From 4521c42e21ab26da013e5d14317038fff07a59ec Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Fri, 26 Apr 2024 12:27:04 +0200
Subject: [PATCH] re-generated all RBAC.sql
---
 .../2013-test-customer-rbac.sql | 51 ++++++++----
 .../2023-test-package-rbac.sql | 53 ++++++++-----
 .../203-test-domain/2033-test-domain-rbac.sql | 53 ++++++++-----
 .../5013-hs-office-contact-rbac.sql | 44 +----------
 .../502-person/5023-hs-office-person-rbac.sql | 44 +----------
 .../5033-hs-office-relation-rbac.sql | 53 ++++++++-----
 .../5043-hs-office-partner-rbac.sql | 51 ++++++++----
 .../5044-hs-office-partner-details-rbac.sql | 59 +++++++++-----
 .../5053-hs-office-bankaccount-rbac.sql | 44 +----------
 .../5063-hs-office-debitor-rbac.sql | 59 +++++++++-----
 .../5073-hs-office-sepamandate-rbac.sql | 77 ++++++++++---------
 .../5103-hs-office-membership-rbac.sql | 59 +++++++++-----
 .../5113-hs-office-coopshares-rbac.sql | 53 ++++++++-----
 .../5123-hs-office-coopassets-rbac.sql | 53 ++++++++-----
 14 files changed, 395 insertions(+), 358 deletions(-)
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
index 2f9ea4de..14767c4b 100644
--- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
@@ -77,66 +77,82 @@ execute procedure insertTriggerForTestCustomer_tf(); -- ============================================================================ ---changeset test-customer-rbac-INSERT:1 endDelimiter:--// +--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to global ---------------------------- + /* - Creates INSERT INTO test_customer permissions for the related global rows. + Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows. */ do language plpgsql $$ declare row global; begin - call defineContext('create INSERT INTO test_customer permissions for the related global rows'); + call defineContext('create INSERT INTO test_customer permissions for pre-exising global rows'); FOR row IN SELECT * FROM global + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'test_customer'), - globalADMIN()); + createPermission(row.uuid, 'INSERT', 'test_customer'), + globalADMIN()); END LOOP; - END; + end; $$; /** - Adds test_customer INSERT permission to specified role of new global rows. + Grants test_customer INSERT permission to specified role of new global rows. */ -create or replace function test_customer_global_insert_tf() +create or replace function new_test_customer_grants_insert_to_global_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'test_customer'), globalADMIN()); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_test_customer_global_insert_tg +create trigger z_new_test_customer_grants_insert_to_global_tg after insert on global for each row -execute procedure test_customer_global_insert_tf(); +execute procedure new_test_customer_grants_insert_to_global_tf(); + + +-- ============================================================================ +--changeset test_customer-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to test_customer, - where only global-admin has that permission. + Checks if the user respectively the assumed roles are allowed to insert a row to test_customer. */ -create or replace function test_customer_insert_permission_missing_tf() +create or replace function test_customer_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT INSERT if global ADMIN + if isGlobalAdmin() then + return NEW; + end if; + raise exception '[403] insert into test_customer not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger test_customer_insert_permission_check_tg before insert on test_customer for each row - when ( not isGlobalAdmin() ) - execute procedure test_customer_insert_permission_missing_tf(); + execute procedure test_customer_insert_permission_check_tf(); --// + -- ============================================================================ --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- 
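Review bot: `superObjectUuid uuid;` is declared in the new `test_customer_insert_permission_check_tf` but never read — the only branch is `isGlobalAdmin()` — so the generator emits a dead declaration; either drop it or have the template omit the `declare` block when no super-object lookup is needed. The comment above that branch reads `-- check INSERT INSERT if global ADMIN` (doubled word), and the `defineContext(...)` string says `pre-exising` where `pre-existing` is meant; both come from the template, so fixing them there fixes every generated file. The two new changeset ids also disagree in style, `test-customer-rbac-GRANTING-INSERT-PERMISSION` versus `test_customer-rbac-CHECKING-INSERT-PERMISSION` (hyphenated prefix vs raw table name), which makes them harder to grep consistently. The same points apply to the corresponding hunks in 2023-test-package-rbac.sql, 2033-test-domain-rbac.sql, 5033-hs-office-relation-rbac.sql, 5043-hs-office-partner-rbac.sql and 5044-hs-office-partner-details-rbac.sql.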
@@ -147,6 +163,7 @@ call generateRbacIdentityViewFromProjection('test_customer', $idName$); --// + -- ============================================================================ --changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql index 26506b8d..fd832ccf 100644 --- a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql +++ b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql 
@@ -142,68 +142,82 @@ execute procedure updateTriggerForTestPackage_tf(); -- ============================================================================ ---changeset test-package-rbac-INSERT:1 endDelimiter:--// +--changeset test-package-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to test_customer ---------------------------- + /* - Creates INSERT INTO test_package permissions for the related test_customer rows. + Grants INSERT INTO test_package permissions to specified role of pre-existing test_customer rows. */ do language plpgsql $$ declare row test_customer; begin - call defineContext('create INSERT INTO test_package permissions for the related test_customer rows'); + call defineContext('create INSERT INTO test_package permissions for pre-exising test_customer rows'); FOR row IN SELECT * FROM test_customer + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'test_package'), - testCustomerADMIN(row)); + createPermission(row.uuid, 'INSERT', 'test_package'), + testCustomerADMIN(row)); END LOOP; - END; + end; $$; /** - Adds test_package INSERT permission to specified role of new test_customer rows. + Grants test_package INSERT permission to specified role of new test_customer rows. */ -create or replace function test_package_test_customer_insert_tf() +create or replace function new_test_package_grants_insert_to_test_customer_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'test_package'), testCustomerADMIN(NEW)); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_test_package_test_customer_insert_tg +create trigger z_new_test_package_grants_insert_to_test_customer_tg after insert on test_customer for each row -execute procedure test_package_test_customer_insert_tf(); +execute procedure new_test_package_grants_insert_to_test_customer_tf(); + + +-- ============================================================================ +--changeset test_package-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to test_package, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. + Checks if the user respectively the assumed roles are allowed to insert a row to test_package. */ -create or replace function test_package_insert_permission_missing_tf() +create or replace function test_package_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT permission via direct foreign key: NEW.customerUuid + if hasInsertPermission(NEW.customerUuid, 'test_package') then + return NEW; + end if; + raise exception '[403] insert into test_package not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger test_package_insert_permission_check_tg before insert on test_package for each row - when ( not hasInsertPermission(NEW.customerUuid, 'test_package') ) - execute procedure test_package_insert_permission_missing_tf(); + execute procedure test_package_insert_permission_check_tf(); --// + -- ============================================================================ --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- 
---------------------------------------------------------------------------- @@ -214,6 +228,7 @@ call generateRbacIdentityViewFromProjection('test_package', $idName$); --// + -- ============================================================================ --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql index fab5c04f..d6f32001 100644 --- a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql 
@@ -141,68 +141,82 @@ execute procedure updateTriggerForTestDomain_tf(); -- ============================================================================ ---changeset test-domain-rbac-INSERT:1 endDelimiter:--// +--changeset test-domain-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to test_package ---------------------------- + /* - Creates INSERT INTO test_domain permissions for the related test_package rows. + Grants INSERT INTO test_domain permissions to specified role of pre-existing test_package rows. */ do language plpgsql $$ declare row test_package; begin - call defineContext('create INSERT INTO test_domain permissions for the related test_package rows'); + call defineContext('create INSERT INTO test_domain permissions for pre-exising test_package rows'); FOR row IN SELECT * FROM test_package + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'test_domain'), - testPackageADMIN(row)); + createPermission(row.uuid, 'INSERT', 'test_domain'), + testPackageADMIN(row)); END LOOP; - END; + end; $$; /** - Adds test_domain INSERT permission to specified role of new test_package rows. + Grants test_domain INSERT permission to specified role of new test_package rows. */ -create or replace function test_domain_test_package_insert_tf() +create or replace function new_test_domain_grants_insert_to_test_package_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'test_domain'), testPackageADMIN(NEW)); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_test_domain_test_package_insert_tg +create trigger z_new_test_domain_grants_insert_to_test_package_tg after insert on test_package for each row -execute procedure test_domain_test_package_insert_tf(); +execute procedure new_test_domain_grants_insert_to_test_package_tf(); + + +-- ============================================================================ +--changeset test_domain-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to test_domain, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. + Checks if the user respectively the assumed roles are allowed to insert a row to test_domain. */ -create or replace function test_domain_insert_permission_missing_tf() +create or replace function test_domain_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT permission via direct foreign key: NEW.packageUuid + if hasInsertPermission(NEW.packageUuid, 'test_domain') then + return NEW; + end if; + raise exception '[403] insert into test_domain not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger test_domain_insert_permission_check_tg before insert on test_domain for each row - when ( not hasInsertPermission(NEW.packageUuid, 'test_domain') ) - execute procedure test_domain_insert_permission_missing_tf(); + execute procedure test_domain_insert_permission_check_tf(); --// + -- ============================================================================ --changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- 
---------------------------------------------------------------------------- @@ -213,6 +227,7 @@ call generateRbacIdentityViewFromProjection('test_domain', $idName$); --// + -- ============================================================================ --changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql index 0f53b167..3bbf3ca2 100644 --- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql 
@@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficeContact_tf(); --// --- ============================================================================ ---changeset hs-office-contact-rbac-INSERT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates INSERT INTO hs_office_contact permissions for the related global rows. - */ -do language plpgsql $$ - declare - row global; - begin - call defineContext('create INSERT INTO hs_office_contact permissions for the related global rows'); - - FOR row IN SELECT * FROM global - LOOP - call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_contact'), - globalGUEST()); - END LOOP; - END; -$$; - -/** - Adds hs_office_contact INSERT permission to specified role of new global rows. -*/ -create or replace function hs_office_contact_global_insert_tf() - returns trigger - language plpgsql - strict as $$ -begin - call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_contact'), - globalGUEST()); - return NEW; -end; $$; - --- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_contact_global_insert_tg - after insert on global - for each row -execute procedure hs_office_contact_global_insert_tf(); ---// - -- ============================================================================ --changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- @@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_contact', $idName$); --// + -- ============================================================================ --changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- 
diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql index 0d983725..bdaca63c 100644 --- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql @@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficePerson_tf(); --// --- ============================================================================ ---changeset hs-office-person-rbac-INSERT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates INSERT INTO hs_office_person permissions for the related global rows. - */ -do language plpgsql $$ - declare - row global; - begin - call defineContext('create INSERT INTO hs_office_person permissions for the related global rows'); - - FOR row IN SELECT * FROM global - LOOP - call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_person'), - globalGUEST()); - END LOOP; - END; -$$; - -/** - Adds hs_office_person INSERT permission to specified role of new global rows. -*/ -create or replace function hs_office_person_global_insert_tf() - returns trigger - language plpgsql - strict as $$ -begin - call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_person'), - globalGUEST()); - return NEW; -end; $$; - --- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_person_global_insert_tg - after insert on global - for each row -execute procedure hs_office_person_global_insert_tf(); ---// - -- ============================================================================ --changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- 
@@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_person', $idName$); --// + -- ============================================================================ --changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql index 9aca367d..63c2061a 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql 
@@ -151,68 +151,82 @@ execute procedure updateTriggerForHsOfficeRelation_tf(); -- ============================================================================ ---changeset hs-office-relation-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-relation-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to hs_office_person ---------------------------- + /* - Creates INSERT INTO hs_office_relation permissions for the related hs_office_person rows. + Grants INSERT INTO hs_office_relation permissions to specified role of pre-existing hs_office_person rows. */ do language plpgsql $$ declare row hs_office_person; begin - call defineContext('create INSERT INTO hs_office_relation permissions for the related hs_office_person rows'); + call defineContext('create INSERT INTO hs_office_relation permissions for pre-exising hs_office_person rows'); FOR row IN SELECT * FROM hs_office_person + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_relation'), - hsOfficePersonADMIN(row)); + createPermission(row.uuid, 'INSERT', 'hs_office_relation'), + hsOfficePersonADMIN(row)); END LOOP; - END; + end; $$; /** - Adds hs_office_relation INSERT permission to specified role of new hs_office_person rows. + Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows. */ -create or replace function hs_office_relation_hs_office_person_insert_tf() +create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'), hsOfficePersonADMIN(NEW)); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_relation_hs_office_person_insert_tg +create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg after insert on hs_office_person for each row -execute procedure hs_office_relation_hs_office_person_insert_tf(); +execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf(); + + +-- ============================================================================ +--changeset hs_office_relation-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_relation, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_relation. 
*/ -create or replace function hs_office_relation_insert_permission_missing_tf() +create or replace function hs_office_relation_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT permission via direct foreign key: NEW.anchorUuid + if hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then + return NEW; + end if; + raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_relation_insert_permission_check_tg before insert on hs_office_relation for each row - when ( not hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') ) - execute procedure hs_office_relation_insert_permission_missing_tf(); + execute procedure hs_office_relation_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- @@ -225,6 +239,7 @@ call generateRbacIdentityViewFromProjection('hs_office_relation', $idName$); --// + -- ============================================================================ --changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index 7d263dbd..520ef180 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql 
@@ -154,66 +154,82 @@ execute procedure updateTriggerForHsOfficePartner_tf(); -- ============================================================================ ---changeset hs-office-partner-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to global ---------------------------- + /* - Creates INSERT INTO hs_office_partner permissions for the related global rows. + Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows. */ do language plpgsql $$ declare row global; begin - call defineContext('create INSERT INTO hs_office_partner permissions for the related global rows'); + call defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows'); FOR row IN SELECT * FROM global + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_partner'), - globalADMIN()); + createPermission(row.uuid, 'INSERT', 'hs_office_partner'), + globalADMIN()); END LOOP; - END; + end; $$; /** - Adds hs_office_partner INSERT permission to specified role of new global rows. + Grants hs_office_partner INSERT permission to specified role of new global rows. */ -create or replace function hs_office_partner_global_insert_tf() +create or replace function new_hs_office_partner_grants_insert_to_global_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), globalADMIN()); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_partner_global_insert_tg +create trigger z_new_hs_office_partner_grants_insert_to_global_tg after insert on global for each row -execute procedure hs_office_partner_global_insert_tf(); +execute procedure new_hs_office_partner_grants_insert_to_global_tf(); + + +-- ============================================================================ +--changeset hs_office_partner-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_partner, - where only global-admin has that permission. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_partner. */ -create or replace function hs_office_partner_insert_permission_missing_tf() +create or replace function hs_office_partner_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT INSERT if global ADMIN + if isGlobalAdmin() then + return NEW; + end if; + raise exception '[403] insert into hs_office_partner not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_partner_insert_permission_check_tg before insert on hs_office_partner for each row - when ( not isGlobalAdmin() ) - execute procedure hs_office_partner_insert_permission_missing_tf(); + execute procedure hs_office_partner_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- 
@@ -224,6 +240,7 @@ call generateRbacIdentityViewFromProjection('hs_office_partner', $idName$); --// + -- ============================================================================ --changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql index c99639bb..bf0fe164 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql 
@@ -58,79 +58,96 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf(); -- ============================================================================ ---changeset hs-office-partner-details-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to global ---------------------------- + /* - Creates INSERT INTO hs_office_partner_details permissions for the related global rows. + Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows. */ do language plpgsql $$ declare row global; begin - call defineContext('create INSERT INTO hs_office_partner_details permissions for the related global rows'); + call defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows'); FOR row IN SELECT * FROM global + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), - globalADMIN()); + createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), + globalADMIN()); END LOOP; - END; + end; $$; /** - Adds hs_office_partner_details INSERT permission to specified role of new global rows. + Grants hs_office_partner_details INSERT permission to specified role of new global rows. */ -create or replace function hs_office_partner_details_global_insert_tf() +create or replace function new_hs_office_partner_details_grants_insert_to_global_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), globalADMIN()); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_partner_details_global_insert_tg +create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg after insert on global for each row -execute procedure hs_office_partner_details_global_insert_tf(); +execute procedure new_hs_office_partner_details_grants_insert_to_global_tf(); + + +-- ============================================================================ +--changeset hs_office_partner_details-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_partner_details, - where only global-admin has that permission. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_partner_details. */ -create or replace function hs_office_partner_details_insert_permission_missing_tf() +create or replace function hs_office_partner_details_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT INSERT if global ADMIN + if isGlobalAdmin() then + return NEW; + end if; + raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_partner_details_insert_permission_check_tg before insert on hs_office_partner_details for each row - when ( not isGlobalAdmin() ) - execute procedure hs_office_partner_details_insert_permission_missing_tf(); + execute procedure hs_office_partner_details_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- 
---------------------------------------------------------------------------- - call generateRbacIdentityViewFromQuery('hs_office_partner_details', - $idName$ - SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName +call generateRbacIdentityViewFromQuery('hs_office_partner_details', + $idName$ + SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName FROM hs_office_partner_details AS partnerDetails JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid - $idName$); + $idName$); --// + -- ============================================================================ --changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql index c12c4c88..724dd658 100644 --- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql 
@@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf(); --// --- ============================================================================ ---changeset hs-office-bankaccount-rbac-INSERT:1 endDelimiter:--// --- ---------------------------------------------------------------------------- - -/* - Creates INSERT INTO hs_office_bankaccount permissions for the related global rows. - */ -do language plpgsql $$ - declare - row global; - begin - call defineContext('create INSERT INTO hs_office_bankaccount permissions for the related global rows'); - - FOR row IN SELECT * FROM global - LOOP - call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_bankaccount'), - globalGUEST()); - END LOOP; - END; -$$; - -/** - Adds hs_office_bankaccount INSERT permission to specified role of new global rows. -*/ -create or replace function hs_office_bankaccount_global_insert_tf() - returns trigger - language plpgsql - strict as $$ -begin - call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_bankaccount'), - globalGUEST()); - return NEW; -end; $$; - --- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_bankaccount_global_insert_tg - after insert on global - for each row -execute procedure hs_office_bankaccount_global_insert_tf(); ---// - -- ============================================================================ --changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- @@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount', $idName$); --// + -- ============================================================================ --changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- 
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
index 59ac43e8..12f4f09d 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
@@ -127,73 +127,89 @@ execute procedure updateTriggerForHsOfficeDebitor_tf(); -- ============================================================================ ---changeset hs-office-debitor-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to global ---------------------------- + /* - Creates INSERT INTO hs_office_debitor permissions for the related global rows. + Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows. */ do language plpgsql $$ declare row global; begin - call defineContext('create INSERT INTO hs_office_debitor permissions for the related global rows'); + call defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows'); FOR row IN SELECT * FROM global + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), - globalADMIN()); + createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), + globalADMIN()); END LOOP; - END; + end; $$; /** - Adds hs_office_debitor INSERT permission to specified role of new global rows. + Grants hs_office_debitor INSERT permission to specified role of new global rows. */ -create or replace function hs_office_debitor_global_insert_tf() +create or replace function new_hs_office_debitor_grants_insert_to_global_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), globalADMIN()); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_debitor_global_insert_tg +create trigger z_new_hs_office_debitor_grants_insert_to_global_tg after insert on global for each row -execute procedure hs_office_debitor_global_insert_tf(); +execute procedure new_hs_office_debitor_grants_insert_to_global_tf(); + + +-- ============================================================================ +--changeset hs_office_debitor-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_debitor, - where only global-admin has that permission. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_debitor. */ -create or replace function hs_office_debitor_insert_permission_missing_tf() +create or replace function hs_office_debitor_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT INSERT if global ADMIN + if isGlobalAdmin() then + return NEW; + end if; + raise exception '[403] insert into hs_office_debitor not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_debitor_insert_permission_check_tg before insert on hs_office_debitor for each row - when ( not isGlobalAdmin() ) - execute procedure hs_office_debitor_insert_permission_missing_tf(); + execute procedure hs_office_debitor_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- - call generateRbacIdentityViewFromQuery('hs_office_debitor', - $idName$ - SELECT debitor.uuid AS uuid, +call 
generateRbacIdentityViewFromQuery('hs_office_debitor', + $idName$ + SELECT debitor.uuid AS uuid, 'D-' || (SELECT partner.partnerNumber FROM hs_office_partner partner JOIN hs_office_relation partnerRel @@ -203,9 +219,10 @@ create trigger hs_office_debitor_insert_permission_check_tg WHERE debitorRel.uuid = debitor.debitorRelUuid) || debitorNumberSuffix as idName FROM hs_office_debitor AS debitor - $idName$); + $idName$); --// + -- ============================================================================ --changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql index ff2c3876..3fb20baf 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql 
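Review bot: The new `hs_office_debitor_insert_permission_check_tf` declares `superObjectUuid uuid;` but never reads it, and the comment above the admin check reads `-- check INSERT INSERT if global ADMIN` with a doubled word; since this file is generated, both look like template artifacts and the fix belongs in the generator. A comment that states the actual contract would be `-- only global ADMIN may INSERT into hs_office_debitor; every other subject falls through to the 403 below`. The same unused declaration and doubled-word comment appear in the membership hunk further down and in the partner-details hunk above (whose start is outside this view), and the unused `superObjectUuid` also survives in the coopshares and coopassets hunks. Moving the admin test from the trigger's `WHEN ( not isGlobalAdmin() )` into the function body is fail-closed in a way the old form was not: a NULL from `isGlobalAdmin()` now reaches the `raise exception`, whereas a NULL in the WHEN clause would have skipped the trigger entirely, so this shape is worth keeping.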
@@ -102,78 +102,79 @@ execute procedure insertTriggerForHsOfficeSepaMandate_tf(); -- ============================================================================ ---changeset hs-office-sepamandate-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-sepamandate-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to hs_office_relation ---------------------------- + /* - Creates INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows. + Grants INSERT INTO hs_office_sepamandate permissions to specified role of pre-existing hs_office_relation rows. */ do language plpgsql $$ declare row hs_office_relation; begin - call defineContext('create INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows'); + call defineContext('create INSERT INTO hs_office_sepamandate permissions for pre-exising hs_office_relation rows'); FOR row IN SELECT * FROM hs_office_relation - WHERE type = 'DEBITOR' + WHERE type = 'DEBITOR' LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'), - hsOfficeRelationADMIN(row)); + createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'), + hsOfficeRelationADMIN(row)); END LOOP; - END; + end; $$; /** - Adds hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows. + Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows. 
*/ -create or replace function hs_office_sepamandate_hs_office_relation_insert_tf() +create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf() returns trigger language plpgsql strict as $$ begin if NEW.type = 'DEBITOR' then - call grantPermissionToRole( + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'), hsOfficeRelationADMIN(NEW)); - end if; + end if; return NEW; end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_sepamandate_hs_office_relation_insert_tg +create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg after insert on hs_office_relation for each row -execute procedure hs_office_sepamandate_hs_office_relation_insert_tf(); +execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf(); + + +-- ============================================================================ +--changeset hs_office_sepamandate-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_sepamandate, - where the check is performed by an indirect role. - - An indirect role is a role which depends on an object uuid which is not a direct foreign key - of the source entity, but needs to be fetched via joined tables. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_sepamandate. 
*/ create or replace function hs_office_sepamandate_insert_permission_check_tf() returns trigger language plpgsql as $$ - declare - superRoleObjectUuid uuid; - + superObjectUuid uuid; begin - superRoleObjectUuid := (SELECT debitorRel.uuid - FROM hs_office_relation debitorRel - JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid - WHERE debitor.uuid = NEW.debitorUuid - ); - assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null'; - - if ( not hasInsertPermission(superRoleObjectUuid, 'hs_office_sepamandate') ) then - raise exception - '[403] insert into hs_office_sepamandate not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + -- check INSERT permission via indirect foreign key: NEW.debitorUuid + superObjectUuid := (SELECT debitorRel.uuid + FROM hs_office_relation debitorRel + JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid + WHERE debitor.uuid = NEW.debitorUuid + ); + assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL'; + if hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then + return NEW; end if; - return NEW; + + raise exception '[403] insert into hs_office_sepamandate not allowed for current subjects % (%)', + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_sepamandate_insert_permission_check_tg 
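Review bot: In `hs_office_sepamandate_insert_permission_check_tf` the only guard against a NULL `superObjectUuid` is `assert`, which PL/pgSQL skips entirely when `plpgsql.check_asserts` is off, so a sepamandate whose debitorUuid resolves to no relation would then be passed to `hasInsertPermission(NULL, ...)` and the outcome depends on that helper's NULL handling, which is not visible here. An explicit check cannot be switched off: `if superObjectUuid is null then raise exception '[403] insert into hs_office_sepamandate not allowed: no debitor relation for debitorUuid %', NEW.debitorUuid; end if;`, placed right after the assignment. Separately, in this collapsed view the new side shows `+ superObjectUuid uuid;` directly after `as $$` with the old `declare` removed and no `+declare` line, unlike the other regenerated files; if that is faithful to the patch the function will not compile, so please confirm the `declare` keyword is present in the generated output.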
@@ -182,18 +183,20 @@ create trigger hs_office_sepamandate_insert_permission_check_tg execute procedure hs_office_sepamandate_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- - call generateRbacIdentityViewFromQuery('hs_office_sepamandate', - $idName$ - select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName +call generateRbacIdentityViewFromQuery('hs_office_sepamandate', + $idName$ + select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName from hs_office_sepamandate sm join hs_office_bankaccount ba on ba.uuid = sm.bankAccountUuid - $idName$); + $idName$); --// + -- ============================================================================ --changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql index 139a2294..bc998fa3 100644 --- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql 
@@ -89,79 +89,96 @@ execute procedure insertTriggerForHsOfficeMembership_tf(); -- ============================================================================ ---changeset hs-office-membership-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to global ---------------------------- + /* - Creates INSERT INTO hs_office_membership permissions for the related global rows. + Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows. */ do language plpgsql $$ declare row global; begin - call defineContext('create INSERT INTO hs_office_membership permissions for the related global rows'); + call defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows'); FOR row IN SELECT * FROM global + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_membership'), - globalADMIN()); + createPermission(row.uuid, 'INSERT', 'hs_office_membership'), + globalADMIN()); END LOOP; - END; + end; $$; /** - Adds hs_office_membership INSERT permission to specified role of new global rows. + Grants hs_office_membership INSERT permission to specified role of new global rows. */ -create or replace function hs_office_membership_global_insert_tf() +create or replace function new_hs_office_membership_grants_insert_to_global_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'), globalADMIN()); + -- end. return NEW; end; $$; -- z_... 
is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_membership_global_insert_tg +create trigger z_new_hs_office_membership_grants_insert_to_global_tg after insert on global for each row -execute procedure hs_office_membership_global_insert_tf(); +execute procedure new_hs_office_membership_grants_insert_to_global_tf(); + + +-- ============================================================================ +--changeset hs_office_membership-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_membership, - where only global-admin has that permission. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_membership. */ -create or replace function hs_office_membership_insert_permission_missing_tf() +create or replace function hs_office_membership_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT INSERT if global ADMIN + if isGlobalAdmin() then + return NEW; + end if; + raise exception '[403] insert into hs_office_membership not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_membership_insert_permission_check_tg before insert on hs_office_membership for each row - when ( not isGlobalAdmin() ) - execute procedure hs_office_membership_insert_permission_missing_tf(); + execute procedure hs_office_membership_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- - call generateRbacIdentityViewFromQuery('hs_office_membership', - 
$idName$ - SELECT m.uuid AS uuid, +call generateRbacIdentityViewFromQuery('hs_office_membership', + $idName$ + SELECT m.uuid AS uuid, 'M-' || p.partnerNumber || m.memberNumberSuffix as idName FROM hs_office_membership AS m JOIN hs_office_partner AS p ON p.uuid = m.partnerUuid - $idName$); + $idName$); --// + -- ============================================================================ --changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql index 0d95175e..1270fd69 100644 --- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql 
@@ -65,68 +65,82 @@ execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf(); -- ============================================================================ ---changeset hs-office-coopsharestransaction-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-coopsharestransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to hs_office_membership ---------------------------- + /* - Creates INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows. + Grants INSERT INTO hs_office_coopsharestransaction permissions to specified role of pre-existing hs_office_membership rows. */ do language plpgsql $$ declare row hs_office_membership; begin - call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows'); + call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for pre-exising hs_office_membership rows'); FOR row IN SELECT * FROM hs_office_membership + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'), - hsOfficeMembershipADMIN(row)); + createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'), + hsOfficeMembershipADMIN(row)); END LOOP; - END; + end; $$; /** - Adds hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows. + Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows. 
*/ -create or replace function hs_office_coopsharestransaction_hs_office_membership_insert_tf() +create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'), hsOfficeMembershipADMIN(NEW)); + -- end. return NEW; end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_coopsharestransaction_hs_office_membership_insert_tg +create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg after insert on hs_office_membership for each row -execute procedure hs_office_coopsharestransaction_hs_office_membership_insert_tf(); +execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf(); + + +-- ============================================================================ +--changeset hs_office_coopsharestransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_coopsharestransaction, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopsharestransaction. 
*/ -create or replace function hs_office_coopsharestransaction_insert_permission_missing_tf() +create or replace function hs_office_coopsharestransaction_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT permission via direct foreign key: NEW.membershipUuid + if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then + return NEW; + end if; + raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_coopsharestransaction_insert_permission_check_tg before insert on hs_office_coopsharestransaction for each row - when ( not hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') ) - execute procedure hs_office_coopsharestransaction_insert_permission_missing_tf(); + execute procedure hs_office_coopsharestransaction_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- @@ -137,6 +151,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction', $idName$); --// + -- ============================================================================ --changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql index 6c09c109..ce9926b2 100644 --- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql 
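Review bot: The new body of `hs_office_coopsharestransaction_insert_permission_check_tf` silently changes what happens when `hasInsertPermission()` yields NULL, and that deserves a comment: the removed `WHEN ( not hasInsertPermission(...) )` would not have fired the trigger on NULL (insert allowed), while `if hasInsertPermission(...) then return NEW; end if;` followed by the unconditional `raise exception` now rejects it. Suggested comment above the `if`: `-- anything but TRUE from hasInsertPermission() (including NULL, e.g. presumably for a NULL membershipUuid) ends in the 403 below`. The coopassets hunk below has the identical structure and should carry the same comment.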
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql 
@@ -65,68 +65,82 @@ execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf(); -- ============================================================================ ---changeset hs-office-coopassetstransaction-rbac-INSERT:1 endDelimiter:--// +--changeset hs-office-coopassetstransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +-- granting INSERT permission to hs_office_membership ---------------------------- + /* - Creates INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows. + Grants INSERT INTO hs_office_coopassetstransaction permissions to specified role of pre-existing hs_office_membership rows. */ do language plpgsql $$ declare row hs_office_membership; begin - call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows'); + call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for pre-exising hs_office_membership rows'); FOR row IN SELECT * FROM hs_office_membership + -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'), - hsOfficeMembershipADMIN(row)); + createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'), + hsOfficeMembershipADMIN(row)); END LOOP; - END; + end; $$; /** - Adds hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows. + Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows. 
*/ -create or replace function hs_office_coopassetstransaction_hs_office_membership_insert_tf() +create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf() returns trigger language plpgsql strict as $$ begin - call grantPermissionToRole( + -- unconditional for all rows in that table + call grantPermissionToRole( createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'), hsOfficeMembershipADMIN(NEW)); + -- end. return NEW; end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist -create trigger z_hs_office_coopassetstransaction_hs_office_membership_insert_tg +create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg after insert on hs_office_membership for each row -execute procedure hs_office_coopassetstransaction_hs_office_membership_insert_tf(); +execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf(); + + +-- ============================================================================ +--changeset hs_office_coopassetstransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- /** - Checks if the user or assumed roles are allowed to insert a row to hs_office_coopassetstransaction, - where the check is performed by a direct role. - - A direct role is a role depending on a foreign key directly available in the NEW row. + Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopassetstransaction. 
*/ -create or replace function hs_office_coopassetstransaction_insert_permission_missing_tf() +create or replace function hs_office_coopassetstransaction_insert_permission_check_tf() returns trigger language plpgsql as $$ +declare + superObjectUuid uuid; begin + -- check INSERT permission via direct foreign key: NEW.membershipUuid + if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then + return NEW; + end if; + raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + currentSubjects(), currentSubjectsUuids(); end; $$; create trigger hs_office_coopassetstransaction_insert_permission_check_tg before insert on hs_office_coopassetstransaction for each row - when ( not hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') ) - execute procedure hs_office_coopassetstransaction_insert_permission_missing_tf(); + execute procedure hs_office_coopassetstransaction_insert_permission_check_tf(); --// + -- ============================================================================ --changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- @@ -137,6 +151,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction', $idName$); --// + -- ============================================================================ --changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ----------------------------------------------------------------------------