From 3d335def187f4743efc0a13191e1eaa5b56aa0cb Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 14 Sep 2024 13:19:41 +0200 Subject: [PATCH] amend rbac generators and re-generate --- .../booking/item/HsBookingItemRbacEntity.java | 5 ++- .../hs/booking/project/HsBookingProject.java | 3 +- .../project/HsBookingProjectRbacEntity.java | 3 +- .../HsOfficeBankAccountEntity.java | 2 +- .../office/debitor/HsOfficeDebitorEntity.java | 3 +- .../membership/HsOfficeMembershipEntity.java | 3 +- .../partner/HsOfficePartnerDetailsEntity.java | 3 +- .../office/partner/HsOfficePartnerEntity.java | 3 +- .../office/person/HsOfficePersonEntity.java | 2 +- .../rbac/rbacdef/InsertTriggerGenerator.java | 44 ++++++++++--------- .../rbacdef/RbacIdentityViewGenerator.java | 2 +- .../rbac/rbacdef/RbacObjectGenerator.java | 2 +- .../rbacdef/RbacRestrictedViewGenerator.java | 2 +- .../rbacdef/RbacRoleDescriptorsGenerator.java | 2 +- .../hsadminng/rbac/rbacdef/RbacView.java | 32 ++++++++++++-- .../rbacdef/RbacViewPostgresGenerator.java | 2 +- .../RolesGrantsAndPermissionsGenerator.java | 18 ++++---- .../2013-test-customer-rbac.sql | 14 +++--- .../2023-test-package-rbac.sql | 2 +- .../203-test-domain/2033-test-domain-rbac.sql | 2 +- .../502-person/5023-hs-office-person-rbac.sql | 2 +- .../5043-hs-office-partner-rbac.sql | 16 +++---- .../5044-hs-office-partner-details-rbac.sql | 30 ++++++------- .../5053-hs-office-bankaccount-rbac.sql | 2 +- .../5063-hs-office-debitor-rbac.sql | 18 ++++---- .../5073-hs-office-sepamandate-rbac.sql | 8 ++-- .../5103-hs-office-membership-rbac.sql | 18 ++++---- .../5113-hs-office-coopshares-rbac.sql | 6 +-- .../5123-hs-office-coopassets-rbac.sql | 6 +-- 29 files changed, 146 insertions(+), 109 deletions(-) diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java index 1b3fc598..e7e3ecc6 100644 
--- a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java @@ -17,6 +17,7 @@ import java.io.IOException; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; @@ -45,8 +46,8 @@ public class HsBookingItemRbacEntity extends HsBookingItem { .withIdentityView(SQL.projection("caption")) .withRestrictedViewOrderBy(SQL.expression("validity")) .withUpdatableColumns("version", "caption", "validity", "resources") - .toRole("global", ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data? - .toRole("global", ADMIN).grantPermission(DELETE) + .toRole(GLOBAL, ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data? + .toRole(GLOBAL, ADMIN).grantPermission(DELETE) .importEntityAlias("project", HsBookingProject.class, usingDefaultCase(), dependsOnColumn("projectUuid"), diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java index 6ca163a3..efda0135 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java 
@@ -20,6 +20,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType. import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; @@ -91,7 +92,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity { with.incomingSuperRole("debitorRel", AGENT).unassumed(); diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRbacEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRbacEntity.java index 5295dfaf..bf955d22 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRbacEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRbacEntity.java @@ -17,6 +17,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType. import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; 
@@ -63,7 +64,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject { """), NOT_NULL) .toRole("debitorRel", ADMIN).grantPermission(INSERT) - .toRole("global", ADMIN).grantPermission(DELETE) + .toRole(GLOBAL, ADMIN).grantPermission(DELETE) .createRole(OWNER, (with) -> { with.incomingSuperRole("debitorRel", AGENT).unassumed(); diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java index e58361b7..093795f2 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java @@ -62,7 +62,7 @@ public class HsOfficeBankAccountEntity implements BaseEntity { with.owningUser(CREATOR); diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java index 192f3f2e..82e5473f 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java @@ -43,6 +43,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType. import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; 
@@ -188,7 +189,7 @@ public class HsOfficeDebitorEntity implements BaseEntity, "vatBusiness", "vatReverseCharge", "defaultPrefix") - .toRole("global", ADMIN).grantPermission(INSERT) + .toRole(GLOBAL, ADMIN).grantPermission(INSERT) .importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR), directlyFetchedByDependsOnColumn(), diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java index 447d92ba..e5e99803 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java @@ -40,6 +40,7 @@ import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateR import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; @@ -174,7 +175,7 @@ public class HsOfficeMembershipEntity implements BaseEntity { with.owningUser(CREATOR); diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java index 1ef8cb8f..85ce126a 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java 
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java @@ -13,6 +13,7 @@ import java.io.IOException; import java.time.LocalDate; import java.util.UUID; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor; @@ -82,7 +83,7 @@ public class HsOfficePartnerDetailsEntity implements BaseEntity, S return rbacViewFor("person", HsOfficePersonEntity.class) .withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)")) .withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName") - .toRole("global", GUEST).grantPermission(INSERT) + .toRole(GLOBAL, GUEST).grantPermission(INSERT) .createRole(OWNER, (with) -> { with.permission(DELETE); diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java index 454a4394..2d6ca831 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java @@ -55,7 +55,7 @@ public class InsertTriggerGenerator { plPgSql.writeLn(""" -- granting INSERT permission to ${rawSubTable} ---------------------------- """, - with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableName())); + with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema())); if (isGrantToADifferentTable(g)) { plPgSql.writeLn( @@ -73,7 +73,7 @@ public class InsertTriggerGenerator { ${whenCondition} LOOP call rbac.grantPermissionToRole( - createPermission(row.uuid, 'INSERT', '${rawSubTable}'), + rbac.createPermission(row.uuid, 'INSERT', '${rawSubTable}'), ${superRoleRef}); END LOOP; end; 
@@ -84,40 +84,40 @@ public class InsertTriggerGenerator { ? "WHERE type = '${value}'" .replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value) : "-- unconditional for all rows in that table"), - with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()), - with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()), + with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()), + with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()), with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row"))); } else { plPgSql.writeLn(""" -- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped, -- because there cannot yet be any pre-existing rows in the same table yet. """, - with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()), - with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName())); + with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()), + with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema())); } plPgSql.writeLn(""" /** Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows. */ - create or replace function new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf() + create or replace function ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf() returns trigger language plpgsql strict as $$ begin ${ifConditionThen} call rbac.grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'), + rbac.createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'), ${superRoleRef}); ${ifConditionEnd} return NEW; end; $$; - + -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist - create trigger z_new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tg - after insert on ${rawSuperTable} + create trigger z_new_${rawSubTable}_grants_after_insert_tg + after insert on ${rawSuperTableWithSchema} for each row - execute procedure new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf(); + execute procedure ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf(); """, with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent() // TODO.impl: .type needs to be dynamically generated @@ -127,8 +127,12 @@ public class InsertTriggerGenerator { ? "end if;" : "-- end."), with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())), + with("rawSuperTableWithSchema", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()), + with("rawSuperTableShortName", g.getSuperRoleDef().getEntityAlias().getRawTableShortName()), with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()), - with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName())); + with("rawSuperTableSchemaName", g.getSuperRoleDef().getEntityAlias().getRawTableSchemaPrefix()), + with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()), + with("rawSubTableShortName", g.getPermDef().getEntityAlias().getRawTableShortName())); }); } @@ -158,7 +162,7 @@ public class InsertTriggerGenerator { for each row execute procedure ${rawSubTable}_insert_permission_missing_tf(); """, - with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); + with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema())); plPgSql.writeLn("--//"); } 
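Review bot: The trigger name on the new side of the @@ -84 hunk, `create trigger z_new_${rawSubTable}_grants_after_insert_tg`, is built from the schema-qualified table name (bound in @@ -127 to getRawTableNameWithSchema()), while the function it executes uses `${rawSubTableShortName}`; as soon as a permission-side table carries a schema the generated trigger name contains a dot, which CREATE TRIGGER rejects because trigger names cannot be schema-qualified. Using the short name there, `create trigger z_new_${rawSubTableShortName}_grants_after_insert_tg`, keeps trigger and function naming consistent with the function line two lines below. The same pattern appears in `${rawSubTable}_insert_permission_missing_tf()` in @@ -158 and `${rawSubTable}_insert_permission_check_tg` in @@ -264, where `rawSubTable` is now the schema-qualified root table. Separately, the else branch of @@ -84 now binds `rawSuperTable` and `rawSubTable` but the text block still hard-codes `hs_hosting_asset`; `-- Granting INSERT INTO ${rawSubTable} permissions to specified role of pre-existing ${rawSuperTable} rows slipped,` would make the comment in the generated SQL true for every entity. The enclosing lambda and method start before and end after this hunk.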
@@ -192,7 +196,7 @@ public class InsertTriggerGenerator { superObjectUuid uuid; begin """, - with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); + with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema())); plPgSql.chopEmptyLines(); } @@ -231,7 +235,7 @@ public class InsertTriggerGenerator { """, with("caseCondition", caseCondition), with("refColumn", superRoleEntityAlias.dependsOnColumName()), - with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); + with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema())); } else { plPgSql.writeLn( """ @@ -243,7 +247,7 @@ public class InsertTriggerGenerator { end if; """, with("caseCondition", caseCondition), - with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()), + with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()), with("refColumn", superRoleEntityAlias.dependsOnColumName()), with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql), with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"), @@ -255,7 +259,7 @@ public class InsertTriggerGenerator { plPgSql.writeLn(); plPgSql.writeLn(""" raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)', - NEW, base.currentSubjects(), currentSubjectOrAssumedRolesUuids(); + NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); end; $$; create trigger ${rawSubTable}_insert_permission_check_tg @@ -264,7 +268,7 @@ public class InsertTriggerGenerator { execute procedure ${rawSubTable}_insert_permission_check_tf(); --// """, - with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); + with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema())); } private String toStringList(final Set cases) { 
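Review bot: The `raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)'` text in the @@ -255 hunk still interpolates the complete `NEW` record and the result of `rbac.currentSubjectOrAssumedRolesUuids()` into the error message; if the `[403]` prefix is what maps this exception to an HTTP response, the submitted row and the internal role UUIDs are echoed to the client. The row itself is low risk because the caller supplied it, but the role UUIDs are internal identifiers that belong in server-side logging rather than in a client-facing message. A shorter text such as `raise exception '[403] insert into ${rawSubTable} not allowed for current subjects %', base.currentSubjects();` stays informative without the internals; whether the message really reaches clients cannot be confirmed from this diff. The generating method starts before the hunk.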
@@ -272,7 +276,7 @@ public class InsertTriggerGenerator {
 }
 private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) {
- return !rbacDef.getRootEntityAlias().getRawTableName().equals(g.getSuperRoleDef().getEntityAlias().getRawTableName());
+ return !rbacDef.getRootEntityAlias().getRawTableNameWithSchema().equals(g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema());
 }
 private Stream getInsertGrants() {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java
index f7c4d20d..613a5e94 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java
@@ -12,7 +12,7 @@ public class RbacIdentityViewGenerator {
 this.rbacDef = rbacDef;
 this.liquibaseTagPrefix = liquibaseTagPrefix;
 this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
- this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
+ this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
 }
 void generateTo(final StringWriter plPgSql) {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java
index 45c5cfbe..e685f1df 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java
@@ -9,7 +9,7 @@ public class RbacObjectGenerator {
 public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
 this.liquibaseTagPrefix = liquibaseTagPrefix;
- this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
+ this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
 }
 void generateTo(final StringWriter plPgSql) {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java
index b66c8e19..156dc685 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java
@@ -13,7 +13,7 @@ public class RbacRestrictedViewGenerator {
 public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
 this.rbacDef = rbacDef;
 this.liquibaseTagPrefix = liquibaseTagPrefix;
- this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
+ this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
 }
 void generateTo(final StringWriter plPgSql) {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java
index 894a5e6e..23c1bbd7 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java
@@ -11,7 +11,7 @@ public class RbacRoleDescriptorsGenerator {
 public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
 this.liquibaseTagPrefix = liquibaseTagPrefix;
 this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
- this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
+ this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
 }
 void generateTo(final StringWriter plPgSql) {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
index 03f7d4cb..de787301 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java @@ -548,7 +548,7 @@ public class RbacView { } public RbacView grantPermission(final Permission perm) { - final var forTable = rootEntityAlias.getRawTableName(); + final var forTable = rootEntityAlias.getRawTableNameWithSchema(); findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate(); return RbacView.this; } @@ -937,7 +937,7 @@ public class RbacView { return switch (fetchSql.part) { case SQL_QUERY -> fetchSql; case AUTO_FETCH -> - SQL.query("SELECT * FROM " + getRawTableName() + " WHERE uuid = ${ref}." + dependsOnColum.column); + SQL.query("SELECT * FROM " + getRawTableNameWithSchema() + " WHERE uuid = ${ref}." + dependsOnColum.column); default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql); }; } 
@@ -960,13 +960,39 @@ public class RbacView { : uncapitalize(withoutEntitySuffix(entityClass.getSimpleName())); } - String getRawTableName() { + String getRawTableNameWithSchema() { if ( aliasName.equals("rbac.global")) { return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class? } return withoutRvSuffix(entityClass.getAnnotation(Table.class).name()); } + String getRawTableSchemaPrefix() { + final var rawTableNameWithSchema = getRawTableNameWithSchema(); + final var parts = rawTableNameWithSchema.split("\\."); + final var rawTableSchemaPrefix = parts.length > 1 ? parts[0] + "." : ""; + return rawTableSchemaPrefix; + } + + String getRawTableName() { + final var rawTableNameWithSchema = getRawTableNameWithSchema(); + final var parts = rawTableNameWithSchema.split("\\."); + final var rawTableName = parts.length > 1 ? parts[1] : rawTableNameWithSchema; + return rawTableName; + } + + String getRawTableShortName() { + // TODO.impl: some combined function and trigger names are too long + // maybe we should shorten the table name e.g. hs_office_coopsharestransaction -> hsof.coopsharetx + // this is just a workaround: + return getRawTableName() + .replace("hs_office_", "hsof_") + .replace("hs_booking_", "hsbk_") + .replace("hs_hosting_", "hsho_") + .replace("coopsharestransaction", "coopsharetx") + .replace("coopassetstransaction", "coopassettx"); + } + String dependsOnColumName() { if (dependsOnColum == null) { throw new IllegalStateException( diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java index 5a3b2be8..cf80c443 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java 
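Review bot: `getRawTableSchemaPrefix()` and the new `getRawTableName()` each re-run `split("\\.")` on the same value, and `parts[1]` silently returns only the second segment should a @Table name ever contain more than one dot; a single `indexOf('.')` expresses the intent without array indexing and makes the two methods visibly complementary. Note also that `getRawTableName()` keeps its old name but changes meaning (schema stripped, where the previous implementation returned the @Table name verbatim), so any caller not touched by this commit, e.g. in tests, now silently receives a different value — worth a grep. The literal `"rbac.global"` compared in `getRawTableNameWithSchema()` looks like the same value the entity files now import as `RbacView.GLOBAL`; if it is, comparing against the constant keeps the two from drifting apart. The hunk context appears to belong to a nested alias class whose body extends beyond the hunk.
```java
    String getRawTableSchemaPrefix() {
        final var withSchema = getRawTableNameWithSchema();
        final var dot = withSchema.indexOf('.');
        return dot < 0 ? "" : withSchema.substring(0, dot + 1);
    }

    String getRawTableName() {
        final var withSchema = getRawTableNameWithSchema();
        final var dot = withSchema.indexOf('.');
        return dot < 0 ? withSchema : withSchema.substring(dot + 1);
    }
    // … unchanged: getRawTableShortName …
```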
@@ -17,7 +17,7 @@ public class RbacViewPostgresGenerator { public RbacViewPostgresGenerator(final RbacView forRbacDef) { rbacDef = forRbacDef; - liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableName().replace("_", "-"); + liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableNameWithSchema().replace("_", "-"); plPgSql.writeLn(""" --liquibase formatted sql -- This code generated was by ${generator}, do not amend manually. diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java index 7c1faccf..865e9a3b 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java @@ -40,7 +40,7 @@ class RolesGrantsAndPermissionsGenerator { simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName(); simpleEntityName = capitalize(simpleEntityVarName); - rawTableName = rbacDef.getRootEntityAlias().getRawTableName(); + rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema(); } void generateTo(final StringWriter plPgSql) { @@ -77,7 +77,7 @@ class RolesGrantsAndPermissionsGenerator { plPgSql.writeLn("declare"); plPgSql.indented(() -> { referencedEntityAliases() - .forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";")); + .forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";")); }); plPgSql.writeLn(); 
@@ -145,8 +145,8 @@ class RolesGrantsAndPermissionsGenerator { plPgSql.indented(() -> { referencedEntityAliases() .forEach((ea) -> { - plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableName() + ";"); - plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";"); + plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableNameWithSchema() + ";"); + plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";"); }); }); @@ -322,7 +322,7 @@ class RolesGrantsAndPermissionsGenerator { final var grantSql = switch (grantDef.grantType()) { case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant"); case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});" - .replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()") + .replace("${assumed}", grantDef.isAssumed() ? "" : ", rbac.unassumed()") .replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef())) .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef())); case PERM_TO_ROLE -> @@ -343,7 +343,7 @@ class RolesGrantsAndPermissionsGenerator { } private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { - return permRef("createPermission", ref, permDef); + return permRef("rbac.createPermission", ref, permDef); } private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { @@ -580,7 +580,7 @@ class RolesGrantsAndPermissionsGenerator { private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) { return switch (userRef.role) { - case CREATOR -> "currentSubjectUuid()"; + case CREATOR -> "rbac.currentSubjectUuid()"; default -> throw new IllegalArgumentException("unknown user role: " + userRef); }; } 
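Review bot: The literal `", rbac.unassumed()"` introduced in the @@ -322 hunk is spelled out again twice in the @@ -589 hunk (`assumedArg` and the inlined `"(rbac.unassumed())"` for the global branch), so the schema qualification now lives in three places that must be edited together. A single `private static final String UNASSUMED = "rbac.unassumed()";` used by both methods would keep them in sync, and the same holds for `"rbac.createPermission"` in @@ -343 and `"rbac.currentSubjectUuid()"` in @@ -580 if more such call sites follow. Qualifying these calls with the `rbac.` schema is the right direction, since the generated PL/pgSQL then no longer depends on `search_path` resolution when the trigger runs. The switch expression and the surrounding methods extend beyond the hunk.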
@@ -589,9 +589,9 @@ class RolesGrantsAndPermissionsGenerator { final PostgresTriggerReference triggerRef, final RbacView.RbacRoleDefinition roleDef, final boolean assumed) { - final var assumedArg = assumed ? "" : ", unassumed()"; + final var assumedArg = assumed ? "" : ", rbac.unassumed()"; return toRoleRef(roleDef) + - (roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(unassumed())") + (roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(rbac.unassumed())") : rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")") : "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")"); } diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql index acd8994c..37b4ea9e 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql @@ -87,7 +87,7 @@ execute procedure insertTriggerForTestCustomer_tf(); */ do language plpgsql $$ declare - row rbac.global%ROWTYPE; + row rbac.global; begin call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows'); @@ -96,15 +96,15 @@ do language plpgsql $$ LOOP call rbac.grantPermissionToRole( rbac.createPermission(row.uuid, 'INSERT', 'test_customer'), - rbac.globalAdmin()); + rbac.globalADMIN()); END LOOP; end; $$; /** - Grants test_customer INSERT permission to specified role of new rbac.global rows. + Grants test_customer INSERT permission to specified role of new global rows. */ -create or replace function new_test_customer_grants_insert_to_global_tf() +create or replace function rbac.new_test_customer_grants_insert_to_global_tf() returns trigger language plpgsql strict as $$ 
@@ -112,16 +112,16 @@ begin -- unconditional for all rows in that table call rbac.grantPermissionToRole( rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'), - rbac.globalAdmin()); + rbac.globalADMIN()); -- end. return NEW; end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_new_test_customer_grants_insert_to_global_tg +create trigger z_new_test_customer_grants_after_insert_tg after insert on rbac.global for each row -execute procedure new_test_customer_grants_insert_to_global_tf(); +execute procedure rbac.new_test_customer_grants_insert_to_global_tf(); -- ============================================================================ diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql index 20f98256..f857d51a 100644 --- a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql +++ b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql @@ -183,7 +183,7 @@ begin end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_new_test_package_grants_insert_to_test_customer_tg +create trigger z_new_test_package_grants_after_insert_tg after insert on test_customer for each row execute procedure new_test_package_grants_insert_to_test_customer_tf(); diff --git a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql index 561ea5a7..a09dc12a 100644 --- a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql 
@@ -182,7 +182,7 @@ begin end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_new_test_domain_grants_insert_to_test_package_tg +create trigger z_new_test_domain_grants_after_insert_tg after insert on test_package for each row execute procedure new_test_domain_grants_insert_to_test_package_tf(); diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql index 16b624cb..48e3c280 100644 --- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql @@ -37,7 +37,7 @@ begin perform rbac.defineRoleWithGrants( hsOfficePersonOWNER(NEW), permissions => array['DELETE'], - incomingSuperRoles => array[rbac.globalAdmin()], + incomingSuperRoles => array[rbac.globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index 1cd6335a..183be0b2 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql 
@@ -164,24 +164,24 @@ execute procedure updateTriggerForHsOfficePartner_tf();
 */
 do language plpgsql $$
 declare
- row rbac.global%ROWTYPE;
+ row rbac.global;
 begin
- call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
+ call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.global rows');
 FOR row IN SELECT * FROM rbac.global
 -- unconditional for all rows in that table
 LOOP
 call rbac.grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 END LOOP;
 end;
 $$;
 /**
- Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
+ Grants hs_office_partner INSERT permission to specified role of new global rows.
 */
-create or replace function new_hs_office_partner_grants_insert_to_global_tf()
+create or replace function rbac.new_hsof_partner_grants_insert_to_global_tf()
 returns trigger
 language plpgsql
 strict as $$
@@ -189,16 +189,16 @@ begin
 -- unconditional for all rows in that table
 call rbac.grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 -- end.
 return NEW;
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_partner_grants_insert_to_global_tg
+create trigger z_new_hs_office_partner_grants_after_insert_tg
 after insert on rbac.global
 for each row
-execute procedure new_hs_office_partner_grants_insert_to_global_tf();
+execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
 -- ============================================================================
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
index 26b4e243..79386023 100644
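Review bot: The `base.defineContext(...)` message is rewritten on the `+` line but keeps the misspelling `pre-exising`; since the text comes from the generator, the fix belongs in the template, e.g. `call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-existing rbac.global rows');`. The same string recurs in the partner-details, debitor and membership hunks. In the same hunk the doc comment is changed from `new rbac.global rows` to `new global rows` while the message above it goes the other way to `rbac.global`; one spelling of the table name, preferably the schema-qualified one, would keep the generated text consistent.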
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
@@ -67,25 +67,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
 Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
 */
 do language plpgsql $$
-declare
- row rbac.global;
-begin
- call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
+ declare
+ row rbac.global;
+ begin
+ call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising rbac.global rows');
- FOR row IN SELECT * FROM rbac.global
- -- unconditional for all rows in that table
- LOOP
+ FOR row IN SELECT * FROM rbac.global
+ -- unconditional for all rows in that table
+ LOOP
 call rbac.grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
- rbac.globalAdmin());
- END LOOP;
-end;
+ rbac.globalADMIN());
+ END LOOP;
+ end;
 $$;
 /**
 Grants hs_office_partner_details INSERT permission to specified role of new global rows.
 */
-create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
+create or replace function rbac.new_hsof_partner_details_grants_insert_to_global_tf()
 returns trigger
 language plpgsql
 strict as $$
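Review bot: The `do` block is re-indented here (`+ declare`, `+ begin`, `+ end;` moved in by one level) whereas the corresponding `declare`/`begin`/`end;` lines in the partner, debitor and membership hunks are unchanged context, so unless those were already indented the files no longer look like output of the same template — presumably this file was regenerated with a different generator version, or edited by hand. If the commit's intent is a full re-generation, producing all of these changelogs from one generator run should remove the whitespace-only difference. The old `declare` at column 0 here also shows this file was already on a newer template (`row rbac.global;`) than the others before this commit.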
@@ -93,16 +93,16 @@ begin
 -- unconditional for all rows in that table
 call rbac.grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 -- end.
 return NEW;
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
+create trigger z_new_hs_office_partner_details_grants_after_insert_tg
 after insert on rbac.global
 for each row
-execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
+execute procedure rbac.new_hsof_partner_details_grants_insert_to_global_tf();
 -- ============================================================================
@@ -118,7 +118,7 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
 declare
 superObjectUuid uuid;
 begin
- -- check INSERT INSERT if rbac.Global ADMIN
+ -- check INSERT INSERT if rbac.global ADMIN
 if rbac.isGlobalAdmin() then
 return NEW;
 end if;
diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
index 5a11bc81..77d4edfa 100644
--- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
@@ -37,7 +37,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeBankAccountOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[rbac.globalAdmin()],
+ incomingSuperRoles => array[rbac.globalADMIN()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
index 4f000bb0..027e56d4 100644
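Review bot: The rewritten comment `-- check INSERT INSERT if rbac.global ADMIN` in the `@@ -118` hunk still carries the duplicated word; since this is generated text, the fix belongs in the generator template, `-- check INSERT permission if rbac.global ADMIN`, which would also correct the identical line in the membership `_insert_permission_check_tf` hunk. The enclosing function `hs_office_partner_details_insert_permission_check_tf` starts and ends outside the hunk, so whether the early `return NEW;` for global admins is the only path that skips the later check cannot be confirmed here.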
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
@@ -130,31 +130,31 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
 --changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
--- granting INSERT permission to rbac.Global ----------------------------
+-- granting INSERT permission to rbac.global ----------------------------
 /*
 Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
 */
 do language plpgsql $$
 declare
- row rbac.global%ROWTYPE;
+ row rbac.global;
 begin
- call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
+ call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.global rows');
 FOR row IN SELECT * FROM rbac.global
 -- unconditional for all rows in that table
 LOOP
 call rbac.grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 END LOOP;
 end;
 $$;
 /**
- Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
+ Grants hs_office_debitor INSERT permission to specified role of new global rows.
 */
-create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
+create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()
 returns trigger
 language plpgsql
 strict as $$
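Review bot: The SQL inside `--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1` is edited in place (the `declare` type, the `defineContext` message and the function name), which changes the changeset's checksum; on any database where this changeset has already been applied, Liquibase will reject the changelog at validation time unless the changeset is marked `runOnChange:true`, given a `validCheckSum`, or the change is shipped as a new changeset. If these changelogs are only ever applied to freshly created databases this is harmless, but that assumption is worth stating in the commit message. The same concern applies to every other hunk in this diff, as all of them edit SQL belonging to existing changesets.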
@@ -162,16 +162,16 @@ begin
 -- unconditional for all rows in that table
 call rbac.grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 -- end.
 return NEW;
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
+create trigger z_new_hs_office_debitor_grants_after_insert_tg
 after insert on rbac.global
 for each row
-execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
+execute procedure rbac.new_hsof_debitor_grants_insert_to_global_tf();
 -- ============================================================================
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
index ff1d7343..2048bafe 100644
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
@@ -50,7 +50,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeSepaMandateOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[rbac.globalAdmin()],
+ incomingSuperRoles => array[rbac.globalADMIN()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
@@ -129,7 +129,7 @@ $$;
 /**
 Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
 */
-create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
+create or replace function new_hsof_sepamandate_grants_insert_to_hsof_relation_tf()
 returns trigger
 language plpgsql
 strict as $$
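Review bot: The old function name `new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf` in the `@@ -129` hunk is 64 characters by my count, one over PostgreSQL's 63-byte identifier limit (default `NAMEDATALEN`), so it was silently truncated with a NOTICE on both the `create function` and the `execute procedure` side; the `hsof_` abbreviation fixes that, and the coopshares and coopassets hunks below replace names in the mid-70s that had the same problem. Nothing in the generated SQL guards against a future entity name pushing an identifier over the limit again, so the generator (outside this diff) should assert the length of every emitted trigger and function name, or the SQL should at least carry a comment stating the constraint, e.g. `-- identifier must stay <= 63 bytes (PostgreSQL NAMEDATALEN-1)`. The enclosing function body starts outside the hunk.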
@@ -143,10 +143,10 @@ begin
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
+create trigger z_new_hs_office_sepamandate_grants_after_insert_tg
 after insert on hs_office_relation
 for each row
-execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
+execute procedure new_hsof_sepamandate_grants_insert_to_hsof_relation_tf();
 -- ============================================================================
diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
index a3ca38ba..66a55a28 100644
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@@ -99,24 +99,24 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
 */
 do language plpgsql $$
 declare
- row rbac.global%ROWTYPE;
+ row rbac.global;
 begin
- call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
+ call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.global rows');
 FOR row IN SELECT * FROM rbac.global
 -- unconditional for all rows in that table
 LOOP
 call rbac.grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 END LOOP;
 end;
 $$;
 /**
- Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
+ Grants hs_office_membership INSERT permission to specified role of new global rows.
 */
-create or replace function new_hs_office_membership_grants_insert_to_global_tf()
+create or replace function rbac.new_hsof_membership_grants_insert_to_global_tf()
 returns trigger
 language plpgsql
 strict as $$
@@ -124,16 +124,16 @@ begin
 -- unconditional for all rows in that table
 call rbac.grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
- rbac.globalAdmin());
+ rbac.globalADMIN());
 -- end.
 return NEW;
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_membership_grants_insert_to_global_tg
+create trigger z_new_hs_office_membership_grants_after_insert_tg
 after insert on rbac.global
 for each row
-execute procedure new_hs_office_membership_grants_insert_to_global_tf();
+execute procedure rbac.new_hsof_membership_grants_insert_to_global_tf();
 -- ============================================================================
@@ -149,7 +149,7 @@ create or replace function hs_office_membership_insert_permission_check_tf()
 declare
 superObjectUuid uuid;
 begin
- -- check INSERT INSERT if rbac.Global ADMIN
+ -- check INSERT INSERT if rbac.global ADMIN
 if rbac.isGlobalAdmin() then
 return NEW;
 end if;
diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
index e0a9bd0c..6a10ff93 100644
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
@@ -92,7 +92,7 @@ $$;
 /**
 Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
 */
-create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
+create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()
 returns trigger
 language plpgsql
 strict as $$
@@ -106,10 +106,10 @@ begin
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
+create trigger z_new_hs_office_coopsharestransaction_grants_after_insert_tg
 after insert on hs_office_membership
 for each row
-execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
+execute procedure new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf();
 -- ============================================================================
diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
index a0351650..f77d8303 100644
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
@@ -92,7 +92,7 @@ $$;
 /**
 Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
 */
-create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
+create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
 returns trigger
 language plpgsql
 strict as $$
@@ -106,10 +106,10 @@ begin
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
+create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
 after insert on hs_office_membership
 for each row
-execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
+execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
 -- ============================================================================