200 lines
6.8 KiB
MySQL
200 lines
6.8 KiB
MySQL
|
--liquibase formatted sql
|
||
|
|
-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
|
||
|
|
|
||
|
|
|
||
|
|
-- ============================================================================
|
||
|
|
--changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--//
|
||
|
|
-- ----------------------------------------------------------------------------
|
||
|
|
call generateRelatedRbacObject('hs_booking_item');
|
||
|
|
--//
|
||
|
|
|
||
|
|
|
||
|
|
-- ============================================================================
|
||
|
|
--changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||
|
|
-- ----------------------------------------------------------------------------
|
||
|
|
call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
|
||
|
|
--//
|
||
|
|
|
||
|
|
|
||
|
|
-- ============================================================================
|
||
|
|
--changeset hs-booking-item-rbac-insert-trigger:1 endDelimiter:--//
|
||
|
|
-- ----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
/*
|
||
|
|
Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
|
||
|
|
*/
|
||
|
|
|
||
|
|
create or replace procedure buildRbacSystemForHsBookingItem(
|
||
|
|
NEW hs_booking_item
|
||
|
|
)
|
||
|
|
language plpgsql as $$
|
||
|
|
|
||
|
|
declare
|
||
|
|
newDebitor hs_office_debitor;
|
||
|
|
newDebitorRel hs_office_relation;
|
||
|
|
|
||
|
|
begin
|
||
|
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||
|
|
|
||
|
|
SELECT * FROM hs_office_debitor WHERE uuid = NEW.debitorUuid INTO newDebitor;
|
||
|
|
assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
|
||
|
|
|
||
|
|
SELECT debitorRel.*
|
||
|
|
FROM hs_office_relation debitorRel
|
||
|
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||
|
|
WHERE debitor.uuid = NEW.debitorUuid
|
||
|
|
INTO newDebitorRel;
|
||
|
|
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
|
||
|
|
|
||
|
|
|
||
|
|
perform createRoleWithGrants(
|
||
|
|
hsBookingItemOWNER(NEW),
|
||
|
|
permissions => array['UPDATE'],
|
||
|
|
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel)]
|
||
|
|
);
|
||
|
|
|
||
|
|
perform createRoleWithGrants(
|
||
|
|
hsBookingItemADMIN(NEW),
|
||
|
|
incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
|
||
|
|
);
|
||
|
|
|
||
|
|
perform createRoleWithGrants(
|
||
|
|
hsBookingItemTENANT(NEW),
|
||
|
|
permissions => array['SELECT'],
|
||
|
|
incomingSuperRoles => array[hsBookingItemADMIN(NEW)],
|
||
|
|
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||
|
|
);
|
||
|
|
|
||
|
|
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||
|
|
|
||
|
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||
|
|
end; $$;
|
||
|
|
|
||
|
|
/*
|
||
|
|
AFTER INSERT TRIGGER to create the role+grant structure for a new hs_booking_item row.
|
||
|
|
*/
|
||
|
|
|
||
|
|
create or replace function insertTriggerForHsBookingItem_tf()
|
||
|
|
returns trigger
|
||
|
|
language plpgsql
|
||
|
|
strict as $$
|
||
|
|
begin
|
||
|
|
call buildRbacSystemForHsBookingItem(NEW);
|
||
|
|
return NEW;
|
||
|
|
end; $$;
|
||
|
|
|
||
|
|
create trigger insertTriggerForHsBookingItem_tg
|
||
|
|
after insert on hs_booking_item
|
||
|
|
for each row
|
||
|
|
execute procedure insertTriggerForHsBookingItem_tf();
|
||
|
|
--//
|
||
|
|
|
||
|
|
|
||
|
|
-- ============================================================================
|
||
|
|
--changeset hs-booking-item-rbac-INSERT:1 endDelimiter:--//
|
||
|
|
-- ----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
/*
|
||
|
|
Creates INSERT INTO hs_booking_item permissions for the related hs_office_relation rows.
