amend rbac generators and re-generate
This commit is contained in:
parent
cde0feaa3f
commit
3d335def18
@ -17,6 +17,7 @@ import java.io.IOException;
|
|||||||
|
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
@ -45,8 +46,8 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
|
|||||||
.withIdentityView(SQL.projection("caption"))
|
.withIdentityView(SQL.projection("caption"))
|
||||||
.withRestrictedViewOrderBy(SQL.expression("validity"))
|
.withRestrictedViewOrderBy(SQL.expression("validity"))
|
||||||
.withUpdatableColumns("version", "caption", "validity", "resources")
|
.withUpdatableColumns("version", "caption", "validity", "resources")
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
|
.toRole(GLOBAL, ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
|
||||||
.toRole("global", ADMIN).grantPermission(DELETE)
|
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
|
||||||
|
|
||||||
.importEntityAlias("project", HsBookingProject.class, usingDefaultCase(),
|
.importEntityAlias("project", HsBookingProject.class, usingDefaultCase(),
|
||||||
dependsOnColumn("projectUuid"),
|
dependsOnColumn("projectUuid"),
|
||||||
|
@ -20,6 +20,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
@ -91,7 +92,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
|
|||||||
"""),
|
"""),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
||||||
.toRole("global", ADMIN).grantPermission(DELETE)
|
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
||||||
|
@ -17,6 +17,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
@ -63,7 +64,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
|
|||||||
"""),
|
"""),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
||||||
.toRole("global", ADMIN).grantPermission(DELETE)
|
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
||||||
|
@ -62,7 +62,7 @@ public class HsOfficeBankAccountEntity implements BaseEntity<HsOfficeBankAccount
|
|||||||
.withIdentityView(SQL.projection("iban"))
|
.withIdentityView(SQL.projection("iban"))
|
||||||
.withUpdatableColumns("holder", "iban", "bic")
|
.withUpdatableColumns("holder", "iban", "bic")
|
||||||
|
|
||||||
.toRole("global", GUEST).grantPermission(INSERT)
|
.toRole(GLOBAL, GUEST).grantPermission(INSERT)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.owningUser(CREATOR);
|
with.owningUser(CREATOR);
|
||||||
|
@ -43,6 +43,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
@ -188,7 +189,7 @@ public class HsOfficeDebitorEntity implements BaseEntity<HsOfficeDebitorEntity>,
|
|||||||
"vatBusiness",
|
"vatBusiness",
|
||||||
"vatReverseCharge",
|
"vatReverseCharge",
|
||||||
"defaultPrefix")
|
"defaultPrefix")
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
|
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
|
||||||
directlyFetchedByDependsOnColumn(),
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
@ -40,6 +40,7 @@ import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateR
|
|||||||
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange;
|
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
@ -174,7 +175,7 @@ public class HsOfficeMembershipEntity implements BaseEntity<HsOfficeMembershipEn
|
|||||||
WHERE partner.uuid = ${REF}.partnerUuid
|
WHERE partner.uuid = ${REF}.partnerUuid
|
||||||
"""),
|
"""),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.owningUser(CREATOR);
|
with.owningUser(CREATOR);
|
||||||
|
@ -13,6 +13,7 @@ import java.io.IOException;
|
|||||||
import java.time.LocalDate;
|
import java.time.LocalDate;
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
@ -82,7 +83,7 @@ public class HsOfficePartnerDetailsEntity implements BaseEntity<HsOfficePartnerD
|
|||||||
"birthName",
|
"birthName",
|
||||||
"birthday",
|
"birthday",
|
||||||
"dateOfDeath")
|
"dateOfDeath")
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
// The grants are defined in HsOfficePartnerEntity.rbac()
|
// The grants are defined in HsOfficePartnerEntity.rbac()
|
||||||
// because they have to be changed when its partnerRel changes,
|
// because they have to be changed when its partnerRel changes,
|
||||||
|
@ -26,6 +26,7 @@ import java.util.UUID;
|
|||||||
import static jakarta.persistence.CascadeType.*;
|
import static jakarta.persistence.CascadeType.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
@ -103,7 +104,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
