diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index ae68b271..547b0397 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -223,7 +223,7 @@ begin
 ) select target.* from %1$s as target
- where rbac.isGlobalAdmin() or target.uuid in (select * from accessible_uuids)
+ where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)
 order by %2$s;
 grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
index 51cdb6c2..cf303db3 100644
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@@ -35,6 +35,30 @@ end; $$;
 --//
+-- ============================================================================
+--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--//
+-- ----------------------------------------------------------------------------
+/*
+ Returns true if the current user is a global admin and has no assumed role.
+ */
+create or replace function rbac.hasGlobalAdminRole()
+ returns boolean
+ stable -- leakproof
+ language plpgsql as $$
+declare
+ currentSubjectOrAssumedRolesUuids text;
+begin
+ begin
+ currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids');
+ exception
+ when others then
+ currentSubjectOrAssumedRolesUuids := null;
+ end;
+ return currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0;
+end; $$;
+--//
+
+
 -- ============================================================================
 --changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
 -- ------------------------------------------------------------------
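Review bot: `rbac.hasGlobalAdminRole()` returns true whenever `hsadminng.currentSubjectOrAssumedRolesUuids` is unset or empty (an unset GUC makes `current_setting` raise, which `when others` maps to null and thus to true), but nothing in the body verifies that the current subject holds any global-admin role, so the header comment overstates the contract and, at the call site in 1058-rbac-generators.sql (`where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)`), every row of a generated `_rv` view becomes visible to any session in which the context was never established — the row filter fails open on a missing setting. If the rbac design deliberately treats "no subject and no assumed role" as the global-admin context, state that instead of the current wording, e.g. `-- Returns true when no subject/assumed-role context is set in the session (hsadminng.currentSubjectOrAssumedRolesUuids unset or empty); the rbac layer treats this as the global-admin context. Does NOT check any role membership.`; if it is not deliberate, the missing-setting branch should return false. The `when others` handler also swallows every error, not only an unknown GUC; the `missing_ok` form of `current_setting` avoids the exception block entirely, so the body can be `return coalesce(current_setting('hsadminng.currentSubjectOrAssumedRolesUuids', true), '') = '';`. The `-- leakproof` remark on the `stable` line documents nothing the DDL enforces; either declare the attribute intentionally or drop the comment.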