patch generated rbac trigger to fix too broad INSERT grants

2024-04-13 13:27:24 +02:00 · 2024-04-13 13:27:24 +02:00 · 38b1c20f64
commit 38b1c20f64
parent e46813bf9c
1 changed files with 7 additions and 4 deletions
--- a/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql
@ -104,25 +104,28 @@ do language plpgsql $$
        call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows');

        FOR row IN SELECT * FROM hs_office_relation
+                WHERE type in ('DEBITOR') -- TODO.rbac: currently manually patched, needs to be generated
            LOOP
                call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
-                    hsOfficeRelationADMIN(row));
+                createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+                hsOfficeRelationADMIN(row));
            END LOOP;
    END;
 $$;

 /**
-    Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows.
+    Adds hs_booking_item INSERT permission to specified roleNSERT permission to specified role of new hs_office_relation rows.
 */
 create or replace function hs_booking_item_hs_office_relation_insert_tf()
    returns trigger
    language plpgsql
    strict as $$
 begin
-    call grantPermissionToRole(
+    if NEW.type = 'DEBITOR' then -- TODO.rbac: currently manually patched, needs to be generated
+        call grantPermissionToRole(
            createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
            hsOfficeRelationADMIN(NEW));
+    end if;
    return NEW;
 end; $$;