re-generated all RBAC.sql

src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql

@@ -77,66 +77,82 @@ execute procedure insertTriggerForTestCustomer_tf();
 
 
 -- ============================================================================
---changeset test-customer-rbac-INSERT:1 endDelimiter:--//
+--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to global ----------------------------
+
 /*
-    Creates INSERT INTO test_customer permissions for the related global rows.
+    Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows.
  */
 do language plpgsql $$
     declare
         row global;
     begin
-        call defineContext('create INSERT INTO test_customer permissions for the related global rows');
+        call defineContext('create INSERT INTO test_customer permissions for pre-exising global rows');
 
         FOR row IN SELECT * FROM global
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'test_customer'),
+                        createPermission(row.uuid, 'INSERT', 'test_customer'),
-                    globalADMIN());
+                        globalADMIN());
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds test_customer INSERT permission to specified role of new global rows.
+    Grants test_customer INSERT permission to specified role of new global rows.
 */
-create or replace function test_customer_global_insert_tf()
+create or replace function new_test_customer_grants_insert_to_global_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'test_customer'),
             globalADMIN());
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_test_customer_global_insert_tg
+create trigger z_new_test_customer_grants_insert_to_global_tg
     after insert on global
     for each row
-execute procedure test_customer_global_insert_tf();
+execute procedure new_test_customer_grants_insert_to_global_tf();
+
+
+-- ============================================================================
+--changeset test_customer-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to test_customer,
+    Checks if the user respectively the assumed roles are allowed to insert a row to test_customer.
-    where only global-admin has that permission.
 */
-create or replace function test_customer_insert_permission_missing_tf()
+create or replace function test_customer_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT INSERT if global ADMIN
+    if isGlobalAdmin() then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger test_customer_insert_permission_check_tg
     before insert on test_customer
     for each row
-    when ( not isGlobalAdmin() )
+        execute procedure test_customer_insert_permission_check_tf();
-        execute procedure test_customer_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -147,6 +163,7 @@ call generateRbacIdentityViewFromProjection('test_customer',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql

@@ -142,68 +142,82 @@ execute procedure updateTriggerForTestPackage_tf();
 
 
 -- ============================================================================
---changeset test-package-rbac-INSERT:1 endDelimiter:--//
+--changeset test-package-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to test_customer ----------------------------
+
 /*
-    Creates INSERT INTO test_package permissions for the related test_customer rows.
+    Grants INSERT INTO test_package permissions to specified role of pre-existing test_customer rows.
  */
 do language plpgsql $$
     declare
         row test_customer;
     begin
-        call defineContext('create INSERT INTO test_package permissions for the related test_customer rows');
+        call defineContext('create INSERT INTO test_package permissions for pre-exising test_customer rows');
 
         FOR row IN SELECT * FROM test_customer
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'test_package'),
+                        createPermission(row.uuid, 'INSERT', 'test_package'),
-                    testCustomerADMIN(row));
+                        testCustomerADMIN(row));
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds test_package INSERT permission to specified role of new test_customer rows.
+    Grants test_package INSERT permission to specified role of new test_customer rows.
 */
-create or replace function test_package_test_customer_insert_tf()
+create or replace function new_test_package_grants_insert_to_test_customer_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'test_package'),
             testCustomerADMIN(NEW));
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_test_package_test_customer_insert_tg
+create trigger z_new_test_package_grants_insert_to_test_customer_tg
     after insert on test_customer
     for each row
-execute procedure test_package_test_customer_insert_tf();
+execute procedure new_test_package_grants_insert_to_test_customer_tf();
+
+
+-- ============================================================================
+--changeset test_package-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to test_package,
+    Checks if the user respectively the assumed roles are allowed to insert a row to test_package.
-    where the check is performed by a direct role.
-
-    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
-create or replace function test_package_insert_permission_missing_tf()
+create or replace function test_package_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT permission via direct foreign key: NEW.customerUuid
+    if hasInsertPermission(NEW.customerUuid, 'test_package') then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into test_package not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger test_package_insert_permission_check_tg
     before insert on test_package
     for each row
-    when ( not hasInsertPermission(NEW.customerUuid, 'test_package') )
+        execute procedure test_package_insert_permission_check_tf();
-        execute procedure test_package_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -214,6 +228,7 @@ call generateRbacIdentityViewFromProjection('test_package',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql

