| 117 | --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--// | |
| 118 | -- ---------------------------------------------------------------------------- | |
| 119 | ||
| 120 | /* | |
| 121 | Creates a view to the partner main table which maps the identifying name | |
| 122 | (in this case, the prefix) to the objectUuid. | |
| 123 | */ | |
| 124 | create or replace view hs_office_partner_iv as | |
| 125 | select target.uuid, | |
| 126 | cleanIdentifier( | |
| 127 | (select idName from hs_office_person_iv p where p.uuid = target.personuuid) | |
| 128 | || '-' || | |
| 129 | (select idName from hs_office_contact_iv c where c.uuid = target.contactuuid) | |
| 130 | ) | |
| 131 | as idName | |
| 132 | from hs_office_partner as target; | |
| 133 | -- TODO.spec: Is it ok that everybody has access to this information? | |
| 134 | grant all privileges on hs_office_partner_iv to restricted; | |
| 135 | ||
| 136 | /* | |
| 137 | Returns the objectUuid for a given identifying name (in this case the prefix). | |
| 138 | */ | |
| 139 | create or replace function hs_office_partnerUuidByIdName(idName varchar) | |
| 140 | returns uuid | |
| 141 | language sql | |
| 142 | strict as $$ | |
| 143 | select uuid from hs_office_partner_iv iv where iv.idName = hs_office_partnerUuidByIdName.idName; | |
| 144 | $$; | |
| 145 | ||
| 146 | /* | |
| 147 | Returns the identifying name for a given objectUuid (in this case the label). | |
| 148 | */ | |
| 149 | create or replace function hs_office_partnerIdNameByUuid(uuid uuid) | |
| 150 | returns varchar | |
| 151 | language sql | |
| 152 | strict as $$ | |
| 153 | select idName from hs_office_partner_iv iv where iv.uuid = hs_office_partnerIdNameByUuid.uuid; | |
| 154 | $$; | |
| 155 | --// | |
| 156 | ||
| 157 | ||
| 158 | -- ============================================================================ | |
| 159 | --changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--// | |
| 160 | -- ---------------------------------------------------------------------------- | |
| 161 | /* | |
| 162 | Creates a view to the partner main table with row-level limitation | |
| 163 | based on the 'view' permission of the current user or assumed roles. | |
| 164 | */ | |
| 165 | set session session authorization default; | |
| 166 | drop view if exists hs_office_partner_rv; | |
| 167 | create or replace view hs_office_partner_rv as | |
| 168 | select target.* | |
| 169 | from hs_office_partner as target | |
| 170 | where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'hs_office_partner', currentSubjectsUuids())); | |
| 171 | grant all privileges on hs_office_partner_rv to restricted; | |
| 172 | --// | |
| 173 | ||
| 174 | ||
| 175 | -- ============================================================================ | |
| 176 | --changeset hs-office-partner-rbac-INSTEAD-OF-INSERT-TRIGGER:1 endDelimiter:--// | |
| 177 | -- ---------------------------------------------------------------------------- | |
| 178 | ||
| 179 | /** | |
| 180 | Instead of insert trigger function for hs_office_partner_rv. | |
| 181 | */ | |
| 182 | create or replace function insertHsOfficePartner() | |
| 183 | returns trigger | |
| 184 | language plpgsql as $$ | |
| 185 | declare | |
| 186 | newUser hs_office_partner; | |
| 187 | begin | |
| 188 | insert | |
| 189 | into hs_office_partner | |
| 190 | values (new.*) | |
| 191 | returning * into newUser; | |
| 192 | return newUser; | |
| 193 | end; | |
| 194 | $$; | |
| 195 | ||
| 196 | /* | |
| 197 | Creates an instead of insert trigger for the hs_office_partner_rv view. | |
| 198 | */ | |
| 199 | create trigger insertHsOfficePartner_Trigger | |
| 200 | instead of insert | |
| 201 | on hs_office_partner_rv | |
| 202 | for each row | |
| 203 | execute function insertHsOfficePartner(); | |
| 204 | --// | |
| 205 | ||
| 1dd631 | 206 | |
| 4e90f5 | 207 | -- ============================================================================ |
| MH | 208 | --changeset hs-office-partner-rbac-INSTEAD-OF-DELETE-TRIGGER:1 endDelimiter:--// |
| 209 | -- ---------------------------------------------------------------------------- | |
| 210 | ||
| 211 | /** | |
| 212 | Instead of delete trigger function for hs_office_partner_rv. | |
| 213 | ||
| 214 | Checks if the current subject (user / assumed role) has the permission to delete the row. | |
| 215 | */ | |
| 216 | create or replace function deleteHsOfficePartner() | |
| 217 | returns trigger | |
| 218 | language plpgsql as $$ | |
| 219 | begin | |