|
|||||||
return rbacViewFor("partner", HsOfficePartnerEntity.class)
|
return rbacViewFor("partner", HsOfficePartnerEntity.class)
|
||||||
.withIdentityView(SQL.projection("'P-' || partnerNumber"))
|
.withIdentityView(SQL.projection("'P-' || partnerNumber"))
|
||||||
.withUpdatableColumns("partnerRelUuid")
|
.withUpdatableColumns("partnerRelUuid")
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationRbacEntity.class,
|
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationRbacEntity.class,
|
||||||
usingDefaultCase(),
|
usingDefaultCase(),
|
||||||
|
@ -80,7 +80,7 @@ public class HsOfficePersonEntity implements BaseEntity<HsOfficePersonEntity>, S
|
|||||||
return rbacViewFor("person", HsOfficePersonEntity.class)
|
return rbacViewFor("person", HsOfficePersonEntity.class)
|
||||||
.withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)"))
|
.withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)"))
|
||||||
.withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName")
|
.withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName")
|
||||||
.toRole("global", GUEST).grantPermission(INSERT)
|
.toRole(GLOBAL, GUEST).grantPermission(INSERT)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.permission(DELETE);
|
with.permission(DELETE);
|
||||||
|
@ -55,7 +55,7 @@ public class InsertTriggerGenerator {
|
|||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
-- granting INSERT permission to ${rawSubTable} ----------------------------
|
-- granting INSERT permission to ${rawSubTable} ----------------------------
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()));
|
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()));
|
||||||
|
|
||||||
if (isGrantToADifferentTable(g)) {
|
if (isGrantToADifferentTable(g)) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
@ -73,7 +73,7 @@ public class InsertTriggerGenerator {
|
|||||||
${whenCondition}
|
${whenCondition}
|
||||||
LOOP
|
LOOP
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
|
rbac.createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
|
||||||
${superRoleRef});
|
${superRoleRef});
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -84,40 +84,40 @@ public class InsertTriggerGenerator {
|
|||||||
? "WHERE type = '${value}'"
|
? "WHERE type = '${value}'"
|
||||||
.replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value)
|
.replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value)
|
||||||
: "-- unconditional for all rows in that table"),
|
: "-- unconditional for all rows in that table"),
|
||||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()),
|
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||||
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row")));
|
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row")));
|
||||||
} else {
|
} else {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
|
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
|
||||||
-- because there cannot yet be any pre-existing rows in the same table yet.
|
-- because there cannot yet be any pre-existing rows in the same table yet.
|
||||||
""",
|
""",
|
||||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
|
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()));
|
||||||
}
|
}
|
||||||
|
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/**
|
/**
|
||||||
Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows.
|
Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf()
|
create or replace function ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
${ifConditionThen}
|
${ifConditionThen}
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
|
rbac.createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
|
||||||
${superRoleRef});
|
${superRoleRef});
|
||||||
${ifConditionEnd}
|
${ifConditionEnd}
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tg
|
create trigger z_new_${rawSubTable}_grants_after_insert_tg
|
||||||
after insert on ${rawSuperTable}
|
after insert on ${rawSuperTableWithSchema}
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf();
|
execute procedure ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf();
|
||||||
""",
|
""",
|
||||||
with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
|
with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
|
||||||
