From 5166bb5fc920e294f4bab7d4ba1dc205bdd6904d Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 14 Sep 2024 07:07:54 +0200 Subject: [PATCH] rbac.RbacOp, rbac.RoleDescriptor, rbac.roleDescriptorOf and functions --- doc/rbac.md | 2 +- .../db/changelog/1-rbac/1050-rbac-base.sql | 65 +++++++++++-------- .../db/changelog/1-rbac/1055-rbac-views.sql | 8 +-- .../1-rbac/1057-rbac-role-builder.sql | 14 ++-- .../changelog/1-rbac/1058-rbac-generators.sql | 12 ++-- .../db/changelog/1-rbac/1080-rbac-global.sql | 22 +++---- .../2013-test-customer-rbac.sql | 4 +- .../2018-test-customer-test-data.sql | 4 +- .../2023-test-package-rbac.sql | 4 +- .../2028-test-package-test-data.sql | 4 +- .../203-test-domain/2033-test-domain-rbac.sql | 4 +- .../5033-hs-office-relation-rbac.sql | 4 +- .../5043-hs-office-partner-rbac.sql | 28 ++++---- .../5044-hs-office-partner-details-rbac.sql | 4 +- .../5063-hs-office-debitor-rbac.sql | 10 +-- .../5073-hs-office-sepamandate-rbac.sql | 4 +- .../5103-hs-office-membership-rbac.sql | 4 +- .../5113-hs-office-coopshares-rbac.sql | 8 +-- .../5123-hs-office-coopassets-rbac.sql | 8 +-- .../6203-hs-booking-project-rbac.sql | 6 +- .../6203-hs-booking-item-rbac.sql | 12 ++-- .../6303-hs-booking-item-rbac.sql | 12 ++-- 22 files changed, 126 insertions(+), 117 deletions(-) diff --git a/doc/rbac.md b/doc/rbac.md index f859e2e1..d98669ba 100644 --- a/doc/rbac.md +++ b/doc/rbac.md @@ -606,7 +606,7 @@ We have tested two variants of the query for the restricted view, both utilizing a PostgreSQL function like this: FUNCTION queryAccessibleObjectUuidsOfSubjectIds( - requiredOp RbacOp, + requiredOp rbac.RbacOp, forObjectTable varchar, subjectIds uuid[], maxObjects integer = 16000) diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql index 4e47f302..3e894841 100644 --- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql 
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql @@ -156,6 +156,7 @@ begin end if; return old; end; $$; +--// -- ============================================================================ @@ -166,13 +167,19 @@ create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST', create table rbac.role ( - uuid uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred + uuid uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred objectUuid uuid not null references rbac.object (uuid) initially deferred, roleType rbac.RoleType not null, unique (objectUuid, roleType) ); call base.create_journal('rbac.role'); +--// + + +-- ============================================================================ +--changeset rbac-base-ROLE-DESCRIPTOR:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- create type rbac.RoleDescriptor as ( @@ -196,8 +203,7 @@ create or replace function rbac.unassumed() select false; $$; - -create or replace function roleDescriptor( +create or replace function rbac.roleDescriptorOf( objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType, assumed boolean = true) -- just for DSL readability, belongs actually to the grant returns rbac.RoleDescriptor @@ -207,7 +213,7 @@ create or replace function roleDescriptor( select objectTable, objectUuid, roleType::rbac.RoleType, assumed; $$; -create or replace function createRole(roleDescriptor rbac.RoleDescriptor) +create or replace function rbac.createRole(roleDescriptor rbac.RoleDescriptor) returns uuid returns null on null input language plpgsql as $$ 
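Review bot: Carving the new changesets `rbac-base-ROLE-DESCRIPTOR:1` (this hunk) and `rbac-base-ROLE-FUNCTIONS:1` (the next hunk in this file) out of an already existing changeset, whose header lies outside the hunk, changes that changeset's checksum and introduces ids Liquibase has not recorded, so on a database that already applied the old changelog validation would presumably fail and the new changesets would attempt `create type rbac.RoleDescriptor` a second time. The same applies to the renamed ids in 1080-rbac-global.sql (`rbac-global-HAS-GLOBAL-PERMISSION:1`, `rbac-global-PSEUDO-OBJECT:1`, `rbac-global-ADMIN-ROLE:1`, `rbac-global-GUEST-ROLE:1`, `rbac-global-ADMIN-USERS:1`, `rbac-global-TEST:1`), where `rbac-global-ADMIN-USERS:1` would re-run the creation of the superuser subjects. If every environment rebuilds the schema from scratch this is moot, but that assumption deserves to be stated; a line such as `-- NOTE: split out of the ROLE changeset; requires a fresh database (checksums changed)` above the new changeset header would document it.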
@@ -224,9 +230,14 @@ begin return referenceId; end; $$; +--// -create or replace procedure deleteRole(roleUUid uuid) +-- ============================================================================ +--changeset rbac-base-ROLE-FUNCTIONS:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- + +create or replace procedure rbac.deleteRole(roleUUid uuid) language plpgsql as $$ begin --raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid; @@ -234,7 +245,7 @@ begin end; $$; -create or replace function findRoleId(roleIdName varchar) +create or replace function rbac.findRoleId(roleIdName varchar) returns uuid returns null on null input language plpgsql as $$ @@ -246,7 +257,7 @@ declare objectUuidOfRole uuid; roleUuid uuid; begin - -- TODO.refa: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences + -- TODO.refa: extract function rbac.toRoleDescriptor(roleIdName varchar) + find other occurrences roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':')); objectTableFromRoleIdName = split_part(roleParts, '#', 1); objectNameFromRoleIdName = split_part(roleParts, '#', 2); @@ -261,14 +272,14 @@ begin return roleUuid; end; $$; -create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor) +create or replace function rbac.findRoleId(roleDescriptor rbac.RoleDescriptor) returns uuid returns null on null input language sql as $$ select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType; $$; -create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor) +create or replace function rbac.getRoleId(roleDescriptor rbac.RoleDescriptor) returns uuid language plpgsql as $$ declare 
@@ -276,13 +287,14 @@ declare begin assert roleDescriptor is not null, 'roleDescriptor must not be null'; - roleUuid := findRoleId(roleDescriptor); + roleUuid := rbac.findRoleId(roleDescriptor); if (roleUuid is null) then raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType; end if; return roleUuid; end; $$; +--// -- ============================================================================ @@ -351,10 +363,7 @@ create trigger delete_roles_of_object_tg -- ============================================================================ --changeset rbac-base-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -/* - - */ -create domain RbacOp as varchar(6) +create domain rbac.RbacOp as varchar(6) check ( VALUE = 'DELETE' or VALUE = 'UPDATE' @@ -367,7 +376,7 @@ create table rbac.permission ( uuid uuid primary key references rbac.reference (uuid) on delete cascade, objectUuid uuid not null references rbac.object, - op RbacOp not null, + op rbac.RbacOp not null, opTableName varchar(60) ); -- TODO.perf: check if these indexes are really useful @@ -379,7 +388,7 @@ ALTER TABLE rbac.permission call base.create_journal('rbac.permission'); -create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) +create or replace function rbac.createPermission(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) returns uuid language plpgsql as $$ declare @@ -415,7 +424,7 @@ begin return permissionUuid; end; $$; -create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) +create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) returns uuid returns null on null input stable -- leakproof 
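Review bot: The schema move is only partial in this file: `rbac.createPermission` is now qualified, but `findEffectivePermissionId`, `findPermissionId` and `getPermissionId` in this and the following hunk stay unqualified, as do `grantPermissionToRole`, `grantRoleToRole` and `isGranted` at the call sites in 1057-rbac-role-builder.sql and 1080-rbac-global.sql. Unqualified functions are created in and resolved through the session's `search_path`, so which `findPermissionId` a call such as `findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName)` in `hasInsertPermission` binds to depends on session configuration rather than on the changelog; if any of these run with elevated privileges (not visible here) that is a name-resolution hardening gap, otherwise a consistency issue worth finishing in a follow-up. Separately, the renamed domain `rbac.RbacOp` still carries no comment although its check clause (continuing outside the hunk) and the `-- all other rbac.RbacOp include 'SELECT'` remark on `findEffectivePermissionId` together define its semantics; suggest `-- permission operation of rbac.permission; every op other than 'SELECT' implicitly grants 'SELECT' (see findEffectivePermissionId)` above `create domain rbac.RbacOp`.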
@@ -423,11 +432,11 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R select uuid from rbac.permission p where p.objectUuid = forObjectUuid - and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT' + and (forOp = 'SELECT' or p.op = forOp) -- all other rbac.RbacOp include 'SELECT' and p.opTableName = forOpTableName $$; -create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) +create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) returns uuid returns null on null input stable -- leakproof @@ -439,7 +448,7 @@ select uuid and p.opTableName = forOpTableName $$; -create or replace function getPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) +create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null) returns uuid stable -- leakproof language plpgsql as $$ @@ -567,7 +576,7 @@ create or replace function hasInsertPermission(objectUuid uuid, tableName text ) declare permissionUuid uuid; begin - permissionUuid = findPermissionId(objectUuid, 'INSERT'::RbacOp, tableName); + permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName); return permissionUuid is not null; end; $$; @@ -602,7 +611,7 @@ $$; create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor) language plpgsql as $$ begin - call grantPermissionToRole(permissionUuid, findRoleId(roleDesc)); + call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc)); end; $$; 
@@ -634,8 +643,8 @@ begin return; end if; - superRoleId := findRoleId(superRole); - subRoleId := findRoleId(subRole); + superRoleId := rbac.findRoleId(superRole); + subRoleId := rbac.findRoleId(subRole); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); @@ -656,8 +665,8 @@ declare superRoleId uuid; subRoleId uuid; begin - superRoleId := findRoleId(superRole); - subRoleId := findRoleId(subRole); + superRoleId := rbac.findRoleId(superRole); + subRoleId := rbac.findRoleId(subRole); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); @@ -678,7 +687,7 @@ declare objectTable text; objectUuid uuid; begin - superRoleId := findRoleId(superRole); + superRoleId := rbac.findRoleId(superRole); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission'); @@ -705,7 +714,7 @@ end; $$; */ create or replace function queryAccessibleObjectUuidsOfSubjectIds( - requiredOp RbacOp, + requiredOp rbac.RbacOp, forObjectTable varchar, subjectIds uuid[], maxObjects integer = 8000) diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql index 610040f8..7243b3b2 100644 --- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql +++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql 
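Review bot: The default `maxObjects integer = 8000` on `queryAccessibleObjectUuidsOfSubjectIds` disagrees with the excerpt of the same signature in doc/rbac.md in this patch, which shows `maxObjects integer = 16000`; the commit touches both signatures but only for the `rbac.RbacOp` type, so one of the two is stale. Either align the documentation with `maxObjects integer = 8000` or add `-- doc/rbac.md quotes this signature; keep both in sync` next to the parameter. The function body continues outside the hunk.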
@@ -344,7 +344,7 @@ grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_ which are also visible to the current user or assumed roles. */ create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid) - returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) + returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns null on null input language plpgsql as $$ declare @@ -380,13 +380,13 @@ begin end; $$; create or replace function rbac.grantedPermissions(targetSubjectUuid uuid) - returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) + returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns null on null input language sql as $$ select * from rbac.grantedPermissionsRaw(targetSubjectUuid) union all - select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid + select roleUuid, roleName, permissionUuid, 'SELECT'::rbac.RbacOp, opTableName, objectTable, objectIdName, objectUuid from rbac.grantedPermissionsRaw(targetSubjectUuid) - where op <> 'SELECT'::RbacOp; + where op <> 'SELECT'::rbac.RbacOp; $$; --// diff --git a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql index 7adf4adc..7316e376 100644 --- a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql +++ b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql 
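Review bot: `rbac.grantedPermissions` synthesises an extra `'SELECT'::rbac.RbacOp` row for every non-SELECT permission without saying why; the only explanation is the `-- all other rbac.RbacOp include 'SELECT'` comment on `findEffectivePermissionId` in 1050-rbac-base.sql. A line above the `union all`, e.g. `-- every op other than SELECT implies SELECT, so expose a derived SELECT row per such permission`, would make the intent local to this function. The `select *` in the first branch relies on positional alignment with the explicit column list of the second branch; spelling the columns out there too would make the `union all` self-checking.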
@@ -8,7 +8,7 @@ create or replace function rbac.defineRoleWithGrants( roleDescriptor rbac.RoleDescriptor, - permissions RbacOp[] = array[]::RbacOp[], + permissions rbac.RbacOp[] = array[]::rbac.RbacOp[], incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[], outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[], subjectUuids uuid[] = array[]::uuid[], @@ -19,7 +19,7 @@ create or replace function rbac.defineRoleWithGrants( language plpgsql as $$ declare roleUuid uuid; - permission RbacOp; + permission rbac.RbacOp; permissionUuid uuid; subRoleDesc rbac.RoleDescriptor; superRoleDesc rbac.RoleDescriptor; @@ -28,23 +28,23 @@ declare subjectUuid uuid; userGrantsByRoleUuid uuid; begin - roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor)); + roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor)); foreach permission in array permissions loop - permissionUuid := createPermission(roleDescriptor.objectuuid, permission); + permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission); call grantPermissionToRole(permissionUuid, roleUuid); end loop; foreach superRoleDesc in array array_remove(incomingSuperRoles, null) loop - superRoleUuid := getRoleId(superRoleDesc); + superRoleUuid := rbac.getRoleId(superRoleDesc); call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed); end loop; foreach subRoleDesc in array array_remove(outgoingSubRoles, null) loop - subRoleUuid := getRoleId(subRoleDesc); + subRoleUuid := rbac.getRoleId(subRoleDesc); call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed); end loop; @@ -53,7 +53,7 @@ begin if grantedByRole is null then userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid? else - userGrantsByRoleUuid := getRoleId(grantedByRole); + userGrantsByRoleUuid := rbac.getRoleId(grantedByRole); end if; foreach subjectUuid in array subjectUuids loop 
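Review bot: `roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor));` relies on PostgreSQL's lazy evaluation of `coalesce` arguments to avoid creating a role that already exists, which a reader can easily miss; suggest `-- coalesce evaluates lazily: createRole runs only when findRoleId returns null` above that line. The function `rbac.defineRoleWithGrants` starts and ends outside this hunk.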
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql index d1f19dae..5f2c7122 100644 --- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql +++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql @@ -46,7 +46,7 @@ begin language plpgsql strict as $f$ begin - return roleDescriptor('%2$s', entity.uuid, 'OWNER', assumed); + return rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed); end; $f$; create or replace function %1$sAdmin(entity %2$s, assumed boolean = true) @@ -54,7 +54,7 @@ begin language plpgsql strict as $f$ begin - return roleDescriptor('%2$s', entity.uuid, 'ADMIN', assumed); + return rbac.roleDescriptorOf('%2$s', entity.uuid, 'ADMIN', assumed); end; $f$; create or replace function %1$sAgent(entity %2$s, assumed boolean = true) @@ -62,7 +62,7 @@ begin language plpgsql strict as $f$ begin - return roleDescriptor('%2$s', entity.uuid, 'AGENT', assumed); + return rbac.roleDescriptorOf('%2$s', entity.uuid, 'AGENT', assumed); end; $f$; create or replace function %1$sTenant(entity %2$s, assumed boolean = true) @@ -70,7 +70,7 @@ begin language plpgsql strict as $f$ begin - return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed); + return rbac.roleDescriptorOf('%2$s', entity.uuid, 'TENANT', assumed); end; $f$; -- TODO: remove guest role @@ -79,7 +79,7 @@ begin language plpgsql strict as $f$ begin - return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed); + return rbac.roleDescriptorOf('%2$s', entity.uuid, 'GUEST', assumed); end; $f$; create or replace function %1$sReferrer(entity %2$s) @@ -87,7 +87,7 @@ begin language plpgsql strict as $f$ begin - return roleDescriptor('%2$s', entity.uuid, 'REFERRER'); + return rbac.roleDescriptorOf('%2$s', entity.uuid, 'REFERRER'); end; $f$; $sql$, prefix, targetTable); 
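Review bot: The generated bodies splice the target table name into SQL source through `format`'s `%2$s`, both as a quoted literal in `rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed)` and as a type in `entity %2$s`; `%s` performs no quoting, so a table name containing a quote or other special characters would yield broken or unintended SQL. Since `targetTable` comes from the generator's own callers this is hardening rather than an exploitable path, but `%2$L` for the literal positions and `%2$I` for the identifier positions would make the generator safe by construction, e.g. `return rbac.roleDescriptorOf(%2$L, entity.uuid, 'OWNER', assumed);`. The enclosing `format($sql$ ... $sql$, prefix, targetTable)` call starts outside the hunk.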
diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql index ada5f5dc..8accfb53 100644 --- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql +++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql @@ -30,16 +30,16 @@ create or replace function rbac.isGlobalAdmin() returns boolean language plpgsql as $$ begin - return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), findRoleId(globalAdmin())); + return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin())); end; $$; --// -- ============================================================================ ---changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--// +--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--// -- ------------------------------------------------------------------ -create or replace function rbac.hasGlobalPermission(op RbacOp) +create or replace function rbac.hasGlobalPermission(op rbac.RbacOp) returns boolean language sql as $$ @@ -87,7 +87,7 @@ $$; --liquibase formatted sql -- ============================================================================ ---changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--// +--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /** @@ -104,7 +104,7 @@ commit; -- ============================================================================ ---changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--// +--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* A rbac.Global administrator role. 
@@ -119,13 +119,13 @@ $$; begin transaction; call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null); - select createRole(globalAdmin()); + select rbac.createRole(globalAdmin()); commit; --// -- ============================================================================ ---changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--// +--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* A rbac.Global guest role. @@ -140,13 +140,13 @@ $$; begin transaction; call base.defineContext('creating role:rbac.global#global:guest', null, null, null); - select createRole(globalGuest()); + select rbac.createRole(globalGuest()); commit; --// -- ============================================================================ ---changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--// +--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--// -- ---------------------------------------------------------------------------- /* Create two users and assign both to the administrators' role. @@ -157,7 +157,7 @@ do language plpgsql $$ begin call base.defineContext('creating fake test-realm admin users', null, null, null); - admins = findRoleId(globalAdmin()); + admins = rbac.findRoleId(globalAdmin()); call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net')); call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net')); perform rbac.create_subject('selfregistered-user-drew@hostsharing.org'); @@ -168,7 +168,7 @@ $$; -- ============================================================================ ---changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--// +--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--// -- ---------------------------------------------------------------------------- /* 
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql index 21aec61a..f6844048 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql @@ -95,7 +95,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'test_customer'), + rbac.createPermission(row.uuid, 'INSERT', 'test_customer'), globalADMIN()); END LOOP; end; @@ -111,7 +111,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf() begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'test_customer'), + rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'), globalADMIN()); -- end. return NEW; diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql index e5a53dab..b1139e53 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql @@ -41,8 +41,8 @@ begin select * into newCust from test_customer where reference=custReference; call rbac.grantRoleToSubject( - getRoleId(testCustomerOwner(newCust)), - getRoleId(testCustomerAdmin(newCust)), + rbac.getRoleId(testCustomerOwner(newCust)), + rbac.getRoleId(testCustomerAdmin(newCust)), custAdminUuid, true); end; $$; diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql index 6f421963..26e3384d 100644 
--- a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql +++ b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql @@ -160,7 +160,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'test_package'), + rbac.createPermission(row.uuid, 'INSERT', 'test_package'), testCustomerADMIN(row)); END LOOP; end; @@ -176,7 +176,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf() begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'test_package'), + rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'), testCustomerADMIN(NEW)); -- end. return NEW; diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql b/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql index 1faf52a6..84da3839 100644 --- a/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql +++ b/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql @@ -30,8 +30,8 @@ begin returning * into pac; call rbac.grantRoleToSubject( - getRoleId(testCustomerAdmin(cust)), - findRoleId(testPackageAdmin(pac)), + rbac.getRoleId(testCustomerAdmin(cust)), + rbac.findRoleId(testPackageAdmin(pac)), rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'), true); diff --git a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql index 98e76047..e07e64d8 100644 --- a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql 
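Review bot: In 2028-test-package-test-data.sql the grant mixes `rbac.getRoleId(testCustomerAdmin(cust))` with `rbac.findRoleId(testPackageAdmin(pac))`, whereas the parallel hunk in 2018-test-customer-test-data.sql uses `rbac.getRoleId` for both arguments. `rbac.findRoleId` returns null when no role matches, so a missing package-admin role would hand null to `rbac.grantRoleToSubject` (whose handling of null is not visible here) instead of failing with the `rbac.role "%#%.%" not found` error that `rbac.getRoleId` raises; suggest `rbac.getRoleId(testPackageAdmin(pac)),` in place of `rbac.findRoleId(testPackageAdmin(pac)),`. The enclosing block starts outside the hunk.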
@@ -159,7 +159,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'test_domain'), + rbac.createPermission(row.uuid, 'INSERT', 'test_domain'), testPackageADMIN(row)); END LOOP; end; @@ -175,7 +175,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf() begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'test_domain'), + rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'), testPackageADMIN(NEW)); -- end. return NEW; diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql index b0769dec..52ee285e 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql @@ -169,7 +169,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_relation'), + rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'), hsOfficePersonADMIN(row)); END LOOP; end; @@ -185,7 +185,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'), + rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'), hsOfficePersonADMIN(NEW)); -- end. return NEW; diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index f9e62eeb..50a66a9a 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql 
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql @@ -42,12 +42,12 @@ begin SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid); - call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call rbac.leaveTriggerForObjectUuid(NEW.uuid); end; $$; 
@@ -111,22 +111,22 @@ begin if NEW.partnerRelUuid <> OLD.partnerRelUuid then call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel)); - call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 
'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); + call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); end if; @@ -172,7 +172,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_partner'), + rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'), globalADMIN()); END LOOP; end; @@ -188,7 +188,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf() begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), + rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), globalADMIN()); -- end. return NEW; diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql index 9a3dfbe1..b53a2e2f 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql @@ -76,7 +76,7 @@ begin -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), + rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), globalADMIN()); END LOOP; end; @@ -92,7 +92,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), + rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), globalADMIN()); -- end. return NEW; 
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql index 58175132..a2ca4c80 100644 --- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql @@ -57,9 +57,9 @@ begin call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel)); call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel)); - call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel)); + call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel)); call rbac.leaveTriggerForObjectUuid(NEW.uuid); end; $$; @@ -145,7 +145,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), + rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), globalADMIN()); END LOOP; end; @@ -161,7 +161,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf() begin -- unconditional for all rows in that table call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), + rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), globalADMIN()); -- end. return NEW; 
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql index 40b6224e..c5f91a9c 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql @@ -120,7 +120,7 @@ do language plpgsql $$ WHERE type = 'DEBITOR' LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'), + rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'), hsOfficeRelationADMIN(row)); END LOOP; end; @@ -136,7 +136,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_ begin if NEW.type = 'DEBITOR' then call grantPermissionToRole( - createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'), + rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'), hsOfficeRelationADMIN(NEW)); end if; return NEW; diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql index 0218f68c..2d42a51d 100644 --- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql @@ -107,7 +107,7 @@ do language plpgsql $$ -- unconditional for all rows in that table LOOP call grantPermissionToRole( - createPermission(row.uuid, 'INSERT', 'hs_office_membership'), + rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'), globalADMIN()); END LOOP; end; 
@@ -123,7 +123,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
 globalADMIN());
 -- end.
 return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
index f8d72a7f..96f22285 100644
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
@@ -38,8 +38,8 @@ begin
 SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
 assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
- call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
- call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -83,7 +83,7 @@ do language plpgsql $$
 -- unconditional for all rows in that table
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
 hsOfficeMembershipADMIN(row));
 END LOOP;
 end;
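Review bot: In the `@@ -38,8` hunk of the coopshares changelog the `SELECT ... INTO newMembership` lookup is checked only by an `assert`, and the new lines immediately grant `SELECT` and `UPDATE` on the row to roles derived from `newMembership`. PL/pgSQL `ASSERT` is a debugging aid that is skipped entirely when `plpgsql.check_asserts` is off, so a guard in front of a permission grant should not depend on a runtime setting; with asserts disabled a missing membership would reach `hsOfficeMembershipAGENT(newMembership)` with a NULL record instead of aborting the insert. If a foreign key on `membershipUuid` exists this is only defense in depth, but it is cheap to make unconditional: `SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO STRICT newMembership;`, which raises when no row matches, or an explicit `if newMembership.uuid is null then raise exception ...; end if;`. The same pattern recurs in the coopassets changelog below; the trigger function enclosing this hunk starts outside it.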
@@ -99,7 +99,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
 hsOfficeMembershipADMIN(NEW));
 -- end.
 return NEW;
diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
index 2be9891c..c289af2d 100644
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
@@ -38,8 +38,8 @@ begin
 SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
 assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
- call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
- call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -83,7 +83,7 @@ do language plpgsql $$
 -- unconditional for all rows in that table
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
 hsOfficeMembershipADMIN(row));
 END LOOP;
 end;
@@ -99,7 +99,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
 hsOfficeMembershipADMIN(NEW));
 -- end.
 return NEW;
diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
index ff6a9054..c4cd9175 100644
--- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
@@ -70,7 +70,7 @@ begin
 outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
 );
- call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -114,7 +114,7 @@ do language plpgsql $$
 WHERE type = 'DEBITOR'
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
 hsOfficeRelationADMIN(row));
 END LOOP;
 end;
@@ -130,7 +130,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
 begin
 if NEW.type = 'DEBITOR' then
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
 hsOfficeRelationADMIN(NEW));
 end if;
 return NEW;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
index 2accb407..0ae4bcfa 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
@@ -69,7 +69,7 @@ begin
- call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -113,7 +113,7 @@ do language plpgsql $$
 -- unconditional for all rows in that table
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
 globalADMIN());
 END LOOP;
 end;
@@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
 globalADMIN());
 -- end.
 return NEW;
@@ -156,7 +156,7 @@ do language plpgsql $$
 -- unconditional for all rows in that table
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
 hsBookingProjectADMIN(row));
 END LOOP;
 end;
@@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
 hsBookingProjectADMIN(NEW));
 -- end.
 return NEW;
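Review bot: The `@@ -69,7` hunk spells the grantee `globalAdmin()` while `@@ -113,7` and `@@ -129,7` in the same file use `globalADMIN()`. PostgreSQL folds unquoted identifiers to lower case, so both names resolve to the same function and behaviour is unaffected, but the inconsistent spelling defeats a plain text search for every site where the global admin role receives a permission — here it is `DELETE` on every newly inserted booking item, which is exactly the kind of grant an audit wants to find. Since the commit already rewrites that line, use the spelling the rest of the file uses: `call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalADMIN());`. The trigger function around the `@@ -69,7` hunk starts outside it.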
@@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
 hsBookingItemADMIN(NEW));
 -- end.
 return NEW;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
index 2accb407..0ae4bcfa 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
@@ -69,7 +69,7 @@ begin
- call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -113,7 +113,7 @@ do language plpgsql $$
 -- unconditional for all rows in that table
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
 globalADMIN());
 END LOOP;
 end;
@@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
 globalADMIN());
 -- end.
 return NEW;
@@ -156,7 +156,7 @@ do language plpgsql $$
 -- unconditional for all rows in that table
 LOOP
 call grantPermissionToRole(
- createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
 hsBookingProjectADMIN(row));
 END LOOP;
 end;
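Review bot: This diff patches two files in `630-booking-item/`, `6203-hs-booking-item-rbac.sql` and `6303-hs-booking-item-rbac.sql`, with the same blob ids (`index 2accb407..0ae4bcfa` for both) and hunk-for-hunk identical content, so the RBAC changelog for booking items exists twice in the tree. Liquibase keys a changeset on id, author and file path, so if the master changelog references both files every changeset in them — the per-row `INSERT` grants to `globalADMIN()`, the `hsBookingProjectADMIN`/`hsBookingItemADMIN` grants, the trigger definitions — is applied a second time under a new identity, and if only one is referenced the other is dead code that will silently drift from the live one. Which file the master changelog includes is not visible from this diff; please confirm and remove the stray copy (note that `6203-` is already the prefix of `620-booking-project/6203-hs-booking-project-rbac.sql`, so the `6203-` copy looks like a leftover of a rename to `6303-`).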
@@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
 hsBookingProjectADMIN(NEW));
 -- end.
 return NEW;
@@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
 begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
- createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
 hsBookingItemADMIN(NEW));
 -- end.
 return NEW;