From 2cdee9f6932491929054328400a6282b2507d29c Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Sat, 23 Nov 2024 10:30:21 +0100
Subject: [PATCH] introduce hasGlobalAdminRole to optimize rbac select queries for global admins
---
 .../changelog/1-rbac/1058-rbac-generators.sql | 2 +-
 .../db/changelog/1-rbac/1080-rbac-global.sql | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index b8af04f4..547b0397 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -223,7 +223,7 @@ begin
                 )
             select target.* from %1$s as target
-                where target.uuid in (select * from accessible_uuids)
+                where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)
                 order by %2$s;
         grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
index 51cdb6c2..cf303db3 100644
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
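Review bot: The new `rbac.hasGlobalAdminRole() or` disjunct in the generated `%1$s_rv` view makes an unset session context equivalent to global-admin access: as defined in the 1080-rbac-global.sql hunk, the function returns true whenever `hsadminng.currentSubjectOrAssumedRolesUuids` is absent or empty, so a session that never ran the context setup now sees every row of every `_rv` view, where the old predicate returned only the rows in `accessible_uuids`. Unless context definition is guaranteed to precede every access (not visible from this hunk), the check should fail closed, for example by returning false when the setting is absent and keeping the bypass only for a subject that is verified to hold the global admin role. The intent also deserves a comment on the view line, e.g. `-- global admins without an assumed role skip the uuid filter, see rbac.hasGlobalAdminRole()`. The enclosing generator function starts and ends outside the hunk.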
@@ -35,6 +35,30 @@ end; $$;
 --//
+-- ============================================================================
+--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--//
+-- ----------------------------------------------------------------------------
+/*
+    Returns true if the current user is a global admin and has no assumed role.
+ */
+create or replace function rbac.hasGlobalAdminRole()
+    returns boolean
+    stable -- leakproof
+    language plpgsql as $$
+declare
+    currentSubjectOrAssumedRolesUuids text;
+begin
+    begin
+        currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids');
+    exception
+        when others then
+            currentSubjectOrAssumedRolesUuids := null;
+    end;
+    return currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0;
+end; $$;
+--//
+
+
 -- ============================================================================
 --changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
 -- ------------------------------------------------------------------
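Review bot: The `begin ... exception when others` block around `current_setting` can be replaced by the missing_ok form, `currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids', true);`, which yields null for an unset setting without swallowing unrelated errors such as a failing type cast or a cancelled statement. The header comment promises "the current user is a global admin", but the body only tests that the setting is null or empty; that equivalence presumably rests on the context setup storing an empty value exactly for a global admin without an assumed role, so the comment should name that dependency, e.g. `-- relies on defineContext() leaving this setting empty only for a global admin without assumed roles; an absent setting also yields true`. The trailing `-- leakproof` remark on the `stable` line declares nothing; either drop it or state why the function is not declared leakproof.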