// TODO.impl: .type needs to be dynamically generated
|
// TODO.impl: .type needs to be dynamically generated
|
||||||
@ -127,8 +127,12 @@ public class InsertTriggerGenerator {
|
|||||||
? "end if;"
|
? "end if;"
|
||||||
: "-- end."),
|
: "-- end."),
|
||||||
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())),
|
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())),
|
||||||
|
with("rawSuperTableWithSchema", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||||
|
with("rawSuperTableShortName", g.getSuperRoleDef().getEntityAlias().getRawTableShortName()),
|
||||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
|
with("rawSuperTableSchemaName", g.getSuperRoleDef().getEntityAlias().getRawTableSchemaPrefix()),
|
||||||
|
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||||
|
with("rawSubTableShortName", g.getPermDef().getEntityAlias().getRawTableShortName()));
|
||||||
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
@ -158,7 +162,7 @@ public class InsertTriggerGenerator {
|
|||||||
for each row
|
for each row
|
||||||
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||||
|
|
||||||
plPgSql.writeLn("--//");
|
plPgSql.writeLn("--//");
|
||||||
}
|
}
|
||||||
@ -192,7 +196,7 @@ public class InsertTriggerGenerator {
|
|||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||||
plPgSql.chopEmptyLines();
|
plPgSql.chopEmptyLines();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -231,7 +235,7 @@ public class InsertTriggerGenerator {
|
|||||||
""",
|
""",
|
||||||
with("caseCondition", caseCondition),
|
with("caseCondition", caseCondition),
|
||||||
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||||
} else {
|
} else {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
@ -243,7 +247,7 @@ public class InsertTriggerGenerator {
|
|||||||
end if;
|
end if;
|
||||||
""",
|
""",
|
||||||
with("caseCondition", caseCondition),
|
with("caseCondition", caseCondition),
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()),
|
||||||
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||||
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
|
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
|
||||||
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
||||||
@ -255,7 +259,7 @@ public class InsertTriggerGenerator {
|
|||||||
plPgSql.writeLn();
|
plPgSql.writeLn();
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
|
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
|
||||||
NEW, base.currentSubjects(), currentSubjectOrAssumedRolesUuids();
|
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||||
@ -264,7 +268,7 @@ public class InsertTriggerGenerator {
|
|||||||
execute procedure ${rawSubTable}_insert_permission_check_tf();
|
execute procedure ${rawSubTable}_insert_permission_check_tf();
|
||||||
--//
|
--//
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||||
}
|
}
|
||||||
|
|
||||||
private String toStringList(final Set<RbacView.CaseDef> cases) {
|
private String toStringList(final Set<RbacView.CaseDef> cases) {
|
||||||
@ -272,7 +276,7 @@ public class InsertTriggerGenerator {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) {
|
private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) {
|
||||||
return !rbacDef.getRootEntityAlias().getRawTableName().equals(g.getSuperRoleDef().getEntityAlias().getRawTableName());
|
return !rbacDef.getRootEntityAlias().getRawTableNameWithSchema().equals(g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema());
|
||||||
}
|
}
|
||||||
|
|
||||||
private Stream<RbacView.RbacGrantDefinition> getInsertGrants() {
|
private Stream<RbacView.RbacGrantDefinition> getInsertGrants() {
|
||||||
|
@ -12,7 +12,7 @@ public class RbacIdentityViewGenerator {
|
|||||||
this.rbacDef = rbacDef;
|
this.rbacDef = rbacDef;
|
||||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||||
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
||||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||||
}
|
}
|
||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
|
@ -9,7 +9,7 @@ public class RbacObjectGenerator {
|
|||||||
|
|
||||||
public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||||
}
|
}
|
||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
|
@ -13,7 +13,7 @@ public class RbacRestrictedViewGenerator {
|
|||||||
public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||||
