amend rbac generators and re-generate

This commit is contained in:
Michael Hoennig 2024-09-14 13:19:41 +02:00
parent cde0feaa3f
commit 3d335def18
29 changed files with 146 additions and 109 deletions

View File

@ -17,6 +17,7 @@ import java.io.IOException;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
@ -45,8 +46,8 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
.withIdentityView(SQL.projection("caption")) .withIdentityView(SQL.projection("caption"))
.withRestrictedViewOrderBy(SQL.expression("validity")) .withRestrictedViewOrderBy(SQL.expression("validity"))
.withUpdatableColumns("version", "caption", "validity", "resources") .withUpdatableColumns("version", "caption", "validity", "resources")
.toRole("global", ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data? .toRole(GLOBAL, ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
.toRole("global", ADMIN).grantPermission(DELETE) .toRole(GLOBAL, ADMIN).grantPermission(DELETE)
.importEntityAlias("project", HsBookingProject.class, usingDefaultCase(), .importEntityAlias("project", HsBookingProject.class, usingDefaultCase(),
dependsOnColumn("projectUuid"), dependsOnColumn("projectUuid"),

View File

@ -20,6 +20,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
@ -91,7 +92,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
"""), """),
NOT_NULL) NOT_NULL)
.toRole("debitorRel", ADMIN).grantPermission(INSERT) .toRole("debitorRel", ADMIN).grantPermission(INSERT)
.toRole("global", ADMIN).grantPermission(DELETE) .toRole(GLOBAL, ADMIN).grantPermission(DELETE)
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.incomingSuperRole("debitorRel", AGENT).unassumed(); with.incomingSuperRole("debitorRel", AGENT).unassumed();

View File

@ -17,6 +17,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
@ -63,7 +64,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
"""), """),
NOT_NULL) NOT_NULL)
.toRole("debitorRel", ADMIN).grantPermission(INSERT) .toRole("debitorRel", ADMIN).grantPermission(INSERT)
.toRole("global", ADMIN).grantPermission(DELETE) .toRole(GLOBAL, ADMIN).grantPermission(DELETE)
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.incomingSuperRole("debitorRel", AGENT).unassumed(); with.incomingSuperRole("debitorRel", AGENT).unassumed();

View File

@ -62,7 +62,7 @@ public class HsOfficeBankAccountEntity implements BaseEntity<HsOfficeBankAccount
.withIdentityView(SQL.projection("iban")) .withIdentityView(SQL.projection("iban"))
.withUpdatableColumns("holder", "iban", "bic") .withUpdatableColumns("holder", "iban", "bic")
.toRole("global", GUEST).grantPermission(INSERT) .toRole(GLOBAL, GUEST).grantPermission(INSERT)
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);

View File

@ -43,6 +43,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
@ -188,7 +189,7 @@ public class HsOfficeDebitorEntity implements BaseEntity<HsOfficeDebitorEntity>,
"vatBusiness", "vatBusiness",
"vatReverseCharge", "vatReverseCharge",
"defaultPrefix") "defaultPrefix")
.toRole("global", ADMIN).grantPermission(INSERT) .toRole(GLOBAL, ADMIN).grantPermission(INSERT)
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR), .importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
directlyFetchedByDependsOnColumn(), directlyFetchedByDependsOnColumn(),

View File

@ -40,6 +40,7 @@ import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateR
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange; import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
@ -174,7 +175,7 @@ public class HsOfficeMembershipEntity implements BaseEntity<HsOfficeMembershipEn
WHERE partner.uuid = ${REF}.partnerUuid WHERE partner.uuid = ${REF}.partnerUuid
"""), """),
NOT_NULL) NOT_NULL)
.toRole("global", ADMIN).grantPermission(INSERT) .toRole(GLOBAL, ADMIN).grantPermission(INSERT)
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);

View File

@ -13,6 +13,7 @@ import java.io.IOException;
import java.time.LocalDate; import java.time.LocalDate;
import java.util.UUID; import java.util.UUID;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@ -82,7 +83,7 @@ public class HsOfficePartnerDetailsEntity implements BaseEntity<HsOfficePartnerD
"birthName", "birthName",
"birthday", "birthday",
"dateOfDeath") "dateOfDeath")
.toRole("global", ADMIN).grantPermission(INSERT) .toRole(GLOBAL, ADMIN).grantPermission(INSERT)
// The grants are defined in HsOfficePartnerEntity.rbac() // The grants are defined in HsOfficePartnerEntity.rbac()
// because they have to be changed when its partnerRel changes, // because they have to be changed when its partnerRel changes,

