amend rbac generators and re-generate
parent
cde0feaa3f
commit
3d335def18
@ -17,6 +17,7 @@ import java.io.IOException;
|
||||
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||
@ -45,8 +46,8 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
|
||||
.withIdentityView(SQL.projection("caption"))
|
||||
.withRestrictedViewOrderBy(SQL.expression("validity"))
|
||||
.withUpdatableColumns("version", "caption", "validity", "resources")
|
||||
.toRole("global", ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
|
||||
.toRole("global", ADMIN).grantPermission(DELETE)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
|
||||
|
||||
.importEntityAlias("project", HsBookingProject.class, usingDefaultCase(),
|
||||
dependsOnColumn("projectUuid"),
|
||||
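Review bot: The INSERT grant in `.toRole(GLOBAL, ADMIN).grantPermission(INSERT)` is carried over with its `TODO.impl: Why is this necessary to insert test data?` still open, so the RBAC definition keeps a permission whose only stated reason is test setup. Since the line is touched anyway, either settle the question or record the decision next to the grant, e.g. `// global ADMIN needs INSERT because <reason>`. If the grant exists only for test fixtures, it is better made in the test setup than in the entity's RBAC definition. The builder chain starts and ends outside this hunk.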
|
@ -20,6 +20,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||
@ -91,7 +92,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
|
||||
"""),
|
||||
NOT_NULL)
|
||||
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
||||
.toRole("global", ADMIN).grantPermission(DELETE)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
||||
|
@ -17,6 +17,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||
@ -63,7 +64,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
|
||||
"""),
|
||||
NOT_NULL)
|
||||
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
||||
.toRole("global", ADMIN).grantPermission(DELETE)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(DELETE)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
||||
|
@ -62,7 +62,7 @@ public class HsOfficeBankAccountEntity implements BaseEntity<HsOfficeBankAccount
|
||||
.withIdentityView(SQL.projection("iban"))
|
||||
.withUpdatableColumns("holder", "iban", "bic")
|
||||
|
||||
.toRole("global", GUEST).grantPermission(INSERT)
|
||||
.toRole(GLOBAL, GUEST).grantPermission(INSERT)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.owningUser(CREATOR);
|
||||
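Review bot: `.toRole(GLOBAL, GUEST).grantPermission(INSERT)` lets the global GUEST role insert bank accounts, and nothing next to the grant says why that role is the right one; the same grant appears on HsOfficePersonEntity. A short comment would make the intent reviewable, for example `// every subject may create a bank account; the creator becomes its OWNER`, assuming that is what `with.owningUser(CREATOR)` just below is meant to achieve. What GUEST covers is defined outside this hunk, so this is a documentation request and not a claim that the grant is wrong.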
|
@ -43,6 +43,7 @@ import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||
@ -188,7 +189,7 @@ public class HsOfficeDebitorEntity implements BaseEntity<HsOfficeDebitorEntity>,
|
||||
"vatBusiness",
|
||||
"vatReverseCharge",
|
||||
"defaultPrefix")
|
||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||
|
||||
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
|
||||
directlyFetchedByDependsOnColumn(),
|
||||
|
@ -40,6 +40,7 @@ import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateR
|
||||
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||
@ -174,7 +175,7 @@ public class HsOfficeMembershipEntity implements BaseEntity<HsOfficeMembershipEn
|
||||
WHERE partner.uuid = ${REF}.partnerUuid
|
||||
"""),
|
||||
NOT_NULL)
|
||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.owningUser(CREATOR);
|
||||
|
@ -13,6 +13,7 @@ import java.io.IOException;
|
||||
import java.time.LocalDate;
|
||||
import java.util.UUID;
|
||||
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||
@ -82,7 +83,7 @@ public class HsOfficePartnerDetailsEntity implements BaseEntity<HsOfficePartnerD
|
||||
"birthName",
|
||||
"birthday",
|
||||
"dateOfDeath")
|
||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||
|
||||
// The grants are defined in HsOfficePartnerEntity.rbac()
|
||||
// because they have to be changed when its partnerRel changes,
|
||||
|
@ -26,6 +26,7 @@ import java.util.UUID;
|
||||
import static jakarta.persistence.CascadeType.*;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||
@ -103,7 +104,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
|
||||
return rbacViewFor("partner", HsOfficePartnerEntity.class)
|
||||
.withIdentityView(SQL.projection("'P-' || partnerNumber"))
|
||||
.withUpdatableColumns("partnerRelUuid")
|
||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||
.toRole(GLOBAL, ADMIN).grantPermission(INSERT)
|
||||
|
||||
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationRbacEntity.class,
|
||||
usingDefaultCase(),
|
||||
|
@ -80,7 +80,7 @@ public class HsOfficePersonEntity implements BaseEntity<HsOfficePersonEntity>, S
|
||||
return rbacViewFor("person", HsOfficePersonEntity.class)
|
||||
.withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)"))
|
||||
.withUpdatableColumns("personType", "title", "salutation", "tradeName", "givenName", "familyName")
|
||||
.toRole("global", GUEST).grantPermission(INSERT)
|
||||
.toRole(GLOBAL, GUEST).grantPermission(INSERT)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.permission(DELETE);
|
||||
|
@ -55,7 +55,7 @@ public class InsertTriggerGenerator {
|
||||
plPgSql.writeLn("""
|
||||
-- granting INSERT permission to ${rawSubTable} ----------------------------
|
||||
""",
|
||||
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()));
|
||||
with("rawSubTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()));
|
||||
|
||||
if (isGrantToADifferentTable(g)) {
|
||||
plPgSql.writeLn(
|
||||
@ -73,7 +73,7 @@ public class InsertTriggerGenerator {
|
||||
${whenCondition}
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
|
||||
${superRoleRef});
|
||||
END LOOP;
|
||||
end;
|
||||
@ -84,40 +84,40 @@ public class InsertTriggerGenerator {
|
||||
? "WHERE type = '${value}'"
|
||||
.replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value)
|
||||
: "-- unconditional for all rows in that table"),
|
||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()),
|
||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), "row")));
|
||||
} else {
|
||||
plPgSql.writeLn("""
|
||||
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
|
||||
-- because there cannot yet be any pre-existing rows in the same table yet.
|
||||
""",
|
||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
|
||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()));
|
||||
}
|
||||
|
||||
plPgSql.writeLn("""
|
||||
/**
|
||||
Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows.
|
||||
*/
|
||||
create or replace function new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf()
|
||||
create or replace function ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
${ifConditionThen}
|
||||
call rbac.grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
|
||||
${superRoleRef});
|
||||
${ifConditionEnd}
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tg
|
||||
after insert on ${rawSuperTable}
|
||||
create trigger z_new_${rawSubTable}_grants_after_insert_tg
|
||||
after insert on ${rawSuperTableWithSchema}
|
||||
for each row
|
||||
execute procedure new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf();
|
||||
execute procedure ${rawSuperTableSchemaName}new_${rawSubTableShortName}_grants_insert_to_${rawSuperTableShortName}_tf();
|
||||
""",
|
||||
with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
|
||||
// TODO.impl: .type needs to be dynamically generated
|
||||
@ -127,8 +127,12 @@ public class InsertTriggerGenerator {
|
||||
? "end if;"
|
||||
: "-- end."),
|
||||
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())),
|
||||
with("rawSuperTableWithSchema", g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSuperTableShortName", g.getSuperRoleDef().getEntityAlias().getRawTableShortName()),
|
||||
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
|
||||
with("rawSuperTableSchemaName", g.getSuperRoleDef().getEntityAlias().getRawTableSchemaPrefix()),
|
||||
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableNameWithSchema()),
|
||||
with("rawSubTableShortName", g.getPermDef().getEntityAlias().getRawTableShortName()));
|
||||
|
||||
});
|
||||
}
|
||||
@ -158,7 +162,7 @@ public class InsertTriggerGenerator {
|
||||
for each row
|
||||
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
||||
""",
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||
|
||||
plPgSql.writeLn("--//");
|
||||
}
|
||||
@ -192,7 +196,7 @@ public class InsertTriggerGenerator {
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
""",
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||
plPgSql.chopEmptyLines();
|
||||
}
|
||||
|
||||
@ -231,7 +235,7 @@ public class InsertTriggerGenerator {
|
||||
""",
|
||||
with("caseCondition", caseCondition),
|
||||
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||
} else {
|
||||
plPgSql.writeLn(
|
||||
"""
|
||||
@ -243,7 +247,7 @@ public class InsertTriggerGenerator {
|
||||
end if;
|
||||
""",
|
||||
with("caseCondition", caseCondition),
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()),
|
||||
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
|
||||
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
||||
@ -255,7 +259,7 @@ public class InsertTriggerGenerator {
|
||||
plPgSql.writeLn();
|
||||
plPgSql.writeLn("""
|
||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), currentSubjectOrAssumedRolesUuids();
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||
@ -264,7 +268,7 @@ public class InsertTriggerGenerator {
|
||||
execute procedure ${rawSubTable}_insert_permission_check_tf();
|
||||
--//
|
||||
""",
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableNameWithSchema()));
|
||||
}
|
||||
|
||||
private String toStringList(final Set<RbacView.CaseDef> cases) {
|
||||
@ -272,7 +276,7 @@ public class InsertTriggerGenerator {
|
||||
}
|
||||
|
||||
private boolean isGrantToADifferentTable(final RbacView.RbacGrantDefinition g) {
|
||||
return !rbacDef.getRootEntityAlias().getRawTableName().equals(g.getSuperRoleDef().getEntityAlias().getRawTableName());
|
||||
return !rbacDef.getRootEntityAlias().getRawTableNameWithSchema().equals(g.getSuperRoleDef().getEntityAlias().getRawTableNameWithSchema());
|
||||
}
|
||||
|
||||
private Stream<RbacView.RbacGrantDefinition> getInsertGrants() {
|
||||
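Review bot: `${rawSubTable}` is now filled from `getRawTableNameWithSchema()` but is still spliced into identifiers: `create trigger z_new_${rawSubTable}_grants_after_insert_tg`, and further down `create trigger ${rawSubTable}_insert_permission_check_tg` and `${rawSubTable}_insert_permission_check_tf()`. PostgreSQL trigger names cannot be schema-qualified, so the first sub-table with a schema prefix would produce SQL that fails to parse, and its check function would land in that schema without anyone having chosen it. The short name is already passed to this template, so the trigger could use it: `create trigger z_new_${rawSubTableShortName}_grants_after_insert_tg`. The permission-check templates need a separate schema-less placeholder, keeping `${rawSubTable}` for the `'INSERT', '${rawSubTable}'` permission key and the error message. The sub-tables visible in this commit carry no schema prefix, so nothing breaks yet.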
|
@ -12,7 +12,7 @@ public class RbacIdentityViewGenerator {
|
||||
this.rbacDef = rbacDef;
|
||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||
}
|
||||
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
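Review bot: The field `rawTableName` now holds the schema-qualified name from `getRawTableNameWithSchema()`, which its name no longer says; the same assignment is made in RbacObjectGenerator, RbacRestrictedViewGenerator, RbacRoleDescriptorsGenerator and RolesGrantsAndPermissionsGenerator. The templates that consume the field are outside these hunks, but any that build a view, function or trigger name from it would get a dot in the middle once a root table has a schema. Renaming the field to `rawTableNameWithSchema` would make each use site show which form it needs. Failing that, a comment such as `// schema-qualified, e.g. rbac.global; do not embed in identifiers` would do.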
|
@ -9,7 +9,7 @@ public class RbacObjectGenerator {
|
||||
|
||||
public RbacObjectGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||
}
|
||||
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
|
@ -13,7 +13,7 @@ public class RbacRestrictedViewGenerator {
|
||||
public RbacRestrictedViewGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||
this.rbacDef = rbacDef;
|
||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||
}
|
||||
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
|
@ -11,7 +11,7 @@ public class RbacRoleDescriptorsGenerator {
|
||||
public RbacRoleDescriptorsGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||
this.simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
||||
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||
}
|
||||
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
|
@ -548,7 +548,7 @@ public class RbacView {
|
||||
}
|
||||
|
||||
public RbacView grantPermission(final Permission perm) {
|
||||
final var forTable = rootEntityAlias.getRawTableName();
|
||||
final var forTable = rootEntityAlias.getRawTableNameWithSchema();
|
||||
findOrCreateGrantDef(findRbacPerm(rootEntityAlias, perm, forTable), superRoleDef).toCreate();
|
||||
return RbacView.this;
|
||||
}
|
||||
@ -937,7 +937,7 @@ public class RbacView {
|
||||
return switch (fetchSql.part) {
|
||||
case SQL_QUERY -> fetchSql;
|
||||
case AUTO_FETCH ->
|
||||
SQL.query("SELECT * FROM " + getRawTableName() + " WHERE uuid = ${ref}." + dependsOnColum.column);
|
||||
SQL.query("SELECT * FROM " + getRawTableNameWithSchema() + " WHERE uuid = ${ref}." + dependsOnColum.column);
|
||||
default -> throw new IllegalStateException("unexpected SQL definition: " + fetchSql);
|
||||
};
|
||||
}
|
||||
@ -960,13 +960,39 @@ public class RbacView {
|
||||
: uncapitalize(withoutEntitySuffix(entityClass.getSimpleName()));
|
||||
}
|
||||
|
||||
String getRawTableName() {
|
||||
String getRawTableNameWithSchema() {
|
||||
if ( aliasName.equals("rbac.global")) {
|
||||
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
|
||||
}
|
||||
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
||||
}
|
||||
|
||||
String getRawTableSchemaPrefix() {
|
||||
final var rawTableNameWithSchema = getRawTableNameWithSchema();
|
||||
final var parts = rawTableNameWithSchema.split("\\.");
|
||||
final var rawTableSchemaPrefix = parts.length > 1 ? parts[0] + "." : "";
|
||||
return rawTableSchemaPrefix;
|
||||
}
|
||||
|
||||
String getRawTableName() {
|
||||
final var rawTableNameWithSchema = getRawTableNameWithSchema();
|
||||
final var parts = rawTableNameWithSchema.split("\\.");
|
||||
final var rawTableName = parts.length > 1 ? parts[1] : rawTableNameWithSchema;
|
||||
return rawTableName;
|
||||
}
|
||||
|
||||
String getRawTableShortName() {
|
||||
// TODO.impl: some combined function and trigger names are too long
|
||||
// maybe we should shorten the table name e.g. hs_office_coopsharestransaction -> hsof.coopsharetx
|
||||
// this is just a workaround:
|
||||
return getRawTableName()
|
||||
.replace("hs_office_", "hsof_")
|
||||
.replace("hs_booking_", "hsbk_")
|
||||
.replace("hs_hosting_", "hsho_")
|
||||
.replace("coopsharestransaction", "coopsharetx")
|
||||
.replace("coopassetstransaction", "coopassettx");
|
||||
}
|
||||
|
||||
String dependsOnColumName() {
|
||||
if (dependsOnColum == null) {
|
||||
throw new IllegalStateException(
|
||||
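Review bot: `getRawTableShortName()` shortens names through a fixed list of replacements but nothing checks the result, and the TODO above it says some combined function and trigger names are already too long. PostgreSQL truncates identifiers beyond 63 bytes with only a notice, so two generated names sharing their first 63 bytes would collide, and `create or replace function` would replace one table's grant function with another's without an error. A length check where the generators assemble the final identifier would turn that into a build failure, e.g. `if (name.length() > 63) throw new IllegalStateException("identifier too long: " + name);`. Separately, `getRawTableNameWithSchema()` reads only `Table.name()`, so an entity that declares its schema through the annotation's `schema` attribute would still be emitted unqualified.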
|
@ -17,7 +17,7 @@ public class RbacViewPostgresGenerator {
|
||||
|
||||
public RbacViewPostgresGenerator(final RbacView forRbacDef) {
|
||||
rbacDef = forRbacDef;
|
||||
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableName().replace("_", "-");
|
||||
liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableNameWithSchema().replace("_", "-");
|
||||
plPgSql.writeLn("""
|
||||
--liquibase formatted sql
|
||||
-- This code generated was by ${generator}, do not amend manually.
|
||||
|
@ -40,7 +40,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
|
||||
simpleEntityVarName = rbacDef.getRootEntityAlias().simpleName();
|
||||
simpleEntityName = capitalize(simpleEntityVarName);
|
||||
rawTableName = rbacDef.getRootEntityAlias().getRawTableName();
|
||||
rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||
}
|
||||
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
@ -77,7 +77,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
plPgSql.writeLn("declare");
|
||||
plPgSql.indented(() -> {
|
||||
referencedEntityAliases()
|
||||
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";"));
|
||||
.forEach((ea) -> plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";"));
|
||||
});
|
||||
|
||||
plPgSql.writeLn();
|
||||
@ -145,8 +145,8 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
plPgSql.indented(() -> {
|
||||
referencedEntityAliases()
|
||||
.forEach((ea) -> {
|
||||
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableName() + ";");
|
||||
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableName() + ";");
|
||||
plPgSql.writeLn(entityRefVar(OLD, ea) + " " + ea.getRawTableNameWithSchema() + ";");
|
||||
plPgSql.writeLn(entityRefVar(NEW, ea) + " " + ea.getRawTableNameWithSchema() + ";");
|
||||
});
|
||||
});
|
||||
|
||||
@ -322,7 +322,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
final var grantSql = switch (grantDef.grantType()) {
|
||||
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
|
||||
case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
|
||||
.replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()")
|
||||
.replace("${assumed}", grantDef.isAssumed() ? "" : ", rbac.unassumed()")
|
||||
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
|
||||
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
||||
case PERM_TO_ROLE ->
|
||||
@ -343,7 +343,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
}
|
||||
|
||||
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||
return permRef("createPermission", ref, permDef);
|
||||
return permRef("rbac.createPermission", ref, permDef);
|
||||
}
|
||||
|
||||
private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||
@ -580,7 +580,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
|
||||
private String toPlPgSqlReference(final RbacView.RbacSubjectReference userRef) {
|
||||
return switch (userRef.role) {
|
||||
case CREATOR -> "currentSubjectUuid()";
|
||||
case CREATOR -> "rbac.currentSubjectUuid()";
|
||||
default -> throw new IllegalArgumentException("unknown user role: " + userRef);
|
||||
};
|
||||
}
|
||||
@ -589,9 +589,9 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
final PostgresTriggerReference triggerRef,
|
||||
final RbacView.RbacRoleDefinition roleDef,
|
||||
final boolean assumed) {
|
||||
final var assumedArg = assumed ? "" : ", unassumed()";
|
||||
final var assumedArg = assumed ? "" : ", rbac.unassumed()";
|
||||
return toRoleRef(roleDef) +
|
||||
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(unassumed())")
|
||||
(roleDef.getEntityAlias().isGlobal() ? ( assumed ? "()" : "(rbac.unassumed())")
|
||||
: rbacDef.isRootEntityAlias(roleDef.getEntityAlias()) ? ("(" + triggerRef.name() + ")")
|
||||
: "(" + toTriggerReference(triggerRef, roleDef.getEntityAlias()) + assumedArg + ")");
|
||||
}
|
||||
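Review bot: The helper calls are now qualified (`rbac.unassumed()`, `rbac.createPermission`, `rbac.currentSubjectUuid()`), but the role descriptor from `toRoleRef(roleDef)` appears to be qualified only for the global role; the re-generated SQL shows `rbac.globalADMIN()` next to an unqualified `hsOfficePersonOWNER(NEW)`. Unqualified calls inside trigger functions are resolved through the search_path in effect when the trigger fires. The generated functions therefore want either every call qualified or a pinned path on the function definition, such as `set search_path = <schemas>` (placeholder). Whether the path is already fixed elsewhere is not visible in this commit. As a smaller style point, the literal `", rbac.unassumed()"` now appears in several places and could come from one constant.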
|
@ -87,7 +87,7 @@ execute procedure insertTriggerForTestCustomer_tf();
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row rbac.global%ROWTYPE;
|
||||
row rbac.global;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
||||
|
||||
@ -96,15 +96,15 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants test_customer INSERT permission to specified role of new rbac.global rows.
|
||||
Grants test_customer INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function new_test_customer_grants_insert_to_global_tf()
|
||||
create or replace function rbac.new_test_customer_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -112,16 +112,16 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_customer_grants_insert_to_global_tg
|
||||
create trigger z_new_test_customer_grants_after_insert_tg
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_test_customer_grants_insert_to_global_tf();
|
||||
execute procedure rbac.new_test_customer_grants_insert_to_global_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
|
@ -183,7 +183,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_package_grants_insert_to_test_customer_tg
|
||||
create trigger z_new_test_package_grants_after_insert_tg
|
||||
after insert on test_customer
|
||||
for each row
|
||||
execute procedure new_test_package_grants_insert_to_test_customer_tf();
|
||||
|
@ -182,7 +182,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_domain_grants_insert_to_test_package_tg
|
||||
create trigger z_new_test_domain_grants_after_insert_tg
|
||||
after insert on test_package
|
||||
for each row
|
||||
execute procedure new_test_domain_grants_insert_to_test_package_tf();
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficePersonOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -164,24 +164,24 @@ execute procedure updateTriggerForHsOfficePartner_tf();
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row rbac.global%ROWTYPE;
|
||||
row rbac.global;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
|
||||
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
|
||||
Grants hs_office_partner INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
||||
create or replace function rbac.new_hsof_partner_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -189,16 +189,16 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
|
||||
create trigger z_new_hs_office_partner_grants_after_insert_tg
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
|
||||
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
|
@ -70,14 +70,14 @@ do language plpgsql $$
|
||||
declare
|
||||
row rbac.global;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
||||
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -85,7 +85,7 @@ $$;
|
||||
/**
|
||||
Grants hs_office_partner_details INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
|
||||
create or replace function rbac.new_hsof_partner_details_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -93,16 +93,16 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
|
||||
create trigger z_new_hs_office_partner_details_grants_after_insert_tg
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
|
||||
execute procedure rbac.new_hsof_partner_details_grants_insert_to_global_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -118,7 +118,7 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if rbac.Global ADMIN
|
||||
-- check INSERT INSERT if rbac.global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeBankAccountOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -130,31 +130,31 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
|
||||
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to rbac.Global ----------------------------
|
||||
-- granting INSERT permission to rbac.global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row rbac.global%ROWTYPE;
|
||||
row rbac.global;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
|
||||
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
|
||||
Grants hs_office_debitor INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
||||
create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -162,16 +162,16 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
|
||||
create trigger z_new_hs_office_debitor_grants_after_insert_tg
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
|
||||
execute procedure rbac.new_hsof_debitor_grants_insert_to_global_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
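Review bot: Nothing visible in the `hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1` changeset drops the earlier trigger `z_new_hs_office_debitor_grants_insert_to_global_tg` or its function before `create trigger z_new_hs_office_debitor_grants_after_insert_tg` is issued on `rbac.global`. Assuming the later line of each printed pair is the new side and this is a Liquibase-style changeset, a database that already ran the earlier version will either reject the edited changeset on checksum or, if it is re-run, end up with both triggers firing for every new `rbac.global` row, with the old unqualified function left behind as a second grant path to `rbac.globalADMIN()`. If any such database exists, put `drop trigger if exists z_new_hs_office_debitor_grants_insert_to_global_tg on rbac.global;` and `drop function if exists new_hs_office_debitor_grants_insert_to_global_tf();` in a new changeset instead of editing `:1` in place. The same applies to the renamed triggers in the sepamandate, membership, coopsharestransaction and coopassetstransaction sections. The hunks show only part of each changeset, so a drop outside the visible lines cannot be ruled out.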
|
@ -50,7 +50,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeSepaMandateOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
@ -129,7 +129,7 @@ $$;
|
||||
/**
|
||||
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
|
||||
*/
|
||||
create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
|
||||
create or replace function new_hsof_sepamandate_grants_insert_to_hsof_relation_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -143,10 +143,10 @@ begin
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
|
||||
create trigger z_new_hs_office_sepamandate_grants_after_insert_tg
|
||||
after insert on hs_office_relation
|
||||
for each row
|
||||
execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
|
||||
execute procedure new_hsof_sepamandate_grants_insert_to_hsof_relation_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
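Review bot: The trigger name `z_new_hs_office_sepamandate_grants_after_insert_tg` keeps the long `hs_office_` form while the function it executes now uses the `hsof_` abbreviation, so the two halves of one generated pair follow different naming rules. PostgreSQL truncates identifiers longer than 63 bytes with only a NOTICE, and `z_new_hs_office_coopsharestransaction_grants_after_insert_tg` in the coopsharestransaction section (60 characters; the coopassetstransaction one is the same length) has three characters of headroom, so a slightly longer table name would silently create a trigger under a different name than the generator emitted. Consider deriving the trigger name from the same abbreviated stem, e.g. `create trigger z_new_hsof_sepamandate_grants_after_insert_tg`, and making the generator fail when an emitted identifier exceeds 63 bytes. The trigger function bodies lie outside these hunks.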
|
@ -99,24 +99,24 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row rbac.global%ROWTYPE;
|
||||
row rbac.global;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
|
||||
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
|
||||
Grants hs_office_membership INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
||||
create or replace function rbac.new_hsof_membership_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -124,16 +124,16 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||
rbac.globalAdmin());
|
||||
rbac.globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
|
||||
create trigger z_new_hs_office_membership_grants_after_insert_tg
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
|
||||
execute procedure rbac.new_hsof_membership_grants_insert_to_global_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -149,7 +149,7 @@ create or replace function hs_office_membership_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if rbac.Global ADMIN
|
||||
-- check INSERT INSERT if rbac.global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
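Review bot: The regenerated comment `-- check INSERT INSERT if rbac.global ADMIN` in `hs_office_membership_insert_permission_check_tf` still doubles the permission name, and the `base.defineContext(...)` string in the `do` block still reads `pre-exising`. Since the generator templates are being amended in this commit, both are best fixed there, e.g. `-- check INSERT permission if rbac.global ADMIN` and `... permissions for pre-existing rbac.global rows`. The context string is presumably what gets recorded alongside these grants, so the misspelling would make those entries harder to search for; confirm against `base.defineContext`. The same text appears in the debitor and partner-details sections, and the check function continues past the end of its hunk.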
|
@ -92,7 +92,7 @@ $$;
|
||||
/**
|
||||
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
|
||||
*/
|
||||
create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
|
||||
create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -106,10 +106,10 @@ begin
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
|
||||
create trigger z_new_hs_office_coopsharestransaction_grants_after_insert_tg
|
||||
after insert on hs_office_membership
|
||||
for each row
|
||||
execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
|
||||
execute procedure new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
|
@ -92,7 +92,7 @@ $$;
|
||||
/**
|
||||
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
|
||||
*/
|
||||
create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
|
||||
create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -106,10 +106,10 @@ begin
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
|
||||
create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
|
||||
after insert on hs_office_membership
|
||||
for each row
|
||||
execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
|
||||
execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
|