hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 3 Activity
hs.hsadmin.ng/src/main/resources/db/changelog/213-hs-office-person-rbac.sql

139 lines
4.7 KiB
MySQL
Raw Normal View History

add person business object at db level
2022-09-07 20:24:35 +02:00
--liquibase formatted sql
-- ============================================================================
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
--changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--//
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ----------------------------------------------------------------------------
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
call generateRelatedRbacObject('hs_office_person');
add person business object at db level
2022-09-07 20:24:35 +02:00
--//
consolidating role deletion from business objects to rbac system
2022-09-13 10:58:54 +02:00
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ============================================================================
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
--changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ----------------------------------------------------------------------------
introduce 058-rbac-generators.sql with generateRelatedRbacObject+generateRbacRoleDescriptors
2022-09-16 15:25:58 +02:00
call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
add person business object at db level
2022-09-07 20:24:35 +02:00
--//
-- ============================================================================
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
--changeset hs-office-person-rbac-ROLES-CREATION:1 endDelimiter:--//
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ----------------------------------------------------------------------------
/*
Creates the roles and their assignments for a new person for the AFTER INSERT TRIGGER.
*/
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
create or replace function createRbacRolesForHsOfficePerson()
add person business object at db level
2022-09-07 20:24:35 +02:00
returns trigger
language plpgsql
strict as $$
begin
if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
introduces agent+guest role for role-system around debitor+partner
2022-10-12 15:48:56 +02:00
perform createRoleWithGrants(
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
hsOfficePersonOwner(NEW),
introduces agent+guest role for role-system around debitor+partner
2022-10-12 15:48:56 +02:00
permissions => array['*'],
incomingSuperRoles => array[globalAdmin()],
userUuids => array[currentUserUuid()],
grantedByRole => globalAdmin()
add person business object at db level
2022-09-07 20:24:35 +02:00
);
introduces agent+guest role for role-system around debitor+partner
2022-10-12 15:48:56 +02:00
perform createRoleWithGrants(
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
hsOfficePersonAdmin(NEW),
introduces agent+guest role for role-system around debitor+partner
2022-10-12 15:48:56 +02:00
permissions => array['edit'],
incomingSuperRoles => array[hsOfficePersonOwner(NEW)]
add partner business object at repo level (WIP)
2022-09-09 17:43:43 +02:00
);
introduces agent+guest role for role-system around debitor+partner
2022-10-12 15:48:56 +02:00
perform createRoleWithGrants(
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
hsOfficePersonTenant(NEW),
introduces agent+guest role for role-system around debitor+partner
2022-10-12 15:48:56 +02:00
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
);
perform createRoleWithGrants(
hsOfficePersonGuest(NEW),
permissions => array['view'],
incomingSuperRoles => array[hsOfficePersonTenant(NEW)]
add person business object at db level
2022-09-07 20:24:35 +02:00
);
return NEW;
end; $$;
/*
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
*/
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
create trigger createRbacRolesForHsOfficePerson_Trigger
add person business object at db level
2022-09-07 20:24:35 +02:00
after insert
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
on hs_office_person
add person business object at db level
2022-09-07 20:24:35 +02:00
for each row
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
execute procedure createRbacRolesForHsOfficePerson();
add person business object at db level
2022-09-07 20:24:35 +02:00
--//
-- ============================================================================
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ----------------------------------------------------------------------------
introduces generateRbacIdentityView to generate identity views
2022-09-16 16:14:39 +02:00
call generateRbacIdentityView('hs_office_person', $idName$
concat(target.tradeName, target.familyName, target.givenName)
$idName$);
add person business object at db level
2022-09-07 20:24:35 +02:00
--//
-- ============================================================================
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
--changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ----------------------------------------------------------------------------
introduces generateRbacRestrictedView to generate restricted view + triggers
2022-09-19 20:43:14 +02:00
call generateRbacRestrictedView('hs_office_person', 'concat(target.tradeName, target.familyName, target.givenName)',
$updates$
personType = new.personType,
tradeName = new.tradeName,
givenName = new.givenName,
familyName = new.familyName
$updates$);
add person business object at db level
2022-09-07 20:24:35 +02:00
--//
-- ============================================================================
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
--changeset hs-office-person-rbac-NEW-PERSON:1 endDelimiter:--//
add person business object at db level
2022-09-07 20:24:35 +02:00
-- ----------------------------------------------------------------------------
/*
Creates a global permission for new-person and assigns it to the hostsharing admins role.
*/
do language plpgsql $$
declare
improve Contact/Partner/Contact Repository integration tests with Raw...Repos
2022-09-12 16:27:17 +02:00
addCustomerPermissions uuid[];
globalObjectUuid uuid;
globalAdminRoleUuid uuid ;
add person business object at db level
2022-09-07 20:24:35 +02:00
begin
call defineContext('granting global new-person permission to global admin role', null, null, null);
globalAdminRoleUuid := findRoleId(globalAdmin());
globalObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(globalObjectUuid, array ['new-person']);
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
end;
$$;
/**
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
*/
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
create or replace function addHsOfficePersonNotAllowedForCurrentSubjects()
add person business object at db level
2022-09-07 20:24:35 +02:00
returns trigger
language PLPGSQL
as $$
begin
raise exception '[403] new-person not permitted for %',
array_to_string(currentSubjects(), ';', 'null');
end; $$;
/**
Checks if the user or assumed roles are allowed to create a new customer.
*/
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
create trigger hs_office_person_insert_trigger
add person business object at db level
2022-09-07 20:24:35 +02:00
before insert
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
on hs_office_person
add person business object at db level
2022-09-07 20:24:35 +02:00
for each row
-- TODO.spec: who is allowed to create new persons
when ( not hasAssumedRole() )
rename hs-admin to hs-office regarding the module name
2022-09-13 13:27:52 +02:00
execute procedure addHsOfficePersonNotAllowedForCurrentSubjects();
add person business object at db level
2022-09-07 20:24:35 +02:00
--//
Copy Permalink