this.rbacDef = rbacDef;
|
this.rbacDef = rbacDef;
|
||||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||||
}
|
}
|
||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
|
@ -11,7 +11,7 @@ public class RbacRoleDescriptorsGenerator {
|
|||||||
public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||||
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
||||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||||
}
|
}
|
||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
|
@ -548,7 +548,7 @@ public class RbacView {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public RbacView grantPermission(final Permission perm) {
|
public RbacView grantPermission(final Permission perm) {
|
||||||
final var forTable = rootEntityAlias.getRawTableName();
|
final var forTable = rootEntityAlias.getRawTableNameWithSchema();
|
||||||
findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate();
|
findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate();
|
||||||
return RbacView.this;
|
return RbacView.this;
|
||||||
}
|
}
|
||||||
@ -937,7 +937,7 @@ public class RbacView {
|
|||||||
return switch (fetchSql.part) {
|
return switch (fetchSql.part) {
|
||||||
case SQL_QUERY -> fetchSql;
|
case SQL_QUERY -> fetchSql;
|
||||||
case AUTO_FETCH ->
|
case AUTO_FETCH ->
|
||||||
SQL.query("SELECT * FROM " + getRawTableName() + " WHERE uuid = ${ref}." + dependsOnColum.column);
|
SQL.query("SELECT * FROM " + getRawTableNameWithSchema() + " WHERE uuid = ${ref}." + dependsOnColum.column);
|
||||||
default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql);
|
default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -960,13 +960,39 @@ public class RbacView {
|
|||||||
: uncapitalize(withoutEntitySuffix(entityClass.getSimpleName()));
|
: uncapitalize(withoutEntitySuffix(entityClass.getSimpleName()));
|
||||||
}
|
}
|
||||||
|
|
||||||
String getRawTableName() {
|
String getRawTableNameWithSchema() {
|
||||||
if ( aliasName.equals("rbac.global")) {
|
if ( aliasName.equals("rbac.global")) {
|
||||||
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
|
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
|
||||||
}
|
}
|
||||||
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String getRawTableSchemaPrefix() {
|
||||||
|
final var rawTableNameWithSchema = getRawTableNameWithSchema();
|
||||||
|
final var parts = rawTableNameWithSchema.split("\\.");
|
||||||
|
final var rawTableSchemaPrefix = parts.length > 1 ? parts[0] + "." : "";
|
||||||
|
return rawTableSchemaPrefix;
|
||||||
|
}
|
||||||
|
|
||||||
|
String getRawTableName() {
|
||||||
|
final var rawTableNameWithSchema = getRawTableNameWithSchema();
|
||||||
|
final var parts = rawTableNameWithSchema.split("\\.");
|
||||||
|
final var rawTableName = parts.length > 1 ? parts[1] : rawTableNameWithSchema;
|
||||||
|
return rawTableName;
|
||||||
|
}
|
||||||
|
|
||||||
|
String getRawTableShortName() {
|
||||||
|
// TODO.impl: some combined function and trigger names are too long
|
||||||
|
// maybe we should shorten the table name e.g. hs_office_coopsharestransaction -> hsof.coopsharetx
|
||||||
|
// this is just a workaround:
|
||||||
|
return getRawTableName()
|
||||||
|
.replace("hs_office_", "hsof_")
|
||||||
|
.replace("hs_booking_", "hsbk_")
|
||||||
|
.replace("hs_hosting_", "hsho_")
|
||||||
|
.replace("coopsharestransaction", "coopsharetx")
|
||||||
|
.replace("coopassetstransaction", "coopassettx");
|
||||||
|
}
|
||||||
|
|
||||||
String dependsOnColumName() {
|
String dependsOnColumName() {
|
||||||
if (dependsOnColum == null) {
|
if (dependsOnColum == null) {
|
||||||
throw new IllegalStateException(
|
throw new IllegalStateException(
|
||||||
|
@ -17,7 +17,7 @@ public class RbacViewPostgresGenerator {
|
|||||||
|
|
||||||
public RbacViewPostgresGenerator(final RbacView forRbacDef) {
|
public RbacViewPostgresGenerator(final RbacView forRbacDef) {
|
||||||
rbacDef = forRbacDef;
|
rbacDef = forRbacDef;
|
||||||
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableName().replace("_", "-");
|
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableNameWithSchema().replace("_", "-");
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
-- This code generated was by ${generator}, do not amend manually.
|
-- This code generated was by ${generator}, do not amend manually.