| 1dd631 | 220 | if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('delete', 'hs_office_partner', currentSubjectsUuids())) then |
| MH | 221 | delete from hs_office_partner p where p.uuid = old.uuid; |
| 4e90f5 | 222 | return old; |
| MH | 223 | end if; |
| 1dd631 | 224 | raise exception '[403] Subject % is not allowed to delete partner uuid %', currentSubjectsUuids(), old.uuid; |
| 4e90f5 | 225 | end; $$; |
| MH | 226 | |
| 227 | /* | |
| 228 | Creates an instead of delete trigger for the hs_office_partner_rv view. | |
| 229 | */ | |
| 230 | create trigger deleteHsOfficePartner_Trigger | |
| 231 | instead of delete | |
| 232 | on hs_office_partner_rv | |
| 233 | for each row | |
| 234 | execute function deleteHsOfficePartner(); | |
| 235 | --/ | |
| 236 | ||
| 1dd631 | 237 | |
| MH | 238 | -- ============================================================================ |
| 239 | --changeset hs-office-partner-rbac-INSTEAD-OF-UPDATE-TRIGGER:1 endDelimiter:--// | |
| 240 | -- ---------------------------------------------------------------------------- | |
| 241 | ||
| 242 | /** | |
| 243 | Instead of update trigger function for hs_office_partner_rv. | |
| 244 | ||
| 245 | Checks if the current subject (user / assumed role) has the permission to update the row. | |
| 246 | */ | |
| 247 | create or replace function updateHsOfficePartner() | |
| 248 | returns trigger | |
| 249 | language plpgsql as $$ | |
| 250 | begin | |
| 251 | if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('edit', 'hs_office_partner', currentSubjectsUuids())) then | |
| 252 | update hs_office_partner | |
| 253 | set personUuid = new.personUuid, | |
| 254 | contactUuid = new.contactUuid, | |
| 255 | registrationOffice = new.registrationOffice, | |
| 256 | registrationNumber = new.registrationNumber, | |
| 257 | birthday = new.birthday, | |
| 258 | birthName = new.birthName, | |
| 259 | dateOfDeath = new.dateOfDeath | |
| 260 | where uuid = old.uuid; | |
| 261 | return old; | |
| 262 | end if; | |
| 263 | raise exception '[403] Subject % is not allowed to update partner uuid %', currentSubjectsUuids(), old.uuid; | |
| 264 | end; $$; | |
| 265 | ||
| 266 | /* | |
| 267 | Creates an instead of delete trigger for the hs_office_partner_rv view. | |
| 268 | */ | |
| 269 | create trigger updateHsOfficePartner_Trigger | |
| 270 | instead of update | |
| 271 | on hs_office_partner_rv | |
| 272 | for each row | |
| 273 | execute function updateHsOfficePartner(); | |
| 274 | --/ | |
| 275 | ||
| 276 | ||
| 4e90f5 | 277 | -- ============================================================================ |
| MH | 278 | --changeset hs-office-partner-rbac-NEW-CONTACT:1 endDelimiter:--// |
| 279 | -- ---------------------------------------------------------------------------- | |
| 280 | /* | |
| 281 | Creates a global permission for new-partner and assigns it to the hostsharing admins role. | |
| 282 | */ | |
| 283 | do language plpgsql $$ | |
| 284 | declare | |
| 285 | addCustomerPermissions uuid[]; | |
| 286 | globalObjectUuid uuid; | |
| 287 | globalAdminRoleUuid uuid ; | |
| 288 | begin | |
| 289 | call defineContext('granting global new-partner permission to global admin role', null, null, null); | |
| 290 | ||
| 291 | globalAdminRoleUuid := findRoleId(globalAdmin()); | |
| 292 | globalObjectUuid := (select uuid from global); | |
| 293 | addCustomerPermissions := createPermissions(globalObjectUuid, array ['new-partner']); | |
| 294 | call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions); | |
| 295 | end; | |
| 296 | $$; | |
| 297 | ||
| 298 | /** | |
| 299 | Used by the trigger to prevent the add-customer to current user respectively assumed roles. | |
| 300 | */ | |
| 301 | create or replace function addHsOfficePartnerNotAllowedForCurrentSubjects() | |
| 302 | returns trigger | |
| 303 | language PLPGSQL | |
| 304 | as $$ | |
| 305 | begin | |
| 306 | raise exception '[403] new-partner not permitted for %', | |
| 307 | array_to_string(currentSubjects(), ';', 'null'); | |
| 308 | end; $$; | |
| 309 | ||
| 310 | /** | |
| 311 | Checks if the user or assumed roles are allowed to create a new customer. | |
| 312 | */ | |
| 313 | create trigger hs_office_partner_insert_trigger | |
| 314 | before insert | |
| 315 | on hs_office_partner | |
| 316 | for each row | |
| 317 | -- TODO.spec: who is allowed to create new partners | |
| 318 | when ( not hasAssumedRole() ) | |
| 319 | execute procedure addHsOfficePartnerNotAllowedForCurrentSubjects(); | |
| 320 | --// | |
| 321 | ||
