patch generated rbac trigger to fix too broad INSERT grants

This commit is contained in:
Michael Hoennig 2024-04-13 13:27:24 +02:00
parent e46813bf9c
commit 38b1c20f64

View File

@ -104,25 +104,28 @@ do language plpgsql $$
call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows');
FOR row IN SELECT * FROM hs_office_relation
WHERE type in ('DEBITOR') -- TODO.rbac: currently manually patched, needs to be generated
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsOfficeRelationADMIN(row));
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsOfficeRelationADMIN(row));
END LOOP;
END;
$$;
/**
Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows.
Adds hs_booking_item INSERT permission to specified roleNSERT permission to specified role of new hs_office_relation rows.
*/
create or replace function hs_booking_item_hs_office_relation_insert_tf()
returns trigger
language plpgsql
strict as $$
begin
call grantPermissionToRole(
if NEW.type = 'DEBITOR' then -- TODO.rbac: currently manually patched, needs to be generated
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsOfficeRelationADMIN(NEW));
end if;
return NEW;
end; $$;