|
||||||
|
@ -40,7 +40,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
|
|
||||||
simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
||||||
simpleEntityName = capitalize(simpleEntityVarName);
|
simpleEntityName = capitalize(simpleEntityVarName);
|
||||||
rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||||
}
|
}
|
||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
@ -77,7 +77,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
plPgSql.writeLn("declare");
|
plPgSql.writeLn("declare");
|
||||||
plPgSql.indented(() -> {
|
plPgSql.indented(() -> {
|
||||||
referencedEntityAliases()
|
referencedEntityAliases()
|
||||||
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";"));
|
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";"));
|
||||||
});
|
});
|
||||||
|
|
||||||
plPgSql.writeLn();
|
plPgSql.writeLn();
|
||||||
@ -145,8 +145,8 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
plPgSql.indented(() -> {
|
plPgSql.indented(() -> {
|
||||||
referencedEntityAliases()
|
referencedEntityAliases()
|
||||||
.forEach((ea) -> {
|
.forEach((ea) -> {
|
||||||
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableName() + ";");
|
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableNameWithSchema() + ";");
|
||||||
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";");
|
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";");
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -322,7 +322,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
final var grantSql = switch (grantDef.grantType()) {
|
final var grantSql = switch (grantDef.grantType()) {
|
||||||
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
|
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
|
||||||
case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
|
case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
|
||||||
.replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()")
|
.replace("${assumed}", grantDef.isAssumed() ? "" : ", rbac.unassumed()")
|
||||||
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
|
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
|
||||||
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
||||||
case PERM_TO_ROLE ->
|
case PERM_TO_ROLE ->
|
||||||
@ -343,7 +343,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||||
return permRef("createPermission", ref, permDef);
|
return permRef("rbac.createPermission", ref, permDef);
|
||||||
}
|
}
|
||||||
|
|
||||||
private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||||
@ -580,7 +580,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
|
|
||||||
private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) {
|
private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) {
|
||||||
return switch (userRef.role) {
|
return switch (userRef.role) {
|
||||||
case CREATOR -> "currentSubjectUuid()";
|
case CREATOR -> "rbac.currentSubjectUuid()";
|
||||||
default -> throw new IllegalArgumentException("unknown user role: " + userRef);
|
default -> throw new IllegalArgumentException("unknown user role: " + userRef);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -589,9 +589,9 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
final PostgresTriggerReference triggerRef,
|
final PostgresTriggerReference triggerRef,
|
||||||
final RbacView.RbacRoleDefinition roleDef,
|
final RbacView.RbacRoleDefinition roleDef,
|
||||||
final boolean assumed) {
|
final boolean assumed) {
|
||||||
final var assumedArg = assumed ? "" : ", unassumed()";
|
final var assumedArg = assumed ? "" : ", rbac.unassumed()";
|
||||||
return toRoleRef(roleDef) +
|
return toRoleRef(roleDef) +
|
||||||
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(unassumed())")
|
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(rbac.unassumed())")
|
||||||
: rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")")
|
: rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")")
|
||||||
: "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")");
|
: "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")");
|
||||||
}
|
}
|
||||||
|
@ -87,7 +87,7 @@ execute procedure insertTriggerForTestCustomer_tf();
|
|||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row rbac.global%ROWTYPE;
|
row rbac.global;
|
||||||
begin
|
begin
|
||||||
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
@ -96,15 +96,15 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants test_customer INSERT permission to specified role of new rbac.global rows.
|
Grants test_customer INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_test_customer_grants_insert_to_global_tf()
|
create or replace function rbac.new_test_customer_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -112,16 +112,16 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_test_customer_grants_insert_to_global_tg
|
create trigger z_new_test_customer_grants_after_insert_tg
|
||||||
after insert on rbac.global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_test_customer_grants_insert_to_global_tf();
|
execute procedure rbac.new_test_customer_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
|
@ -183,7 +183,7 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_test_package_grants_insert_to_test_customer_tg
|
create trigger z_new_test_package_grants_after_insert_tg
|
||||||
after insert on test_customer
|
after insert on test_customer
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_test_package_grants_insert_to_test_customer_tf();
|
execute procedure new_test_package_grants_insert_to_test_customer_tf();
|
||||||
|
@ -182,7 +182,7 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_test_domain_grants_insert_to_test_package_tg
|
create trigger z_new_test_domain_grants_after_insert_tg
|
||||||
after insert on test_package
|
after insert on test_package
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_test_domain_grants_insert_to_test_package_tf();
|
execute procedure new_test_domain_grants_insert_to_test_package_tf();
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficePersonOWNER(NEW),
|
hsOfficePersonOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -164,24 +164,24 @@ execute procedure updateTriggerForHsOfficePartner_tf();
|
|||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row rbac.global%ROWTYPE;
|
row rbac.global;
|
||||||
begin
|
begin
|
||||||
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
|
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbac.global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
|
Grants hs_office_partner INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
create or replace function rbac.new_hsof_partner_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -189,16 +189,16 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
|
create trigger z_new_hs_office_partner_grants_after_insert_tg
|
||||||
after insert on rbac.global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
|
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
|
@ -67,25 +67,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
|
|||||||
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
|
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row rbac.global;
|
row rbac.global;
|
||||||
begin
|
begin
|
||||||
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbac.global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_partner_details INSERT permission to specified role of new global rows.