@@ -141,68 +141,82 @@ execute procedure updateTriggerForTestDomain_tf();
 
 
 -- ============================================================================
---changeset test-domain-rbac-INSERT:1 endDelimiter:--//
+--changeset test-domain-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to test_package ----------------------------
+
 /*
-    Creates INSERT INTO test_domain permissions for the related test_package rows.
+    Grants INSERT INTO test_domain permissions to specified role of pre-existing test_package rows.
  */
 do language plpgsql $$
     declare
         row test_package;
     begin
-        call defineContext('create INSERT INTO test_domain permissions for the related test_package rows');
+        call defineContext('create INSERT INTO test_domain permissions for pre-exising test_package rows');
 
         FOR row IN SELECT * FROM test_package
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'test_domain'),
+                        createPermission(row.uuid, 'INSERT', 'test_domain'),
-                    testPackageADMIN(row));
+                        testPackageADMIN(row));
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds test_domain INSERT permission to specified role of new test_package rows.
+    Grants test_domain INSERT permission to specified role of new test_package rows.
 */
-create or replace function test_domain_test_package_insert_tf()
+create or replace function new_test_domain_grants_insert_to_test_package_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'test_domain'),
             testPackageADMIN(NEW));
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_test_domain_test_package_insert_tg
+create trigger z_new_test_domain_grants_insert_to_test_package_tg
     after insert on test_package
     for each row
-execute procedure test_domain_test_package_insert_tf();
+execute procedure new_test_domain_grants_insert_to_test_package_tf();
+
+
+-- ============================================================================
+--changeset test_domain-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to test_domain,
+    Checks if the user respectively the assumed roles are allowed to insert a row to test_domain.
-    where the check is performed by a direct role.
-
-    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
-create or replace function test_domain_insert_permission_missing_tf()
+create or replace function test_domain_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT permission via direct foreign key: NEW.packageUuid
+    if hasInsertPermission(NEW.packageUuid, 'test_domain') then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into test_domain not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger test_domain_insert_permission_check_tg
     before insert on test_domain
     for each row
-    when ( not hasInsertPermission(NEW.packageUuid, 'test_domain') )
+        execute procedure test_domain_insert_permission_check_tf();
-        execute procedure test_domain_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -213,6 +227,7 @@ call generateRbacIdentityViewFromProjection('test_domain',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql

@@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficeContact_tf();
 --//
 
 
--- ============================================================================
---changeset hs-office-contact-rbac-INSERT:1 endDelimiter:--//
--- ----------------------------------------------------------------------------
-
-/*
-    Creates INSERT INTO hs_office_contact permissions for the related global rows.
- */
-do language plpgsql $$
-    declare
-        row global;
-    begin
-        call defineContext('create INSERT INTO hs_office_contact permissions for the related global rows');
-
-        FOR row IN SELECT * FROM global
-            LOOP
-                call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_contact'),
-                    globalGUEST());
-            END LOOP;
-    END;
-$$;
-
-/**
-    Adds hs_office_contact INSERT permission to specified role of new global rows.
-*/
-create or replace function hs_office_contact_global_insert_tf()
-    returns trigger
-    language plpgsql
-    strict as $$
-begin
-    call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_contact'),
-            globalGUEST());
-    return NEW;
-end; $$;
-
--- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_contact_global_insert_tg
-    after insert on global
-    for each row
-execute procedure hs_office_contact_global_insert_tf();
---//
-
 -- ============================================================================
 --changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_contact',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql

@@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficePerson_tf();
 --//
 
 
--- ============================================================================
---changeset hs-office-person-rbac-INSERT:1 endDelimiter:--//
--- ----------------------------------------------------------------------------
-
-/*
-    Creates INSERT INTO hs_office_person permissions for the related global rows.
- */
-do language plpgsql $$
-    declare
-        row global;
-    begin
-        call defineContext('create INSERT INTO hs_office_person permissions for the related global rows');
-
-        FOR row IN SELECT * FROM global
-            LOOP
-                call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_person'),
-                    globalGUEST());
-            END LOOP;
-    END;
-$$;
-
-/**
-    Adds hs_office_person INSERT permission to specified role of new global rows.
-*/
-create or replace function hs_office_person_global_insert_tf()
-    returns trigger
-    language plpgsql
-    strict as $$
-begin
-    call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_person'),
-            globalGUEST());
-    return NEW;
-end; $$;
-
--- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_person_global_insert_tg
-    after insert on global
-    for each row
-execute procedure hs_office_person_global_insert_tf();
---//
-
 -- ============================================================================
 --changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_person',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql

@@ -151,68 +151,82 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
 
 
 -- ============================================================================
---changeset hs-office-relation-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-relation-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to hs_office_person ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_relation permissions for the related hs_office_person rows.
+    Grants INSERT INTO hs_office_relation permissions to specified role of pre-existing hs_office_person rows.
  */
 do language plpgsql $$
     declare
         row hs_office_person;
     begin
-        call defineContext('create INSERT INTO hs_office_relation permissions for the related hs_office_person rows');
+        call defineContext('create INSERT INTO hs_office_relation permissions for pre-exising hs_office_person rows');
 
         FOR row IN SELECT * FROM hs_office_person
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
-                    hsOfficePersonADMIN(row));
+                        hsOfficePersonADMIN(row));
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_relation INSERT permission to specified role of new hs_office_person rows.
+    Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
 */
-create or replace function hs_office_relation_hs_office_person_insert_tf()
+create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
             hsOfficePersonADMIN(NEW));
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_relation_hs_office_person_insert_tg
+create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
     after insert on hs_office_person
     for each row
-execute procedure hs_office_relation_hs_office_person_insert_tf();
+execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
+
+
+-- ============================================================================
+--changeset hs_office_relation-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_relation,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_relation.
-    where the check is performed by a direct role.
-
-    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
-create or replace function hs_office_relation_insert_permission_missing_tf()
+create or replace function hs_office_relation_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT permission via direct foreign key: NEW.anchorUuid
+    if hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_relation_insert_permission_check_tg
     before insert on hs_office_relation
     for each row
-    when ( not hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') )
+        execute procedure hs_office_relation_insert_permission_check_tf();
-        execute procedure hs_office_relation_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -225,6 +239,7 @@ call generateRbacIdentityViewFromProjection('hs_office_relation',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql

@@ -154,66 +154,82 @@ execute procedure updateTriggerForHsOfficePartner_tf();
 
 
 -- ============================================================================
---changeset hs-office-partner-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to global ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_partner permissions for the related global rows.
+    Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows.
  */
 do language plpgsql $$
     declare
         row global;
     begin
-        call defineContext('create INSERT INTO hs_office_partner permissions for the related global rows');
+        call defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows');
 
