diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
index be550b70..5509442d 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
@@ -95,7 +95,7 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid {
 return rbacViewFor("partner", HsOfficePartnerEntity.class)
 .withIdentityView(SQL.projection("'P-' || partnerNumber"))
 .withUpdatableColumns("partnerRelUuid")
- .toRole("global", ADMIN).grantPermission(INSERT) // FIXME: global -> partnerRel.anchor?
+ .toRole("global", ADMIN).grantPermission(INSERT)
 .importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
 directlyFetchedByDependsOnColumn(),
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
index c71418db..719c8ab4 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
@@ -7,6 +7,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.stream.Stream;
+import static java.util.Optional.ofNullable;
 import static java.util.stream.Collectors.joining;
 import static java.util.stream.Collectors.toSet;
 import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
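Review bot: The FIXME on the `.toRole("global", ADMIN).grantPermission(INSERT)` line is deleted while the grant itself is unchanged, so the open question it recorded (global admin versus the partner relation's anchor as holder of partner INSERT) is no longer documented anywhere in the hunk. If granting partner INSERT to the global ADMIN role is now the intended decision, a one-line comment next to the grant such as `// INSERT for partners stays with global ADMIN: <reason for not delegating to partnerRel.anchor>` (reason to be filled in from the actual decision) keeps the rationale where the next reader looks; if the question is still open, the marker should stay. The rbacViewFor chain continues outside the hunk.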
@@ -245,14 +246,11 @@ class RolesGrantsAndPermissionsGenerator {
 }
 }
- private boolean isUpdatable(final RbacView.Column c) {
- return rbacDef.getUpdatableColumns().contains(c);
- }
-
 private void updateGrantsDependingOn(final StringWriter plPgSql, final String columnName) {
 rbacDef.getGrantDefs().stream()
 .filter(RbacView.RbacGrantDefinition::isToCreate)
 .filter(g -> g.dependsOnColumn(columnName))
+ .filter(g -> !isInsertPermissionGrant(g))
 .forEach(g -> {
 plPgSql.ensureSingleEmptyLine();
 plPgSql.writeLn(generateRevoke(g));
@@ -261,6 +259,11 @@ class RolesGrantsAndPermissionsGenerator {
 });
 }
+ private static Boolean isInsertPermissionGrant(final RbacView.RbacGrantDefinition g) {
+ final var isInsertPermissionGrant = ofNullable(g.getPermDef()).map(RbacPermissionDefinition::getPermission).map(p -> p == INSERT).orElse(false);
+ return isInsertPermissionGrant;
+ }
+
 private void generateGrants(final StringWriter plPgSql, final RbacView.RbacGrantDefinition.GrantType grantType) {
 plPgSql.ensureSingleEmptyLine();
 rbacGrants.stream()
@@ -407,7 +410,7 @@ class RolesGrantsAndPermissionsGenerator {
 if (!incomingGrants.isEmpty()) {
 final var arrayElements = incomingGrants.stream()
 .map(g -> toPlPgSqlReference(NEW, g.getSuperRoleDef(), g.isAssumed()))
- .toList();
+ .sorted().toList();
 plPgSql.indented(() -> plPgSql.writeLn("incomingSuperRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
 rbacGrants.removeAll(incomingGrants);
@@ -419,7 +422,7 @@ class RolesGrantsAndPermissionsGenerator {
 if (!outgoingGrants.isEmpty()) {
 final var arrayElements = outgoingGrants.stream()
 .map(g -> toPlPgSqlReference(NEW, g.getSubRoleDef(), g.isAssumed()))
- .toList();
+ .sorted().toList();
 plPgSql.indented(() -> plPgSql.writeLn("outgoingSubRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
 rbacGrants.removeAll(outgoingGrants);
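Review bot: The new `.filter(g -> !isInsertPermissionGrant(g))` in updateGrantsDependingOn exempts INSERT-permission grants from the revoke emitted right below it, and nothing in the hunk records why; if such a grant can depend on the updated column at all, the role that held it on the old side keeps INSERT after the column changes. A comment above the filter, e.g. `// INSERT permission grants are neither revoked nor re-granted on column update: <reason>` (presumably because they are attached to the referenced object rather than to the updated row — to be confirmed), would make the exemption reviewable against the SQL it produces. The matching edits in 123-test-package-rbac.sql and 133-test-domain-rbac.sql appear to drop only the revokePermissionFromRole(... 'INSERT' ...) call and keep revokeRoleFromRole, which is consistent with that reading. The hunk's first lines belong to the preceding method and updateGrantsDependingOn's body continues past the end of the hunk.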
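Review bot: `isInsertPermissionGrant` declares a boxed `Boolean` return type and stores the result in a local of the same name only to return it, while its sole caller in this diff negates it as `!isInsertPermissionGrant(g)`, which auto-unboxes; a primitive return and a direct return say the same thing without the indirection: `private static boolean isInsertPermissionGrant(final RbacView.RbacGrantDefinition g) {` / `return ofNullable(g.getPermDef()).map(RbacPermissionDefinition::getPermission).map(p -> p == INSERT).orElse(false);` / `}`. A short Javadoc stating that a grant without a permission definition (judging by the null handling, a role-to-role grant — to be confirmed) is treated as not an INSERT grant would also make the `orElse(false)` intentional rather than incidental.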
diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql
index 6b8e2c80..070d3fcc 100644
--- a/src/main/resources/db/changelog/123-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/123-test-package-rbac.sql
@@ -110,8 +110,6 @@ begin
 if NEW.customerUuid <> OLD.customerUuid then
- call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testCustomerAdmin(oldCustomer));
-
 call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
 call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql
index 63f1391d..bef72697 100644
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
@@ -106,8 +106,6 @@ begin
 if NEW.packageUuid <> OLD.packageUuid then
- call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));
-
 call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
 call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
index ec831467..1e10350e 100644
--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
@@ -65,8 +65,8 @@ begin
 perform createRoleWithGrants(
 hsOfficeRelationAgent(NEW),
 incomingSuperRoles => array[
- hsOfficeRelationAdmin(NEW),
- hsOfficePersonAdmin(newHolderPerson)]
+ hsOfficePersonAdmin(newHolderPerson),
+ hsOfficeRelationAdmin(NEW)]
 );
 perform createRoleWithGrants(
@@ -74,12 +74,12 @@ begin
 permissions => array['SELECT'],
 incomingSuperRoles => array[
 hsOfficeContactAdmin(newContact),
- hsOfficeRelationAgent(NEW),
- hsOfficePersonAdmin(newHolderPerson)],
+ hsOfficePersonAdmin(newHolderPerson),
+ hsOfficeRelationAgent(NEW)],
 outgoingSubRoles => array[
+ hsOfficeContactReferrer(newContact),
 hsOfficePersonReferrer(newAnchorPerson),
- hsOfficePersonReferrer(newHolderPerson),
- hsOfficeContactReferrer(newContact)]
+ hsOfficePersonReferrer(newHolderPerson)]
 );
 call leaveTriggerForObjectUuid(NEW.uuid);
diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
index 9ff47369..666d4759 100644
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
@@ -64,17 +64,17 @@ begin
 hsOfficeSepaMandateAgent(NEW),
 incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
 outgoingSubRoles => array[
- hsOfficeRelationAgent(newDebitorRel),
- hsOfficeBankAccountReferrer(newBankAccount)]
+ hsOfficeBankAccountReferrer(newBankAccount),
+ hsOfficeRelationAgent(newDebitorRel)]
 );
 perform createRoleWithGrants(
 hsOfficeSepaMandateReferrer(NEW),
 permissions => array['SELECT'],
 incomingSuperRoles => array[
+ hsOfficeBankAccountAdmin(newBankAccount),
 hsOfficeRelationAgent(newDebitorRel),
- hsOfficeSepaMandateAgent(NEW),
- hsOfficeBankAccountAdmin(newBankAccount)],
+ hsOfficeSepaMandateAgent(NEW)],
 outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
 );
diff --git a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
index b494ca72..1344821c 100644
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
@@ -54,8 +54,8 @@ begin
 hsOfficeMembershipAdmin(NEW),
 permissions => array['UPDATE'],
 incomingSuperRoles => array[
- hsOfficeRelationAgent(newPartnerRel),
- hsOfficeMembershipOwner(NEW)]
+ hsOfficeMembershipOwner(NEW),
+ hsOfficeRelationAgent(newPartnerRel)]
 );
 perform createRoleWithGrants(