View File

@ -26,6 +26,7 @@ import java.util.UUID;
import static jakarta.persistence.CascadeType.*; import static jakarta.persistence.CascadeType.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
@ -103,7 +104,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
return rbacViewFor("partner", HsOfficePartnerEntity.class) return rbacViewFor("partner", HsOfficePartnerEntity.class)
.withIdentityView(SQL.projection("'P-' || partnerNumber")) .withIdentityView(SQL.projection("'P-' || partnerNumber"))
.withUpdatableColumns("partnerRelUuid") .withUpdatableColumns("partnerRelUuid")
.toRole("global", ADMIN).grantPermission(INSERT) .toRole(GLOBAL, ADMIN).grantPermission(INSERT)
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationRbacEntity.class, .importRootEntityAliasProxy("partnerRel", HsOfficeRelationRbacEntity.class,
usingDefaultCase(), usingDefaultCase(),

View File

@ -80,7 +80,7 @@ public class HsOfficePersonEntity implements BaseEntity<HsOfficePersonEntity>, S
return rbacViewFor("person", HsOfficePersonEntity.class) return rbacViewFor("person", HsOfficePersonEntity.class)
.withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)")) .withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)"))
.withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName") .withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName")
.toRole("global", GUEST).grantPermission(INSERT) .toRole(GLOBAL, GUEST).grantPermission(INSERT)
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.permission(DELETE); with.permission(DELETE);