|
Grants hs_office_partner_details INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
|
create or replace function rbac.new_hsof_partner_details_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -93,16 +93,16 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
|
create trigger z_new_hs_office_partner_details_grants_after_insert_tg
|
||||||
after insert on rbac.global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
|
execute procedure rbac.new_hsof_partner_details_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -118,7 +118,7 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if rbac.Global ADMIN
|
-- check INSERT INSERT if rbac.global ADMIN
|
||||||
if rbac.isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficeBankAccountOWNER(NEW),
|
hsOfficeBankAccountOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -130,31 +130,31 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
|
|||||||
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- granting INSERT permission to rbac.Global ----------------------------
|
-- granting INSERT permission to rbac.global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
|
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row rbac.global%ROWTYPE;
|
row rbac.global;
|
||||||
begin
|
begin
|
||||||
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
|
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbac.global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
|
Grants hs_office_debitor INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -162,16 +162,16 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
|
create trigger z_new_hs_office_debitor_grants_after_insert_tg
|
||||||
after insert on rbac.global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
|
execute procedure rbac.new_hsof_debitor_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
|
@ -50,7 +50,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficeSepaMandateOWNER(NEW),
|
hsOfficeSepaMandateOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -129,7 +129,7 @@ $$;
|
|||||||
/**
|
/**
|
||||||
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
|
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
|
create or replace function new_hsof_sepamandate_grants_insert_to_hsof_relation_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -143,10 +143,10 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
|
create trigger z_new_hs_office_sepamandate_grants_after_insert_tg
|
||||||
after insert on hs_office_relation
|
after insert on hs_office_relation
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
|
execute procedure new_hsof_sepamandate_grants_insert_to_hsof_relation_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
|
@ -99,24 +99,24 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
|
|||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row rbac.global%ROWTYPE;
|
row rbac.global;
|
||||||
begin
|
begin
|
||||||
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
|
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbac.global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
|
Grants hs_office_membership INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
create or replace function rbac.new_hsof_membership_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -124,16 +124,16 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call rbac.grantPermissionToRole(
|
call rbac.grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
rbac.globalAdmin());
|
rbac.globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
|
create trigger z_new_hs_office_membership_grants_after_insert_tg
|
||||||
after insert on rbac.global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
|
execute procedure rbac.new_hsof_membership_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -149,7 +149,7 @@ create or replace function hs_office_membership_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if rbac.Global ADMIN
|
-- check INSERT INSERT if rbac.global ADMIN
|
||||||
if rbac.isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
@ -92,7 +92,7 @@ $$;
|
|||||||
/**
|
/**
|
||||||
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
|
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
|
create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -106,10 +106,10 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
|
create trigger z_new_hs_office_coopsharestransaction_grants_after_insert_tg
|
||||||
after insert on hs_office_membership
|
after insert on hs_office_membership
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
|
execute procedure new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
|
@ -92,7 +92,7 @@ $$;
|
|||||||
/**
|
/**
|
||||||
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
|
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
|
create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -106,10 +106,10 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
|
create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
|
||||||
after insert on hs_office_membership
|
after insert on hs_office_membership
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
|
execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
|
Loading…
Reference in New Issue
Block a user