         FOR row IN SELECT * FROM global
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
-                    globalADMIN());
+                        globalADMIN());
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_partner INSERT permission to specified role of new global rows.
+    Grants hs_office_partner INSERT permission to specified role of new global rows.
 */
-create or replace function hs_office_partner_global_insert_tf()
+create or replace function new_hs_office_partner_grants_insert_to_global_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
             globalADMIN());
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_partner_global_insert_tg
+create trigger z_new_hs_office_partner_grants_insert_to_global_tg
     after insert on global
     for each row
-execute procedure hs_office_partner_global_insert_tf();
+execute procedure new_hs_office_partner_grants_insert_to_global_tf();
+
+
+-- ============================================================================
+--changeset hs_office_partner-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_partner,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_partner.
-    where only global-admin has that permission.
 */
-create or replace function hs_office_partner_insert_permission_missing_tf()
+create or replace function hs_office_partner_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT INSERT if global ADMIN
+    if isGlobalAdmin() then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_partner not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_partner_insert_permission_check_tg
     before insert on hs_office_partner
     for each row
-    when ( not isGlobalAdmin() )
+        execute procedure hs_office_partner_insert_permission_check_tf();
-        execute procedure hs_office_partner_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -224,6 +240,7 @@ call generateRbacIdentityViewFromProjection('hs_office_partner',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql

@@ -58,79 +58,96 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
 
 
 -- ============================================================================
---changeset hs-office-partner-details-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to global ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_partner_details permissions for the related global rows.
+    Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows.
  */
 do language plpgsql $$
     declare
         row global;
     begin
-        call defineContext('create INSERT INTO hs_office_partner_details permissions for the related global rows');
+        call defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
 
         FOR row IN SELECT * FROM global
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
-                    globalADMIN());
+                        globalADMIN());
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_partner_details INSERT permission to specified role of new global rows.
+    Grants hs_office_partner_details INSERT permission to specified role of new global rows.
 */
-create or replace function hs_office_partner_details_global_insert_tf()
+create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
             globalADMIN());
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_partner_details_global_insert_tg
+create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
     after insert on global
     for each row
-execute procedure hs_office_partner_details_global_insert_tf();
+execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
+
+
+-- ============================================================================
+--changeset hs_office_partner_details-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_partner_details,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_partner_details.
-    where only global-admin has that permission.
 */
-create or replace function hs_office_partner_details_insert_permission_missing_tf()
+create or replace function hs_office_partner_details_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT INSERT if global ADMIN
+    if isGlobalAdmin() then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_partner_details_insert_permission_check_tg
     before insert on hs_office_partner_details
     for each row
-    when ( not isGlobalAdmin() )
+        execute procedure hs_office_partner_details_insert_permission_check_tf();
-        execute procedure hs_office_partner_details_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_partner_details',
+call generateRbacIdentityViewFromQuery('hs_office_partner_details',
-        $idName$
+    $idName$
-            SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
+        SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
             FROM hs_office_partner_details AS partnerDetails
             JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid
             JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid
-        $idName$);
+    $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql

@@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf();
 --//
 
 
--- ============================================================================
---changeset hs-office-bankaccount-rbac-INSERT:1 endDelimiter:--//
--- ----------------------------------------------------------------------------
-
-/*
-    Creates INSERT INTO hs_office_bankaccount permissions for the related global rows.
- */
-do language plpgsql $$
-    declare
-        row global;
-    begin
-        call defineContext('create INSERT INTO hs_office_bankaccount permissions for the related global rows');
-
-        FOR row IN SELECT * FROM global
-            LOOP
-                call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_bankaccount'),
-                    globalGUEST());
-            END LOOP;
-    END;
-$$;
-
-/**
-    Adds hs_office_bankaccount INSERT permission to specified role of new global rows.
-*/
-create or replace function hs_office_bankaccount_global_insert_tf()
-    returns trigger
-    language plpgsql
-    strict as $$
-begin
-    call grantPermissionToRole(
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_bankaccount'),
-            globalGUEST());
-    return NEW;
-end; $$;
-
--- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_bankaccount_global_insert_tg
-    after insert on global
-    for each row
-execute procedure hs_office_bankaccount_global_insert_tf();
---//
-
 -- ============================================================================
 --changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql

@@ -127,73 +127,89 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
 
 
 -- ============================================================================
---changeset hs-office-debitor-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to global ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_debitor permissions for the related global rows.
+    Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows.
  */
 do language plpgsql $$
     declare
         row global;
     begin
-        call defineContext('create INSERT INTO hs_office_debitor permissions for the related global rows');
+        call defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows');
 
         FOR row IN SELECT * FROM global
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
-                    globalADMIN());
+                        globalADMIN());
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_debitor INSERT permission to specified role of new global rows.
+    Grants hs_office_debitor INSERT permission to specified role of new global rows.
 */
-create or replace function hs_office_debitor_global_insert_tf()
+create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
             globalADMIN());
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_debitor_global_insert_tg
+create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
     after insert on global
     for each row
-execute procedure hs_office_debitor_global_insert_tf();
+execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
+
+
+-- ============================================================================
+--changeset hs_office_debitor-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_debitor,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_debitor.
-    where only global-admin has that permission.
 */
-create or replace function hs_office_debitor_insert_permission_missing_tf()
+create or replace function hs_office_debitor_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT INSERT if global ADMIN
+    if isGlobalAdmin() then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_debitor not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_debitor_insert_permission_check_tg
     before insert on hs_office_debitor
     for each row
-    when ( not isGlobalAdmin() )
+        execute procedure hs_office_debitor_insert_permission_check_tf();
-        execute procedure hs_office_debitor_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_debitor',
+call generateRbacIdentityViewFromQuery('hs_office_debitor',
-        $idName$
+    $idName$
-            SELECT debitor.uuid AS uuid,
+        SELECT debitor.uuid AS uuid,
                     'D-' || (SELECT partner.partnerNumber
                             FROM hs_office_partner partner
                             JOIN hs_office_relation partnerRel
@@ -203,9 +219,10 @@ create trigger hs_office_debitor_insert_permission_check_tg
                             WHERE debitorRel.uuid = debitor.debitorRelUuid)
                          || debitorNumberSuffix as idName
         FROM hs_office_debitor AS debitor
-        $idName$);
+    $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql

@@ -102,78 +102,79 @@ execute procedure insertTriggerForHsOfficeSepaMandate_tf();
 
 
 -- ============================================================================
---changeset hs-office-sepamandate-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-sepamandate-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to hs_office_relation ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows.
+    Grants INSERT INTO hs_office_sepamandate permissions to specified role of pre-existing hs_office_relation rows.
  */
 do language plpgsql $$
     declare
         row hs_office_relation;
     begin
-        call defineContext('create INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows');
+        call defineContext('create INSERT INTO hs_office_sepamandate permissions for pre-exising hs_office_relation rows');
 
         FOR row IN SELECT * FROM hs_office_relation
-			WHERE type = 'DEBITOR'
+            WHERE type = 'DEBITOR'
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
-                    hsOfficeRelationADMIN(row));
+                        hsOfficeRelationADMIN(row));
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
+    Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
 */
-create or replace function hs_office_sepamandate_hs_office_relation_insert_tf()
+create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
     if NEW.type = 'DEBITOR' then
-		call grantPermissionToRole(
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
             hsOfficeRelationADMIN(NEW));
-	end if;
+    end if;
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_sepamandate_hs_office_relation_insert_tg
+create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
     after insert on hs_office_relation
     for each row
-execute procedure hs_office_sepamandate_hs_office_relation_insert_tf();
+execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
+
+
+-- ============================================================================
+--changeset hs_office_sepamandate-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_sepamandate,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_sepamandate.
-    where the check is performed by an indirect role.
-
-    An indirect role is a role which depends on an object uuid which is not a direct foreign key
-    of the source entity, but needs to be fetched via joined tables.
 */
 create or replace function hs_office_sepamandate_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
-
 declare
-    superRoleObjectUuid uuid;
+    superObjectUuid uuid;
-
 begin
-        superRoleObjectUuid := (SELECT debitorRel.uuid
+    -- check INSERT permission via indirect foreign key: NEW.debitorUuid
-            FROM hs_office_relation debitorRel
+    superObjectUuid := (SELECT debitorRel.uuid
-            JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
+        FROM hs_office_relation debitorRel
-            WHERE debitor.uuid = NEW.debitorUuid
+        JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
-        );
+        WHERE debitor.uuid = NEW.debitorUuid
-        assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
+    );
-
+    assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL';
-        if ( not hasInsertPermission(superRoleObjectUuid, 'hs_office_sepamandate') ) then
+    if hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
-            raise exception
+        return NEW;
-                '[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
-                currentSubjects(), currentSubjectsUuids();
     end if;
-    return NEW;
+
+    raise exception '[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_sepamandate_insert_permission_check_tg
@@ -182,18 +183,20 @@ create trigger hs_office_sepamandate_insert_permission_check_tg
         execute procedure hs_office_sepamandate_insert_permission_check_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
+call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
-        $idName$
+    $idName$
-            select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
+        select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
             from hs_office_sepamandate sm
             join hs_office_bankaccount ba on ba.uuid = sm.bankAccountUuid
-        $idName$);
+    $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql

@@ -89,79 +89,96 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
 
 
 -- ============================================================================
---changeset hs-office-membership-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to global ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_membership permissions for the related global rows.
+    Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows.
  */
 do language plpgsql $$
     declare
         row global;
     begin
-        call defineContext('create INSERT INTO hs_office_membership permissions for the related global rows');
+        call defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows');
 
         FOR row IN SELECT * FROM global
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
-                    globalADMIN());
+                        globalADMIN());
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_membership INSERT permission to specified role of new global rows.
+    Grants hs_office_membership INSERT permission to specified role of new global rows.
 */
-create or replace function hs_office_membership_global_insert_tf()
+create or replace function new_hs_office_membership_grants_insert_to_global_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
             globalADMIN());
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_membership_global_insert_tg
+create trigger z_new_hs_office_membership_grants_insert_to_global_tg
     after insert on global
     for each row
-execute procedure hs_office_membership_global_insert_tf();
+execute procedure new_hs_office_membership_grants_insert_to_global_tf();
+
+
+-- ============================================================================
+--changeset hs_office_membership-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_membership,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_membership.
-    where only global-admin has that permission.
 */
-create or replace function hs_office_membership_insert_permission_missing_tf()
+create or replace function hs_office_membership_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT INSERT if global ADMIN
+    if isGlobalAdmin() then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_membership not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_membership_insert_permission_check_tg
     before insert on hs_office_membership
     for each row
-    when ( not isGlobalAdmin() )
+        execute procedure hs_office_membership_insert_permission_check_tf();
-        execute procedure hs_office_membership_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-    call generateRbacIdentityViewFromQuery('hs_office_membership',
+call generateRbacIdentityViewFromQuery('hs_office_membership',
-        $idName$
+    $idName$
-            SELECT m.uuid AS uuid,
+        SELECT m.uuid AS uuid,
                 'M-' || p.partnerNumber || m.memberNumberSuffix as idName
         FROM hs_office_membership AS m
         JOIN hs_office_partner AS p ON p.uuid = m.partnerUuid
-        $idName$);
+    $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql

@@ -65,68 +65,82 @@ execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf();
 
 
 -- ============================================================================
---changeset hs-office-coopsharestransaction-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-coopsharestransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to hs_office_membership ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows.
+    Grants INSERT INTO hs_office_coopsharestransaction permissions to specified role of pre-existing hs_office_membership rows.
  */
 do language plpgsql $$
     declare
         row hs_office_membership;
     begin
-        call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows');
+        call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for pre-exising hs_office_membership rows');
 