View File

@ -55,7 +55,7 @@ public class InsertTriggerGenerator {
plPgSql.writeLn(""" plPgSql.writeLn("""
-- granting INSERT permission to ${rawSubTable} ---------------------------- -- granting INSERT permission to ${rawSubTable} ----------------------------
""", """,
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableName())); with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()));
if (isGrantToADifferentTable(g)) { if (isGrantToADifferentTable(g)) {
plPgSql.writeLn( plPgSql.writeLn(
@ -73,7 +73,7 @@ public class InsertTriggerGenerator {
${whenCondition} ${whenCondition}
LOOP LOOP
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
createPermission(row.uuid, 'INSERT', '${rawSubTable}'), rbac.createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
${superRoleRef}); ${superRoleRef});
END LOOP; END LOOP;
end; end;
@ -84,40 +84,40 @@ public class InsertTriggerGenerator {
? "WHERE type = '${value}'" ? "WHERE type = '${value}'"
.replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value) .replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value)
: "-- unconditional for all rows in that table"), : "-- unconditional for all rows in that table"),
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()), with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()), with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row"))); with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row")));
} else { } else {
plPgSql.writeLn(""" plPgSql.writeLn("""
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped, -- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
-- because there cannot yet be any pre-existing rows in the same table yet. -- because there cannot yet be any pre-existing rows in the same table yet.
""", """,
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()), with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName())); with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()));
} }
plPgSql.writeLn(""" plPgSql.writeLn("""
/** /**
Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows. Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows.
*/ */
create or replace function new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf() create or replace function ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
${ifConditionThen} ${ifConditionThen}
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'), rbac.createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
${superRoleRef}); ${superRoleRef});
${ifConditionEnd} ${ifConditionEnd}
return NEW; return NEW;
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tg create trigger z_new_${rawSubTable}_grants_after_insert_tg
after insert on ${rawSuperTable} after insert on ${rawSuperTableWithSchema}
for each row for each row
execute procedure new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf(); execute procedure ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf();
""", """,
with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent() with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
// TODO.impl: .type needs to be dynamically generated // TODO.impl: .type needs to be dynamically generated
@ -127,8 +127,12 @@ public class InsertTriggerGenerator {
? "end if;" ? "end if;"
: "-- end."), : "-- end."),
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())), with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())),
with("rawSuperTableWithSchema", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSuperTableShortName", g.getSuperRoleDef().getEntityAlias().getRawTableShortName()),
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()), with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName())); with("rawSuperTableSchemaName", g.getSuperRoleDef().getEntityAlias().getRawTableSchemaPrefix()),
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
with("rawSubTableShortName", g.getPermDef().getEntityAlias().getRawTableShortName()));
}); });
} }
@ -158,7 +162,7 @@ public class InsertTriggerGenerator {
for each row for each row
execute procedure ${rawSubTable}_insert_permission_missing_tf(); execute procedure ${rawSubTable}_insert_permission_missing_tf();
""", """,
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
plPgSql.writeLn("--//"); plPgSql.writeLn("--//");
} }
@ -192,7 +196,7 @@ public class InsertTriggerGenerator {
superObjectUuid uuid; superObjectUuid uuid;
begin begin
""", """,
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
plPgSql.chopEmptyLines(); plPgSql.chopEmptyLines();
} }
@ -231,7 +235,7 @@ public class InsertTriggerGenerator {
""", """,
with("caseCondition", caseCondition), with("caseCondition", caseCondition),
with("refColumn", superRoleEntityAlias.dependsOnColumName()), with("refColumn", superRoleEntityAlias.dependsOnColumName()),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
} else { } else {
plPgSql.writeLn( plPgSql.writeLn(
""" """
@ -243,7 +247,7 @@ public class InsertTriggerGenerator {
end if; end if;
""", """,
with("caseCondition", caseCondition), with("caseCondition", caseCondition),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()), with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()),
with("refColumn", superRoleEntityAlias.dependsOnColumName()), with("refColumn", superRoleEntityAlias.dependsOnColumName()),
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql), with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"), with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
@ -255,7 +259,7 @@ public class InsertTriggerGenerator {
plPgSql.writeLn(); plPgSql.writeLn();
plPgSql.writeLn(""" plPgSql.writeLn("""
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)', raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
NEW, base.currentSubjects(), currentSubjectOrAssumedRolesUuids(); NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$; end; $$;
create trigger ${rawSubTable}_insert_permission_check_tg create trigger ${rawSubTable}_insert_permission_check_tg
@ -264,7 +268,7 @@ public class InsertTriggerGenerator {
execute procedure ${rawSubTable}_insert_permission_check_tf(); execute procedure ${rawSubTable}_insert_permission_check_tf();
--// --//
""", """,
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
} }
private String toStringList(final Set<RbacView.CaseDef> cases) { private String toStringList(final Set<RbacView.CaseDef> cases) {
@ -272,7 +276,7 @@ public class InsertTriggerGenerator {
} }
private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) { private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) {
return !rbacDef.getRootEntityAlias().getRawTableName().equals(g.getSuperRoleDef().getEntityAlias().getRawTableName()); return !rbacDef.getRootEntityAlias().getRawTableNameWithSchema().equals(g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema());
} }
private Stream<RbacView.RbacGrantDefinition> getInsertGrants() { private Stream<RbacView.RbacGrantDefinition> getInsertGrants() {

View File

@ -12,7 +12,7 @@ public class RbacIdentityViewGenerator {
this.rbacDef = rbacDef; this.rbacDef = rbacDef;
this.liquibaseTagPrefix = liquibaseTagPrefix; this.liquibaseTagPrefix = liquibaseTagPrefix;
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName(); this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName(); this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
} }
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {

View File

@ -9,7 +9,7 @@ public class RbacObjectGenerator {
public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) { public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.liquibaseTagPrefix = liquibaseTagPrefix; this.liquibaseTagPrefix = liquibaseTagPrefix;
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName(); this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
} }
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {

View File

@ -13,7 +13,7 @@ public class RbacRestrictedViewGenerator {
public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) { public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.rbacDef = rbacDef; this.rbacDef = rbacDef;
this.liquibaseTagPrefix = liquibaseTagPrefix; this.liquibaseTagPrefix = liquibaseTagPrefix;
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName(); this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
} }
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {

View File

@ -11,7 +11,7 @@ public class RbacRoleDescriptorsGenerator {
public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) { public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
this.liquibaseTagPrefix = liquibaseTagPrefix; this.liquibaseTagPrefix = liquibaseTagPrefix;
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName(); this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName(); this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
} }
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {

View File

@ -548,7 +548,7 @@ public class RbacView {
} }
public RbacView grantPermission(final Permission perm) { public RbacView grantPermission(final Permission perm) {
final var forTable = rootEntityAlias.getRawTableName(); final var forTable = rootEntityAlias.getRawTableNameWithSchema();
findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate(); findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate();
return RbacView.this; return RbacView.this;
} }
@ -937,7 +937,7 @@ public class RbacView {
return switch (fetchSql.part) { return switch (fetchSql.part) {
case SQL_QUERY -> fetchSql; case SQL_QUERY -> fetchSql;
case AUTO_FETCH -> case AUTO_FETCH ->
SQL.query("SELECT * FROM " + getRawTableName() + " WHERE uuid = ${ref}." + dependsOnColum.column); SQL.query("SELECT * FROM " + getRawTableNameWithSchema() + " WHERE uuid = ${ref}." + dependsOnColum.column);
default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql); default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql);
}; };
} }
@ -960,13 +960,39 @@ public class RbacView {
: uncapitalize(withoutEntitySuffix(entityClass.getSimpleName())); : uncapitalize(withoutEntitySuffix(entityClass.getSimpleName()));
} }
String getRawTableName() { String getRawTableNameWithSchema() {
if ( aliasName.equals("rbac.global")) { if ( aliasName.equals("rbac.global")) {
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class? return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
} }
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name()); return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
} }
String getRawTableSchemaPrefix() {
final var rawTableNameWithSchema = getRawTableNameWithSchema();
final var parts = rawTableNameWithSchema.split("\\.");
final var rawTableSchemaPrefix = parts.length > 1 ? parts[0] + "." : "";
return rawTableSchemaPrefix;
}
String getRawTableName() {
final var rawTableNameWithSchema = getRawTableNameWithSchema();
final var parts = rawTableNameWithSchema.split("\\.");
final var rawTableName = parts.length > 1 ? parts[1] : rawTableNameWithSchema;
return rawTableName;
}
String getRawTableShortName() {
// TODO.impl: some combined function and trigger names are too long
// maybe we should shorten the table name e.g. hs_office_coopsharestransaction -> hsof.coopsharetx
// this is just a workaround:
return getRawTableName()
.replace("hs_office_", "hsof_")
.replace("hs_booking_", "hsbk_")
.replace("hs_hosting_", "hsho_")
.replace("coopsharestransaction", "coopsharetx")
.replace("coopassetstransaction", "coopassettx");
}
String dependsOnColumName() { String dependsOnColumName() {
if (dependsOnColum == null) { if (dependsOnColum == null) {
throw new IllegalStateException( throw new IllegalStateException(

View File

@ -17,7 +17,7 @@ public class RbacViewPostgresGenerator {
public RbacViewPostgresGenerator(final RbacView forRbacDef) { public RbacViewPostgresGenerator(final RbacView forRbacDef) {
rbacDef = forRbacDef; rbacDef = forRbacDef;
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableName().replace("_", "-"); liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableNameWithSchema().replace("_", "-");
plPgSql.writeLn(""" plPgSql.writeLn("""
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by ${generator}, do not amend manually. -- This code generated was by ${generator}, do not amend manually.

