From 41ba4668080a344637d4c1da312ea794200aa72d Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 13 Apr 2024 13:27:24 +0200 Subject: [PATCH] patch generated rbac trigger to fix too broad INSERT grants --- .../601-booking-item/6013-hs-booking-item-rbac.sql | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql index 8dd6b954..aa138789 100644 --- a/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql @@ -104,25 +104,28 @@ do language plpgsql $$ call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows'); FOR row IN SELECT * FROM hs_office_relation + WHERE type in ('DEBITOR') -- TODO.rbac: currently manually patched, needs to be generated LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_booking_item'), - hsOfficeRelationADMIN(row)); + createPermission(row.uuid, 'INSERT', 'hs_booking_item'), + hsOfficeRelationADMIN(row)); END LOOP; END; $$; /** - Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows. + Adds hs_booking_item INSERT permission to specified roleNSERT permission to specified role of new hs_office_relation rows. */ create or replace function hs_booking_item_hs_office_relation_insert_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + if NEW.type = 'DEBITOR' then -- TODO.rbac: currently manually patched, needs to be generated + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), hsOfficeRelationADMIN(NEW)); + end if; return NEW; end; $$;