2022-10-03 11:09:36 +02:00
|
|
|
--liquibase formatted sql
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
|
|
|
|
--changeset hs-office-debitor-rbac-OBJECT:1 endDelimiter:--//
|
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
call generateRelatedRbacObject('hs_office_debitor');
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
|
|
|
|
--changeset hs-office-debitor-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
call generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
|
|
|
|
--changeset hs-office-debitor-rbac-ROLES-CREATION:1 endDelimiter:--//
|
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Creates and updates the roles and their assignments for debitor entities.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
create or replace function hsOfficeDebitorRbacRolesTrigger()
|
|
|
|
|
returns trigger
|
|
|
|
|
language plpgsql
|
|
|
|
|
strict as $$
|
|
|
|
|
declare
|
|
|
|
|
hsOfficeDebitorTenant RbacRoleDescriptor;
|
|
|
|
|
ownerRole uuid;
|
|
|
|
|
adminRole uuid;
|
|
|
|
|
oldPartner hs_office_partner;
|
|
|
|
|
newPartner hs_office_partner;
|
|
|
|
|
newPerson hs_office_person;
|
|
|
|
|
oldContact hs_office_contact;
|
|
|
|
|
newContact hs_office_contact;
|
2022-10-05 17:22:33 +02:00
|
|
|
newBankAccount hs_office_bankaccount;
|
2022-10-03 11:09:36 +02:00
|
|
|
begin
|
|
|
|
|
|
|
|
|
|
hsOfficeDebitorTenant := hsOfficeDebitorTenant(NEW);
|
|
|
|
|
|
|
|
|
|
select * from hs_office_partner as p where p.uuid = NEW.partnerUuid into newPartner;
|
|
|
|
|
select * from hs_office_person as p where p.uuid = newPartner.personUuid into newPerson;
|
|
|
|
|
select * from hs_office_contact as c where c.uuid = NEW.billingContactUuid into newContact;
|
2022-10-05 17:22:33 +02:00
|
|
|
select * from hs_office_bankaccount as b where b.uuid = NEW.refundBankAccountUuid into newBankAccount;
|
2022-10-03 11:09:36 +02:00
|
|
|
if TG_OP = 'INSERT' then
|
|
|
|
|
|
|
|
|
|
-- the owner role with full access for the global admins
|
|
|
|
|
ownerRole = createRole(
|
|
|
|
|
hsOfficeDebitorOwner(NEW),
|
|
|
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
|
|
|
|
beneathRole(globalAdmin())
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
-- the admin role with full access for owner
|
|
|
|
|
adminRole = createRole(
|
|
|
|
|
hsOfficeDebitorAdmin(NEW),
|
2022-10-05 17:22:33 +02:00
|
|
|
withoutPermissions(),
|
|
|
|
|
beneathRoles(array [
|
|
|
|
|
hsOfficeDebitorOwner(NEW),
|
|
|
|
|
hsOfficePartnerAdmin(newPartner),
|
|
|
|
|
hsOfficePersonAdmin(newPerson),
|
|
|
|
|
hsOfficeContactAdmin(newContact),
|
|
|
|
|
hsOfficeBankAccountAdmin(newBankAccount)]),
|
|
|
|
|
withSubRoles(array [
|
|
|
|
|
hsOfficePartnerTenant(newPartner),
|
|
|
|
|
hsOfficePersonTenant(newPerson),
|
|
|
|
|
hsOfficeContactTenant(newContact),
|
|
|
|
|
hsOfficeBankAccountTenant(newBankAccount)])
|
2022-10-03 11:09:36 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
-- the tenant role for those related users who can view the data
|
|
|
|
|
perform createRole(
|
|
|
|
|
hsOfficeDebitorTenant,
|
|
|
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
2022-10-05 17:22:33 +02:00
|
|
|
beneathRole(hsOfficeDebitorAdmin(NEW))
|
2022-10-03 11:09:36 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
elsif TG_OP = 'UPDATE' then
|
|
|
|
|
|
|
|
|
|
if OLD.partnerUuid <> NEW.partnerUuid then
|
|
|
|
|
select * from hs_office_partner as p where p.uuid = OLD.partnerUuid into oldPartner;
|
|
|
|
|
|
2022-10-05 17:22:33 +02:00
|
|
|
call revokeRoleFromRole(hsOfficeDebitorAdmin(OLD), hsOfficePartnerAdmin(oldPartner));
|
|
|
|
|
call grantRoleToRole(hsOfficeDebitorAdmin(NEW), hsOfficePartnerAdmin(newPartner));
|
|
|
|
|
|
|
|
|
|
call revokeRoleFromRole(hsOfficePartnerTenant(oldPartner), hsOfficeDebitorAdmin(OLD));
|
|
|
|
|
call grantRoleToRole(hsOfficePartnerTenant(newPartner), hsOfficeDebitorAdmin(NEW));
|
2022-10-03 11:09:36 +02:00
|
|
|
|
2022-10-05 17:22:33 +02:00
|
|
|
-- TODO: What about the person of the partner? And what if the person of the partner changes?