         FOR row IN SELECT * FROM hs_office_membership
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
-                    hsOfficeMembershipADMIN(row));
+                        hsOfficeMembershipADMIN(row));
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
+    Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
 */
-create or replace function hs_office_coopsharestransaction_hs_office_membership_insert_tf()
+create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
             hsOfficeMembershipADMIN(NEW));
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_coopsharestransaction_hs_office_membership_insert_tg
+create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
     after insert on hs_office_membership
     for each row
-execute procedure hs_office_coopsharestransaction_hs_office_membership_insert_tf();
+execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
+
+
+-- ============================================================================
+--changeset hs_office_coopsharestransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_coopsharestransaction,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopsharestransaction.
-    where the check is performed by a direct role.
-
-    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
-create or replace function hs_office_coopsharestransaction_insert_permission_missing_tf()
+create or replace function hs_office_coopsharestransaction_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT permission via direct foreign key: NEW.membershipUuid
+    if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_coopsharestransaction_insert_permission_check_tg
     before insert on hs_office_coopsharestransaction
     for each row
-    when ( not hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') )
+        execute procedure hs_office_coopsharestransaction_insert_permission_check_tf();
-        execute procedure hs_office_coopsharestransaction_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -137,6 +151,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------

src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql

@@ -65,68 +65,82 @@ execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf();
 
 
 -- ============================================================================
---changeset hs-office-coopassetstransaction-rbac-INSERT:1 endDelimiter:--//
+--changeset hs-office-coopassetstransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
+-- granting INSERT permission to hs_office_membership ----------------------------
+
 /*
-    Creates INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows.
+    Grants INSERT INTO hs_office_coopassetstransaction permissions to specified role of pre-existing hs_office_membership rows.
  */
 do language plpgsql $$
     declare
         row hs_office_membership;
     begin
-        call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows');
+        call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for pre-exising hs_office_membership rows');
 
         FOR row IN SELECT * FROM hs_office_membership
+            -- unconditional for all rows in that table
             LOOP
                 call grantPermissionToRole(
-                    createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+                        createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
-                    hsOfficeMembershipADMIN(row));
+                        hsOfficeMembershipADMIN(row));
             END LOOP;
-    END;
+    end;
 $$;
 
 /**
-    Adds hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
+    Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
 */
-create or replace function hs_office_coopassetstransaction_hs_office_membership_insert_tf()
+create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
     returns trigger
     language plpgsql
     strict as $$
 begin
-    call grantPermissionToRole(
+    -- unconditional for all rows in that table
+        call grantPermissionToRole(
             createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
             hsOfficeMembershipADMIN(NEW));
+    -- end.
     return NEW;
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_hs_office_coopassetstransaction_hs_office_membership_insert_tg
+create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
     after insert on hs_office_membership
     for each row
-execute procedure hs_office_coopassetstransaction_hs_office_membership_insert_tf();
+execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
+
+
+-- ============================================================================
+--changeset hs_office_coopassetstransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
 
 /**
-    Checks if the user or assumed roles are allowed to insert a row to hs_office_coopassetstransaction,
+    Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopassetstransaction.
-    where the check is performed by a direct role.
-
-    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
-create or replace function hs_office_coopassetstransaction_insert_permission_missing_tf()
+create or replace function hs_office_coopassetstransaction_insert_permission_check_tf()
     returns trigger
     language plpgsql as $$
+declare
+    superObjectUuid uuid;
 begin
+    -- check INSERT permission via direct foreign key: NEW.membershipUuid
+    if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
+        return NEW;
+    end if;
+
     raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+            currentSubjects(), currentSubjectsUuids();
 end; $$;
 
 create trigger hs_office_coopassetstransaction_insert_permission_check_tg
     before insert on hs_office_coopassetstransaction
     for each row
-    when ( not hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') )
+        execute procedure hs_office_coopassetstransaction_insert_permission_check_tf();
-        execute procedure hs_office_coopassetstransaction_insert_permission_missing_tf();
 --//
 
+
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
@@ -137,6 +151,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
     $idName$);
 --//
 
+
 -- ============================================================================
 --changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------