|
||
|
|
*/
|
||
|
|
do language plpgsql $$
|
||
|
|
declare
|
||
|
|
row hs_office_relation;
|
||
|
|
begin
|
||
|
|
call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows');
|
||
|
|
|
||
|
|
FOR row IN SELECT * FROM hs_office_relation
|
||
|
|
WHERE type in ('DEBITOR') -- TODO.rbac: currently manually patched, needs to be generated
|
||
|
|
LOOP
|
||
|
|
call grantPermissionToRole(
|
||
|
|
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||
|
|
hsOfficeRelationADMIN(row));
|
||
|
|
END LOOP;
|
||
|
|
END;
|
||
|
|
$$;
|
||
|
|
|
||
|
|
/**
|
||
|
|
Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows.
|
||
|
|
*/
|
||
|
|
create or replace function hs_booking_item_hs_office_relation_insert_tf()
|
||
|
|
returns trigger
|
||
|
|
language plpgsql
|
||
|
|
strict as $$
|
||
|
|
begin
|
||
|
|
if NEW.type = 'DEBITOR' then -- TODO.rbac: currently manually patched, needs to be generated
|
||
|
|
call grantPermissionToRole(
|
||
|
|
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||
|
|
hsOfficeRelationADMIN(NEW));
|
||
|
|
end if;
|
||
|
|
return NEW;
|
||
|
|
end; $$;
|
||
|
|
|
||
|
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||
|
|
create trigger z_hs_booking_item_hs_office_relation_insert_tg
|
||
|
|
after insert on hs_office_relation
|
||
|
|
for each row
|
||
|
|
execute procedure hs_booking_item_hs_office_relation_insert_tf();
|
||
|
|
|
||
|
|
/**
|
||
|
|
Checks if the user or assumed roles are allowed to insert a row to hs_booking_item,
|
||
|
|
where the check is performed by an indirect role.
|
||
|
|
|
||
|
|
An indirect role is a role which depends on an object uuid which is not a direct foreign key
|
||
|
|
of the source entity, but needs to be fetched via joined tables.
|
||
|
|
*/
|
||
|
|
create or replace function hs_booking_item_insert_permission_check_tf()
|
||
|
|
returns trigger
|
||
|
|
language plpgsql as $$
|
||
|
|
|
||
|
|
declare
|
||
|
|
superRoleObjectUuid uuid;
|
||
|
|
|
||
|
|
begin
|
||
|
|
superRoleObjectUuid := (SELECT debitorRel.uuid
|
||
|
|
FROM hs_office_relation debitorRel
|
||
|
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||
|
|
WHERE debitor.uuid = NEW.debitorUuid
|
||
|
|
);
|
||
|
|
assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
|
||
|
|
|
||
|
|
if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', 'hs_booking_item') ) then
|
||
|
|
raise exception
|
||
|
|
'[403] insert into hs_booking_item not allowed for current subjects % (%)',
|
||
|
|
currentSubjects(), currentSubjectsUuids();
|
||
|
|
end if;
|
||
|
|
return NEW;
|
||
|
|
end; $$;
|
||
|
|
|
||
|
|
create trigger hs_booking_item_insert_permission_check_tg
|
||
|
|
before insert on hs_booking_item
|
||
|
|
for each row
|
||
|
|
execute procedure hs_booking_item_insert_permission_check_tf();
|
||
|
|
--//
|
||
|
|
|
||
|
|
-- ============================================================================
|
||
|
|
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||
|
|
-- ----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
call generateRbacIdentityViewFromQuery('hs_booking_item',
|
||
|
|
$idName$
|
||
|
|
SELECT i.uuid as uuid, d.idName || ':' || i.caption as idName
|
||
|
|
FROM hs_booking_item i
|
||
|
|
JOIN hs_office_debitor_iv d ON d.uuid = i.debitorUuid
|
||
|
|
$idName$);
|
||
|
|
--//
|
||
|
|
|
||
|
|
-- ============================================================================
|
||
|
|
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||
|
|
-- ----------------------------------------------------------------------------
|
||
|
|
call generateRbacRestrictedView('hs_booking_item',
|
||
|
|
$orderBy$
|
||
|
|
validity
|
||
|
|
$orderBy$,
|
||
|
|
$updates$
|
||
|
|
version = new.version,
|
||
|
|
validity = new.validity,
|
||
|
|
resources = new.resources
|
||
|
|
$updates$);
|
||
|
|
--//
|
||
|
|
|