fix relationship-related grants (WIP)
parent
ecc91592b0
commit
443b9b4b8a
@ -1,5 +1,5 @@
|
||||
package net.hostsharing.hsadminng.rbac.rbacrole;
|
||||
|
||||
public enum RbacRoleType {
|
||||
owner, admin, agent, tenant, guest
|
||||
owner, admin, agent, tenant, guest, referrer
|
||||
}
|
||||
|
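Review bot: The new `referrer` constant carries no comment saying how it differs from `guest`, and after this commit both coexist in the enum. Elsewhere in the same commit referrer roles are created with only the `view` permission and hang directly under the entity's admin role, so a one-line Javadoc such as `/** view-only role granted to roles of entities that reference this one; replaces guest for such back-references */` would spare the next reader the guesswork, adjusted if guest is meant to stay for some other purpose. This enum also has to stay in lockstep with the SQL `RbacRoleType` enum and the OpenAPI enum changed in this commit, which is worth a short note here since nothing enforces it.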
@ -22,5 +22,6 @@ components:
|
||||
- owner
|
||||
- admin
|
||||
- tenant
|
||||
- referrer
|
||||
roleName:
|
||||
type: string
|
||||
|
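Review bot: The visible OpenAPI enum lists `owner`, `admin`, `tenant` and now `referrer`, but `agent` and `guest` do not appear in this hunk although both exist in the Java and SQL `RbacRoleType` enums. If they are not declared above the hunk, the API schema mis-documents or rejects role names the backend can actually return; add `- agent` and `- guest` in the same order as the Java enum so the three definitions agree. If they are present above the hunk, ignore this.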
@ -187,7 +187,7 @@ end; $$;
|
||||
|
||||
*/
|
||||
|
||||
create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest');
|
||||
create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest', 'referrer');
|
||||
|
||||
create table RbacRole
|
||||
(
|
||||
|
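Review bot: Adding `'referrer'` to the `create type RbacRoleType as enum (...)` statement only takes effect on databases that are built from scratch; an existing database keeps the old enum, and the new grants that use the referrer role will then fail with an invalid enum value. If this script is applied as a versioned migration, the in-place edit also changes the changeset's checksum. Either the schema is always rebuilt, in which case the commit message should say so, or a new changeset with `alter type RbacRoleType add value 'referrer';` is the right vehicle. Postgres also orders enum values by declaration, so placing `referrer` after `guest` matters if any code compares role types by enum order.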
@ -27,10 +27,12 @@ begin
|
||||
perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole');
|
||||
perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser');
|
||||
|
||||
raise notice 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume;
|
||||
|
||||
insert
|
||||
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||
values (grantedByRoleUuid, userUuid, roleUuid, doAssume);
|
||||
-- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same?
|
||||
-- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same?
|
||||
-- Most powerful or latest grant wins? What about managed?
|
||||
-- on conflict do nothing; -- allow granting multiple times
|
||||
end; $$;
|
||||
|
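Review bot: The `insert into RbacGrants` at the end of this function is still unguarded against a second grant of the same role to the same user, and the TODO.spec above it (now with the typo fixed) leaves the conflict policy open; a second call either raises on a unique constraint, if one exists on (ascendantUuid, descendantUuid), or silently creates a duplicate row that a later revoke may only partially remove. Since this is the path that hands roles to users, the policy should be decided rather than left as the commented `on conflict do nothing`; if duplicates with differing `assumed` flags are meant to be rejected, say so in the comment and enforce it with the constraint. The function signature and any check that the caller actually holds `grantedByRoleUuid` start above the hunk, so that part is not visible here.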
@ -136,6 +136,7 @@ begin
|
||||
raise exception '[401] currentUserUuid cannot be determined, please call `defineContext(...)` first;"';
|
||||
end if;
|
||||
end if;
|
||||
raise notice 'currentUserUuid %', currentUserUuid;
|
||||
return currentUserUuid::uuid;
|
||||
end; $$;
|
||||
--//
|
||||
|
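Review bot: The added `raise notice 'currentUserUuid %', currentUserUuid;` fires on every call of this function, which, judging by the `defineContext` error above it, sits on the path of every context-dependent query, and writes the user identity to the server log at NOTICE level. That is fine for local debugging but should not land: either drop it before the WIP merges or use `raise debug 'currentUserUuid %', currentUserUuid;` so it stays silent unless `client_min_messages` is lowered. Adjacent and pre-existing: the exception text on the `[401]` line ends with `first;"'`, a stray double quote that ends up in the error message. The function starts above the hunk.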
@ -46,14 +46,9 @@ begin
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeContactTenant(NEW),
|
||||
incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeContactGuest(NEW),
|
||||
hsOfficeContactReferrer(NEW),
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[hsOfficeContactTenant(NEW)]
|
||||
incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
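Review bot: Replacing the guest role with `hsOfficeContactReferrer(NEW)` also moves its incoming super role from `hsOfficeContactTenant(NEW)` to `hsOfficeContactAdmin(NEW)`, so the tenant role created just above no longer has any visible outgoing grant: before, tenant reached `view` through guest, now tenant inherits nothing from referrer. Unless the tenant role gets its own `permissions => array['view']` somewhere above this hunk, contact tenants lose read access with this commit. If tenant is meant to keep view access, keep the chain with `incomingSuperRoles => array[hsOfficeContactTenant(NEW)]` on the referrer call (admin still reaches it via tenant) or give tenant the permission explicitly; if guest is deliberately dropped for contacts, a grant test should assert the guest role no longer exists. The trigger function starts above the hunk.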
@ -45,14 +45,9 @@ begin
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePersonTenant(NEW),
|
||||
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePersonGuest(NEW),
|
||||
hsOfficePersonReferrer(NEW),
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[hsOfficePersonTenant(NEW)]
|
||||
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
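Review bot: Same structural question as for the contact trigger: `hsOfficePersonReferrer(NEW)` now hangs under `hsOfficePersonAdmin(NEW)` instead of `hsOfficePersonTenant(NEW)`, so the person tenant role created above it has no visible path to the `view` permission any more. If tenant should still be able to read the person, route the referrer under tenant with `incomingSuperRoles => array[hsOfficePersonTenant(NEW)]`, or give the tenant role its own `permissions => array['view']`; if not, document the intended person role ladder (owner > admin > tenant, referrer under admin) in the trigger's header comment, which starts above this hunk.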
@ -28,7 +28,7 @@ begin
|
||||
call defineContext(currentTask, null, emailAddr);
|
||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||
|
||||
raise notice 'creating test person: %', fullName;
|
||||
raise notice 'creating test person: % by %', fullName, emailAddr;
|
||||
insert
|
||||
into hs_office_person (persontype, tradename, givenname, familyname)
|
||||
values (newPersonType, newTradeName, newGivenName, newFamilyName);
|
||||
|
@ -74,9 +74,9 @@ begin
|
||||
hsOfficeRelationshipAdmin(NEW)
|
||||
],
|
||||
outgoingSubRoles => array[
|
||||
-- hsOfficePersonAdmin(newAnchorPerson),
|
||||
-- hsOfficePersonAdmin(newHolderPerson),
|
||||
hsOfficeContactAdmin(newContact)
|
||||
hsOfficePersonReferrer(newAnchorPerson),
|
||||
hsOfficePersonReferrer(newHolderPerson),
|
||||
hsOfficeContactReferrer(newContact)
|
||||
]
|
||||
);
|
||||
|
||||
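Review bot: The relationship role built here now pushes `hsOfficePersonReferrer(newAnchorPerson)` and `hsOfficePersonReferrer(newHolderPerson)` as outgoing sub roles, but the UPDATE branch of the same trigger in the next hunk only revokes and re-grants contact roles when the contact changes; there is no matching revoke/grant pair for the two person referrer grants. If `relAnchorUuid` or `relHolderUuid` can change after insert, the old persons stay readable through the relationship role and the new ones are not; if those columns are immutable, a comment saying so on the update branch would make that explicit. The `createRoleWithGrants(...)` call starts above the hunk, so which relationship role receives these sub roles is not visible here.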
@ -91,8 +91,8 @@ begin
|
||||
call revokeRoleFromRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(oldContact) );
|
||||
call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact) );
|
||||
|
||||
call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficeRelationshipAgent(NEW) );
|
||||
call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficeRelationshipAgent(NEW) );
|
||||
call revokeRoleFromRole( hsOfficeContactAdmin(oldContact), hsOfficeRelationshipAgent(NEW) );
|
||||
call grantRoleToRole( hsOfficeContactAdmin(newContact), hsOfficeRelationshipAgent(NEW) );
|
||||
end if;
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER';
|
||||
|
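Review bot: This update branch still wires `hsOfficeContactAdmin(newContact)` to the relationship roles, both in the unchanged `hsOfficeRelationshipTenant(NEW)` / `hsOfficeContactAdmin(newContact)` pair and in the pair changed here from `hsOfficeContactTenant` to `hsOfficeContactAdmin`, while the insert path in the previous hunk was changed to use `hsOfficeContactReferrer(newContact)` as the outgoing sub role. After an update of the contact the grant graph therefore differs from that of a freshly inserted relationship, and whichever side is the intended one, the other grants more than it should. Mirror the insert path here, e.g. `call revokeRoleFromRole( hsOfficeContactReferrer(oldContact), hsOfficeRelationshipAgent(NEW) );` / `call grantRoleToRole( hsOfficeContactReferrer(newContact), hsOfficeRelationshipAgent(NEW) );`, assuming `grantRoleToRole` takes (sub, super) as the debitor trigger's use suggests; I cannot confirm the argument convention from this hunk, so check it before copying.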
@ -79,7 +79,7 @@ begin
|
||||
hsOfficeBankAccountAdmin(newBankaccount)],
|
||||
outgoingSubRoles => array[
|
||||
hsOfficeRelationshipTenant(newPartnerRel),
|
||||
hsOfficeContactGuest(newContact),
|
||||
hsOfficeContactReferrer(newContact),
|
||||
hsOfficeBankAccountGuest(newBankaccount)]
|
||||
);
|
||||
|
||||
@ -112,8 +112,8 @@ begin
|
||||
call revokeRoleFromRole(hsOfficeDebitorAgent(OLD), hsOfficeContactAdmin(oldContact));
|
||||
call grantRoleToRole(hsOfficeDebitorAgent(NEW), hsOfficeContactAdmin(newContact));
|
||||
|
||||
call revokeRoleFromRole(hsOfficeContactGuest(oldContact), hsOfficeDebitorTenant(OLD));
|
||||
call grantRoleToRole(hsOfficeContactGuest(newContact), hsOfficeDebitorTenant(NEW));
|
||||
call revokeRoleFromRole(hsOfficeContactReferrer(oldContact), hsOfficeDebitorTenant(OLD));
|
||||
call grantRoleToRole(hsOfficeContactReferrer(newContact), hsOfficeDebitorTenant(NEW));
|
||||
end if;
|
||||
|
||||
if (OLD.refundBankAccountUuid is not null or NEW.refundBankAccountUuid is not null) and
|
||||
|
@ -456,6 +456,7 @@ public class ImportOfficeData extends ContextBasedTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
@Disabled
|
||||
@Order(3000)
|
||||
@Commit
|
||||
void persistEntities() {
|
||||
|
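Review bot: `@Disabled` is added without a reason string, so the `persistEntities` import test, which also carries `@Commit` and therefore writes to the database, silently drops out of the suite with nothing in the report explaining why or when to re-enable it. Use `@Disabled("WIP: referrer role grants for relationships not finished yet")`, or whatever the actual blocker is, so the skip is visible in test output and is not forgotten once the grants are fixed. If later `@Order`ed tests depend on the data this one commits, they will fail or run vacuously while it is disabled, which deserves a line in the commit message.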
@ -3,6 +3,7 @@ package net.hostsharing.hsadminng.hs.office.relationship;
|
||||
import net.hostsharing.hsadminng.context.Context;
|
||||
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRepository;
|
||||
import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRepository;
|
||||
import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonType;
|
||||
import net.hostsharing.hsadminng.hs.office.test.ContextBasedTestWithCleanup;
|
||||
import net.hostsharing.hsadminng.rbac.rbacgrant.RawRbacGrantRepository;
|
||||
import net.hostsharing.hsadminng.rbac.rbacrole.RawRbacRoleRepository;
|
||||
@ -146,7 +147,9 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllRelationshipsOfArbitraryPerson() {
|
||||
// given
|
||||
context("superuser-alex@hostsharing.net");
|
||||
final var person = personRepo.findPersonByOptionalNameLike("Second e.K.").stream().findFirst().orElseThrow();
|
||||
final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
|
||||
.filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
|
||||
.findFirst().orElseThrow();
|
||||
|
||||
// when
|
||||
final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());
|
||||
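Review bot: `findPersonByOptionalNameLike("Smith")` followed by the `NATURAL_PERSON` filter and `findFirst()` picks whichever matching natural person the repository happens to return first, so the test depends on result order and on there being exactly one natural person whose name contains "Smith" in the fixtures. The expected relationships below are all for `NP Smith, Peter`, so pin that person rather than relying on order, for example by also filtering on the given name if the entity exposes it, or by using an exact-name lookup. The assertions of this test continue past the hunk.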
@ -154,15 +157,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
|
||||
// then
|
||||
allTheseRelationshipsAreReturned(
|
||||
result,
|
||||
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='LP Second e.K.', contact='second contact')",
|
||||
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')");
|
||||
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
|
||||
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
|
||||
"rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void normalUser_canViewRelationshipsOfOwnedPersons() {
|
||||
// given:
|
||||
context("person-FirstGmbH@example.com");
|
||||
final var person = personRepo.findPersonByOptionalNameLike("First").stream().findFirst().orElseThrow();
|
||||
context("person-SmithPeter@example.com");
|
||||
final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
|
||||
.filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
|
||||
.findFirst().orElseThrow();
|
||||
|
||||
// when:
|
||||
final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());
|
||||
|
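Review bot: `normalUser_canViewRelationshipsOfOwnedPersons` now runs as `person-SmithPeter@example.com` against the same Peter Smith the global-admin test uses, so whether it still proves anything about ownership depends on the assertions after the hunk: if it expects the same three relationships the admin sees, it no longer distinguishes an owner from a global admin. Since the commit routes relationship visibility through person referrer roles, this test or a sibling should also cover the negative case, that a user holding only a referrer role on one person does not see relationships of other persons. The same order-dependent `findFirst()` lookup as in the admin test applies here; pinning the given name would make both deterministic.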