patch generated rbac trigger to fix too broad INSERT grants

This commit is contained in:
Michael Hoennig 2024-04-13 13:27:24 +02:00
parent e46813bf9c
commit 38b1c20f64

View File

@ -104,25 +104,28 @@ do language plpgsql $$
call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows'); call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows');
FOR row IN SELECT * FROM hs_office_relation FOR row IN SELECT * FROM hs_office_relation
WHERE type in ('DEBITOR') -- TODO.rbac: currently manually patched, needs to be generated
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_item'), createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsOfficeRelationADMIN(row)); hsOfficeRelationADMIN(row));
END LOOP; END LOOP;
END; END;
$$; $$;
/** /**
Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows. Adds hs_booking_item INSERT permission to specified roleNSERT permission to specified role of new hs_office_relation rows.
*/ */
create or replace function hs_booking_item_hs_office_relation_insert_tf() create or replace function hs_booking_item_hs_office_relation_insert_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
call grantPermissionToRole( if NEW.type = 'DEBITOR' then -- TODO.rbac: currently manually patched, needs to be generated
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsOfficeRelationADMIN(NEW)); hsOfficeRelationADMIN(NEW));
end if;
return NEW; return NEW;
end; $$; end; $$;