View File

@ -40,7 +40,7 @@ class RolesGrantsAndPermissionsGenerator {
simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName(); simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
simpleEntityName = capitalize(simpleEntityVarName); simpleEntityName = capitalize(simpleEntityVarName);
rawTableName = rbacDef.getRootEntityAlias().getRawTableName(); rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
} }
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {
@ -77,7 +77,7 @@ class RolesGrantsAndPermissionsGenerator {
plPgSql.writeLn("declare"); plPgSql.writeLn("declare");
plPgSql.indented(() -> { plPgSql.indented(() -> {
referencedEntityAliases() referencedEntityAliases()
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";")); .forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";"));
}); });
plPgSql.writeLn(); plPgSql.writeLn();
@ -145,8 +145,8 @@ class RolesGrantsAndPermissionsGenerator {
plPgSql.indented(() -> { plPgSql.indented(() -> {
referencedEntityAliases() referencedEntityAliases()
.forEach((ea) -> { .forEach((ea) -> {
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableName() + ";"); plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableNameWithSchema() + ";");
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";"); plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";");
}); });
}); });
@ -322,7 +322,7 @@ class RolesGrantsAndPermissionsGenerator {
final var grantSql = switch (grantDef.grantType()) { final var grantSql = switch (grantDef.grantType()) {
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant"); case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});" case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
.replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()") .replace("${assumed}", grantDef.isAssumed() ? "" : ", rbac.unassumed()")
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef())) .replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> case PERM_TO_ROLE ->
@ -343,7 +343,7 @@ class RolesGrantsAndPermissionsGenerator {
} }
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return permRef("createPermission", ref, permDef); return permRef("rbac.createPermission", ref, permDef);
} }
private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
@ -580,7 +580,7 @@ class RolesGrantsAndPermissionsGenerator {
private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) { private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) {
return switch (userRef.role) { return switch (userRef.role) {
case CREATOR -> "currentSubjectUuid()"; case CREATOR -> "rbac.currentSubjectUuid()";
default -> throw new IllegalArgumentException("unknown user role: " + userRef); default -> throw new IllegalArgumentException("unknown user role: " + userRef);
}; };
} }
@ -589,9 +589,9 @@ class RolesGrantsAndPermissionsGenerator {
final PostgresTriggerReference triggerRef, final PostgresTriggerReference triggerRef,
final RbacView.RbacRoleDefinition roleDef, final RbacView.RbacRoleDefinition roleDef,
final boolean assumed) { final boolean assumed) {
final var assumedArg = assumed ? "" : ", unassumed()"; final var assumedArg = assumed ? "" : ", rbac.unassumed()";
return toRoleRef(roleDef) + return toRoleRef(roleDef) +
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(unassumed())") (roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(rbac.unassumed())")
: rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")") : rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")")
: "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")"); : "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")");
} }

View File

@ -87,7 +87,7 @@ execute procedure insertTriggerForTestCustomer_tf();
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row rbac.global%ROWTYPE; row rbac.global;
begin begin
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows'); call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
@ -96,15 +96,15 @@ do language plpgsql $$
LOOP LOOP
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'), rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
rbac.globalAdmin()); rbac.globalADMIN());
END LOOP; END LOOP;
end; end;
$$; $$;
/** /**
Grants test_customer INSERT permission to specified role of new rbac.global rows. Grants test_customer INSERT permission to specified role of new global rows.
*/ */
create or replace function new_test_customer_grants_insert_to_global_tf() create or replace function rbac.new_test_customer_grants_insert_to_global_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -112,16 +112,16 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
rbac.globalAdmin()); rbac.globalADMIN());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_customer_grants_insert_to_global_tg create trigger z_new_test_customer_grants_after_insert_tg
after insert on rbac.global after insert on rbac.global
for each row for each row
execute procedure new_test_customer_grants_insert_to_global_tf(); execute procedure rbac.new_test_customer_grants_insert_to_global_tf();
-- ============================================================================ -- ============================================================================

View File

@ -183,7 +183,7 @@ begin
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_package_grants_insert_to_test_customer_tg create trigger z_new_test_package_grants_after_insert_tg
after insert on test_customer after insert on test_customer
for each row for each row
execute procedure new_test_package_grants_insert_to_test_customer_tf(); execute procedure new_test_package_grants_insert_to_test_customer_tf();

View File

@ -182,7 +182,7 @@ begin
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_domain_grants_insert_to_test_package_tg create trigger z_new_test_domain_grants_after_insert_tg
after insert on test_package after insert on test_package
for each row for each row
execute procedure new_test_domain_grants_insert_to_test_package_tf(); execute procedure new_test_domain_grants_insert_to_test_package_tf();

View File

@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW), hsOfficePersonOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()], incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );

View File

@ -164,24 +164,24 @@ execute procedure updateTriggerForHsOfficePartner_tf();
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row rbac.global%ROWTYPE; row rbac.global;
begin begin
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows'); call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalAdmin()); rbac.globalADMIN());
END LOOP; END LOOP;
end; end;
$$; $$;
/** /**
Grants hs_office_partner INSERT permission to specified role of new rbac.global rows. Grants hs_office_partner INSERT permission to specified role of new global rows.
*/ */
create or replace function new_hs_office_partner_grants_insert_to_global_tf() create or replace function rbac.new_hsof_partner_grants_insert_to_global_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -189,16 +189,16 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalAdmin()); rbac.globalADMIN());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_grants_insert_to_global_tg create trigger z_new_hs_office_partner_grants_after_insert_tg
after insert on rbac.global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_partner_grants_insert_to_global_tf(); execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
-- ============================================================================ -- ============================================================================