|
2022-10-03 11:09:36 +02:00
|
|
|
end if;
|
|
|
|
|
|
|
|
|
|
if OLD.billingContactUuid <> NEW.billingContactUuid then
|
|
|
|
|
select * from hs_office_contact as c where c.uuid = OLD.billingContactUuid into oldContact;
|
|
|
|
|
|
2022-10-05 17:22:33 +02:00
|
|
|
call revokeRoleFromRole(hsOfficeDebitorAdmin(OLD), hsOfficeContactAdmin(oldContact));
|
|
|
|
|
call grantRoleToRole(hsOfficeDebitorAdmin(NEW), hsOfficeContactAdmin(newContact));
|
2022-10-03 11:09:36 +02:00
|
|
|
|
2022-10-05 17:22:33 +02:00
|
|
|
call revokeRoleFromRole(hsOfficeContactTenant(oldContact), hsOfficeDebitorAdmin(OLD));
|
|
|
|
|
call grantRoleToRole(hsOfficeContactTenant(newContact), hsOfficeDebitorAdmin(NEW));
|
2022-10-03 11:09:36 +02:00
|
|
|
end if;
|
|
|
|
|
else
|
|
|
|
|
raise exception 'invalid usage of TRIGGER';
|
|
|
|
|
end if;
|
|
|
|
|
|
|
|
|
|
return NEW;
|
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
An AFTER INSERT TRIGGER which creates the role structure for a new debitor.
|
|
|
|
|
*/
|
|
|
|
|
create trigger createRbacRolesForHsOfficeDebitor_Trigger
|
|
|
|
|
after insert
|
|
|
|
|
on hs_office_debitor
|
|
|
|
|
for each row
|
|
|
|
|
execute procedure hsOfficeDebitorRbacRolesTrigger();
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
An AFTER UPDATE TRIGGER which updates the role structure of a debitor.
|
|
|
|
|
*/
|
|
|
|
|
create trigger updateRbacRolesForHsOfficeDebitor_Trigger
|
|
|
|
|
after update
|
|
|
|
|
on hs_office_debitor
|
|
|
|
|
for each row
|
|
|
|
|
execute procedure hsOfficeDebitorRbacRolesTrigger();
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
|
|
|
|
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
call generateRbacIdentityView('hs_office_debitor', $idName$
|
|
|
|
|
'#' || debitorNumber || ':' ||
|
|
|
|
|
(select idName from hs_office_partner_iv p where p.uuid = target.partnerUuid)
|
|
|
|
|
$idName$);
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
|
|
|
|
--changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
call generateRbacRestrictedView('hs_office_debitor',
|
2022-10-05 17:22:33 +02:00
|
|
|
'target.debitorNumber',
|
|
|
|
|
$updates$
|
2022-10-03 11:09:36 +02:00
|
|
|
billingContactUuid = new.billingContactUuid,
|
|
|
|
|
vatId = new.vatId,
|
|
|
|
|
vatCountryCode = new.vatCountryCode,
|
|
|
|
|
vatBusiness = new.vatBusiness
|
|
|
|
|
$updates$);
|
|
|
|
|
--//
|
|
|
|
|
|
|
|
|
|
-- ============================================================================
|
|
|
|
|
--changeset hs-office-debitor-rbac-NEW-DEBITOR:1 endDelimiter:--//
|
|
|
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
|
/*
|
|
|
|
|
Creates a global permission for new-debitor and assigns it to the hostsharing admins role.
|
|
|
|
|
*/
|
|
|
|
|
do language plpgsql $$
|
|
|
|
|
declare
|
2022-10-05 17:22:33 +02:00
|
|
|
addDebitorPermissions uuid[];
|
|
|
|
|
globalObjectUuid uuid;
|
|
|
|
|
globalAdminRoleUuid uuid ;
|
2022-10-03 11:09:36 +02:00
|
|
|
begin
|
|
|
|
|
call defineContext('granting global new-debitor permission to global admin role', null, null, null);
|
|
|
|
|
|
|
|
|
|
globalAdminRoleUuid := findRoleId(globalAdmin());
|
|
|
|
|
globalObjectUuid := (select uuid from global);
|
|
|
|
|
addDebitorPermissions := createPermissions(globalObjectUuid, array ['new-debitor']);
|
|
|
|
|
call grantPermissionsToRole(globalAdminRoleUuid, addDebitorPermissions);
|
|
|
|
|
end;
|
|
|
|
|
$$;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Used by the trigger to prevent the add-debitor to current user respectively assumed roles.
|
|
|
|
|
*/
|
|
|
|
|
create or replace function addHsOfficeDebitorNotAllowedForCurrentSubjects()
|
|
|
|
|
returns trigger
|
|
|
|
|
language PLPGSQL
|
|
|
|
|
as $$
|
|
|
|
|
begin
|
|
|
|
|
raise exception '[403] new-debitor not permitted for %',
|
|
|
|
|
array_to_string(currentSubjects(), ';', 'null');
|
|
|
|
|
end; $$;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Checks if the user or assumed roles are allowed to create a new debitor.
|
|
|
|
|
*/
|
|
|
|
|
create trigger hs_office_debitor_insert_trigger
|
|
|
|
|
before insert
|
|
|
|
|
on hs_office_debitor
|
|
|
|
|
for each row
|
|
|
|
|
-- TODO.spec: who is allowed to create new debitors
|
|
|
|
|
when ( not hasAssumedRole() )
|
|
|
|
|
execute procedure addHsOfficeDebitorNotAllowedForCurrentSubjects();
|
|
|
|
|
--//
|
|
|
|
|
|
