patch generated rbac trigger to fix too broad INSERT grants

src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.sql

@@ -104,25 +104,28 @@ do language plpgsql $$
         call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows');
 
         FOR row IN SELECT * FROM hs_office_relation
+                WHERE type in ('DEBITOR') -- TODO.rbac: currently manually patched, needs to be generated
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+                createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
-                    hsOfficeRelationADMIN(row));
+                hsOfficeRelationADMIN(row));
             END LOOP;
     END;
 $$;
 
 /**
-    Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows.
+    Adds hs_booking_item INSERT permission to specified roleNSERT permission to specified role of new hs_office_relation rows.
 */
 create or replace function hs_booking_item_hs_office_relation_insert_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    if NEW.type = 'DEBITOR' then -- TODO.rbac: currently manually patched, needs to be generated
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
             hsOfficeRelationADMIN(NEW));
+    end if;
     return NEW;
 end; $$;