View File

@ -67,25 +67,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows. Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row rbac.global; row rbac.global;
begin begin
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows'); call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalAdmin()); rbac.globalADMIN());
END LOOP; END LOOP;
end; end;
$$; $$;
/** /**
Grants hs_office_partner_details INSERT permission to specified role of new global rows. Grants hs_office_partner_details INSERT permission to specified role of new global rows.
*/ */
create or replace function new_hs_office_partner_details_grants_insert_to_global_tf() create or replace function rbac.new_hsof_partner_details_grants_insert_to_global_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -93,16 +93,16 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalAdmin()); rbac.globalADMIN());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg create trigger z_new_hs_office_partner_details_grants_after_insert_tg
after insert on rbac.global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf(); execute procedure rbac.new_hsof_partner_details_grants_insert_to_global_tf();
-- ============================================================================ -- ============================================================================
@ -118,7 +118,7 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if rbac.Global ADMIN -- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;

View File

@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW), hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()], incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );

View File

@ -130,31 +130,31 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// --changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- granting INSERT permission to rbac.Global ---------------------------- -- granting INSERT permission to rbac.global ----------------------------
/* /*
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows. Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row rbac.global%ROWTYPE; row rbac.global;
begin begin
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows'); call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalAdmin()); rbac.globalADMIN());
END LOOP; END LOOP;
end; end;
$$; $$;
/** /**
Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows. Grants hs_office_debitor INSERT permission to specified role of new global rows.
*/ */
create or replace function new_hs_office_debitor_grants_insert_to_global_tf() create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -162,16 +162,16 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalAdmin()); rbac.globalADMIN());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg create trigger z_new_hs_office_debitor_grants_after_insert_tg
after insert on rbac.global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_debitor_grants_insert_to_global_tf(); execute procedure rbac.new_hsof_debitor_grants_insert_to_global_tf();
-- ============================================================================ -- ============================================================================

View File

@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW), hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()], incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
@ -129,7 +129,7 @@ $$;
/** /**
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows. Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
*/ */
create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf() create or replace function new_hsof_sepamandate_grants_insert_to_hsof_relation_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -143,10 +143,10 @@ begin
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg create trigger z_new_hs_office_sepamandate_grants_after_insert_tg
after insert on hs_office_relation after insert on hs_office_relation
for each row for each row
execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf(); execute procedure new_hsof_sepamandate_grants_insert_to_hsof_relation_tf();
-- ============================================================================ -- ============================================================================

View File

@ -99,24 +99,24 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row rbac.global%ROWTYPE; row rbac.global;
begin begin
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows'); call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM rbac.global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalAdmin()); rbac.globalADMIN());
END LOOP; END LOOP;
end; end;
$$; $$;
/** /**
Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows. Grants hs_office_membership INSERT permission to specified role of new global rows.
*/ */
create or replace function new_hs_office_membership_grants_insert_to_global_tf() create or replace function rbac.new_hsof_membership_grants_insert_to_global_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -124,16 +124,16 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call rbac.grantPermissionToRole( call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalAdmin()); rbac.globalADMIN());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_membership_grants_insert_to_global_tg create trigger z_new_hs_office_membership_grants_after_insert_tg
after insert on rbac.global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_membership_grants_insert_to_global_tf(); execute procedure rbac.new_hsof_membership_grants_insert_to_global_tf();
-- ============================================================================ -- ============================================================================
@ -149,7 +149,7 @@ create or replace function hs_office_membership_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if rbac.Global ADMIN -- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;

View File

@ -92,7 +92,7 @@ $$;
/** /**
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows. Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
*/ */
create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf() create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -106,10 +106,10 @@ begin
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg create trigger z_new_hs_office_coopsharestransaction_grants_after_insert_tg
after insert on hs_office_membership after insert on hs_office_membership
for each row for each row
execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf(); execute procedure new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf();
-- ============================================================================ -- ============================================================================

View File

@ -92,7 +92,7 @@ $$;
/** /**
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows. Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
*/ */
create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf() create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
@ -106,10 +106,10 @@ begin
end; $$; end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
after insert on hs_office_membership after insert on hs_office_membership
for each row for each row
execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf(); execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
-- ============================================================================ -- ============================================================================