rbac.RbacOp, rbac.RoleDescriptor, rbac.roleDescriptorOf and functions

This commit is contained in:
Michael Hoennig 2024-09-14 07:07:54 +02:00
parent 568c1e9a65
commit 5166bb5fc9
22 changed files with 126 additions and 117 deletions


@ -606,7 +606,7 @@ We have tested two variants of the query for the restricted view,
both utilizing a PostgreSQL function like this: both utilizing a PostgreSQL function like this:
FUNCTION queryAccessibleObjectUuidsOfSubjectIds( FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
requiredOp RbacOp, requiredOp rbac.RbacOp,
forObjectTable varchar, forObjectTable varchar,
subjectIds uuid[], subjectIds uuid[],
maxObjects integer = 16000) maxObjects integer = 16000)


@ -156,6 +156,7 @@ begin
end if; end if;
return old; return old;
end; $$; end; $$;
--//
-- ============================================================================ -- ============================================================================
@ -166,13 +167,19 @@ create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST',
create table rbac.role create table rbac.role
( (
uuid uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred uuid uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred
objectUuid uuid not null references rbac.object (uuid) initially deferred, objectUuid uuid not null references rbac.object (uuid) initially deferred,
roleType rbac.RoleType not null, roleType rbac.RoleType not null,
unique (objectUuid, roleType) unique (objectUuid, roleType)
); );
call base.create_journal('rbac.role'); call base.create_journal('rbac.role');
--//
-- ============================================================================
--changeset rbac-base-ROLE-DESCRIPTOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create type rbac.RoleDescriptor as create type rbac.RoleDescriptor as
( (
@ -196,8 +203,7 @@ create or replace function rbac.unassumed()
select false; select false;
$$; $$;
create or replace function rbac.roleDescriptorOf(
create or replace function roleDescriptor(
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType, objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
assumed boolean = true) -- just for DSL readability, belongs actually to the grant assumed boolean = true) -- just for DSL readability, belongs actually to the grant
returns rbac.RoleDescriptor returns rbac.RoleDescriptor
@ -207,7 +213,7 @@ create or replace function roleDescriptor(
select objectTable, objectUuid, roleType::rbac.RoleType, assumed; select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
$$; $$;
create or replace function createRole(roleDescriptor rbac.RoleDescriptor) create or replace function rbac.createRole(roleDescriptor rbac.RoleDescriptor)
returns uuid returns uuid
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -224,9 +230,14 @@ begin
return referenceId; return referenceId;
end; end;
$$; $$;
--//
create or replace procedure deleteRole(roleUUid uuid) -- ============================================================================
--changeset rbac-base-ROLE-FUNCTIONS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure rbac.deleteRole(roleUUid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
--raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid; --raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid;
@ -234,7 +245,7 @@ begin
end; end;
$$; $$;
create or replace function findRoleId(roleIdName varchar) create or replace function rbac.findRoleId(roleIdName varchar)
returns uuid returns uuid
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -246,7 +257,7 @@ declare
objectUuidOfRole uuid; objectUuidOfRole uuid;
roleUuid uuid; roleUuid uuid;
begin begin
-- TODO.refa: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences -- TODO.refa: extract function rbac.toRoleDescriptor(roleIdName varchar) + find other occurrences
roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':')); roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':'));
objectTableFromRoleIdName = split_part(roleParts, '#', 1); objectTableFromRoleIdName = split_part(roleParts, '#', 1);
objectNameFromRoleIdName = split_part(roleParts, '#', 2); objectNameFromRoleIdName = split_part(roleParts, '#', 2);
@ -261,14 +272,14 @@ begin
return roleUuid; return roleUuid;
end; $$; end; $$;
create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor) create or replace function rbac.findRoleId(roleDescriptor rbac.RoleDescriptor)
returns uuid returns uuid
returns null on null input returns null on null input
language sql as $$ language sql as $$
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType; select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
$$; $$;
create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor) create or replace function rbac.getRoleId(roleDescriptor rbac.RoleDescriptor)
returns uuid returns uuid
language plpgsql as $$ language plpgsql as $$
declare declare
@ -276,13 +287,14 @@ declare
begin begin
assert roleDescriptor is not null, 'roleDescriptor must not be null'; assert roleDescriptor is not null, 'roleDescriptor must not be null';
roleUuid := findRoleId(roleDescriptor); roleUuid := rbac.findRoleId(roleDescriptor);
if (roleUuid is null) then if (roleUuid is null) then
raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType; raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType;
end if; end if;
return roleUuid; return roleUuid;
end; end;
$$; $$;
--//
-- ============================================================================ -- ============================================================================
@ -351,10 +363,7 @@ create trigger delete_roles_of_object_tg
-- ============================================================================ -- ============================================================================
--changeset rbac-base-PERMISSION:1 endDelimiter:--// --changeset rbac-base-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* create domain rbac.RbacOp as varchar(6)
*/
create domain RbacOp as varchar(6)
check ( check (
VALUE = 'DELETE' VALUE = 'DELETE'
or VALUE = 'UPDATE' or VALUE = 'UPDATE'
@ -367,7 +376,7 @@ create table rbac.permission
( (
uuid uuid primary key references rbac.reference (uuid) on delete cascade, uuid uuid primary key references rbac.reference (uuid) on delete cascade,
objectUuid uuid not null references rbac.object, objectUuid uuid not null references rbac.object,
op RbacOp not null, op rbac.RbacOp not null,
opTableName varchar(60) opTableName varchar(60)
); );
-- TODO.perf: check if these indexes are really useful -- TODO.perf: check if these indexes are really useful
@ -379,7 +388,7 @@ ALTER TABLE rbac.permission
call base.create_journal('rbac.permission'); call base.create_journal('rbac.permission');
create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) create or replace function rbac.createPermission(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
language plpgsql as $$ language plpgsql as $$
declare declare
@ -415,7 +424,7 @@ begin
return permissionUuid; return permissionUuid;
end; $$; end; $$;
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -423,11 +432,11 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
select uuid select uuid
from rbac.permission p from rbac.permission p
where p.objectUuid = forObjectUuid where p.objectUuid = forObjectUuid
and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT' and (forOp = 'SELECT' or p.op = forOp) -- all other rbac.RbacOp include 'SELECT'
and p.opTableName = forOpTableName and p.opTableName = forOpTableName
$$; $$;
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -439,7 +448,7 @@ select uuid
and p.opTableName = forOpTableName and p.opTableName = forOpTableName
$$; $$;
create or replace function getPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid returns uuid
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -567,7 +576,7 @@ create or replace function hasInsertPermission(objectUuid uuid, tableName text )
declare declare
permissionUuid uuid; permissionUuid uuid;
begin begin
permissionUuid = findPermissionId(objectUuid, 'INSERT'::RbacOp, tableName); permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
return permissionUuid is not null; return permissionUuid is not null;
end; end;
$$; $$;
@ -602,7 +611,7 @@ $$;
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor) create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
language plpgsql as $$ language plpgsql as $$
begin begin
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc)); call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
end; end;
$$; $$;
@ -634,8 +643,8 @@ begin
return; return;
end if; end if;
superRoleId := findRoleId(superRole); superRoleId := rbac.findRoleId(superRole);
subRoleId := findRoleId(subRole); subRoleId := rbac.findRoleId(subRole);
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
@ -656,8 +665,8 @@ declare
superRoleId uuid; superRoleId uuid;
subRoleId uuid; subRoleId uuid;
begin begin
superRoleId := findRoleId(superRole); superRoleId := rbac.findRoleId(superRole);
subRoleId := findRoleId(subRole); subRoleId := rbac.findRoleId(subRole);
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role'); perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
@ -678,7 +687,7 @@ declare
objectTable text; objectTable text;
objectUuid uuid; objectUuid uuid;
begin begin
superRoleId := findRoleId(superRole); superRoleId := rbac.findRoleId(superRole);
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role'); perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission'); perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
@ -705,7 +714,7 @@ end; $$;
*/ */
create or replace function queryAccessibleObjectUuidsOfSubjectIds( create or replace function queryAccessibleObjectUuidsOfSubjectIds(
requiredOp RbacOp, requiredOp rbac.RbacOp,
forObjectTable varchar, forObjectTable varchar,
subjectIds uuid[], subjectIds uuid[],
maxObjects integer = 8000) maxObjects integer = 8000)
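Review bot: Inserting `--//` plus the new `--changeset rbac-base-ROLE-DESCRIPTOR:1 endDelimiter:--//` header right after `call base.create_journal('rbac.role');` (and likewise `rbac-base-ROLE-FUNCTIONS:1` in front of `rbac.deleteRole`) splits an existing changeset whose header lies outside the hunk, which changes that changeset's body and checksum while the new ids count as never run; on any database that is not rebuilt from scratch this presumably yields a checksum validation failure followed by a second, non-idempotent `create type rbac.RoleDescriptor`. If already-migrated databases matter, either keep the definitions in their original changeset or add a `validCheckSum` entry to the split one. Separately, the move into the `rbac` schema stops half-way: `findEffectivePermissionId`, `findPermissionId`, `getPermissionId`, `grantPermissionToRole` and `queryAccessibleObjectUuidsOfSubjectIds` here, `grantPermissionToRole`/`grantRoleToRole` inside `rbac.defineRoleWithGrants`, and `isGranted`/`globalAdmin()` inside `rbac.isGlobalAdmin()` further down are still created and called unqualified, so these authorization lookups resolve through the caller's search_path at run time. Qualifying them as well, or pinning a fixed `set search_path` on the permission-checking functions, would make the refactoring consistent and remove that dependency.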


@ -344,7 +344,7 @@ grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_
which are also visible to the current user or assumed roles. which are also visible to the current user or assumed roles.
*/ */
create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid) create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
declare declare
@ -380,13 +380,13 @@ begin
end; $$; end; $$;
create or replace function rbac.grantedPermissions(targetSubjectUuid uuid) create or replace function rbac.grantedPermissions(targetSubjectUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input returns null on null input
language sql as $$ language sql as $$
select * from rbac.grantedPermissionsRaw(targetSubjectUuid) select * from rbac.grantedPermissionsRaw(targetSubjectUuid)
union all union all
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid select roleUuid, roleName, permissionUuid, 'SELECT'::rbac.RbacOp, opTableName, objectTable, objectIdName, objectUuid
from rbac.grantedPermissionsRaw(targetSubjectUuid) from rbac.grantedPermissionsRaw(targetSubjectUuid)
where op <> 'SELECT'::RbacOp; where op <> 'SELECT'::rbac.RbacOp;
$$; $$;
--// --//


@ -8,7 +8,7 @@
create or replace function rbac.defineRoleWithGrants( create or replace function rbac.defineRoleWithGrants(
roleDescriptor rbac.RoleDescriptor, roleDescriptor rbac.RoleDescriptor,
permissions RbacOp[] = array[]::RbacOp[], permissions rbac.RbacOp[] = array[]::rbac.RbacOp[],
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[], incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[], outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
subjectUuids uuid[] = array[]::uuid[], subjectUuids uuid[] = array[]::uuid[],
@ -19,7 +19,7 @@ create or replace function rbac.defineRoleWithGrants(
language plpgsql as $$ language plpgsql as $$
declare declare
roleUuid uuid; roleUuid uuid;
permission RbacOp; permission rbac.RbacOp;
permissionUuid uuid; permissionUuid uuid;
subRoleDesc rbac.RoleDescriptor; subRoleDesc rbac.RoleDescriptor;
superRoleDesc rbac.RoleDescriptor; superRoleDesc rbac.RoleDescriptor;
@ -28,23 +28,23 @@ declare
subjectUuid uuid; subjectUuid uuid;
userGrantsByRoleUuid uuid; userGrantsByRoleUuid uuid;
begin begin
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor)); roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor));
foreach permission in array permissions foreach permission in array permissions
loop loop
permissionUuid := createPermission(roleDescriptor.objectuuid, permission); permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission);
call grantPermissionToRole(permissionUuid, roleUuid); call grantPermissionToRole(permissionUuid, roleUuid);
end loop; end loop;
foreach superRoleDesc in array array_remove(incomingSuperRoles, null) foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
loop loop
superRoleUuid := getRoleId(superRoleDesc); superRoleUuid := rbac.getRoleId(superRoleDesc);
call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed); call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
end loop; end loop;
foreach subRoleDesc in array array_remove(outgoingSubRoles, null) foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
loop loop
subRoleUuid := getRoleId(subRoleDesc); subRoleUuid := rbac.getRoleId(subRoleDesc);
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed); call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
end loop; end loop;
@ -53,7 +53,7 @@ begin
if grantedByRole is null then if grantedByRole is null then
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid? userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
else else
userGrantsByRoleUuid := getRoleId(grantedByRole); userGrantsByRoleUuid := rbac.getRoleId(grantedByRole);
end if; end if;
foreach subjectUuid in array subjectUuids foreach subjectUuid in array subjectUuids
loop loop


@ -46,7 +46,7 @@ begin
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
return roleDescriptor('%2$s', entity.uuid, 'OWNER', assumed); return rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed);
end; $f$; end; $f$;
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true) create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
@ -54,7 +54,7 @@ begin
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
return roleDescriptor('%2$s', entity.uuid, 'ADMIN', assumed); return rbac.roleDescriptorOf('%2$s', entity.uuid, 'ADMIN', assumed);
end; $f$; end; $f$;
create or replace function %1$sAgent(entity %2$s, assumed boolean = true) create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
@ -62,7 +62,7 @@ begin
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
return roleDescriptor('%2$s', entity.uuid, 'AGENT', assumed); return rbac.roleDescriptorOf('%2$s', entity.uuid, 'AGENT', assumed);
end; $f$; end; $f$;
create or replace function %1$sTenant(entity %2$s, assumed boolean = true) create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
@ -70,7 +70,7 @@ begin
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed); return rbac.roleDescriptorOf('%2$s', entity.uuid, 'TENANT', assumed);
end; $f$; end; $f$;
-- TODO: remove guest role -- TODO: remove guest role
@ -79,7 +79,7 @@ begin
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed); return rbac.roleDescriptorOf('%2$s', entity.uuid, 'GUEST', assumed);
end; $f$; end; $f$;
create or replace function %1$sReferrer(entity %2$s) create or replace function %1$sReferrer(entity %2$s)
@ -87,7 +87,7 @@ begin
language plpgsql language plpgsql
strict as $f$ strict as $f$
begin begin
return roleDescriptor('%2$s', entity.uuid, 'REFERRER'); return rbac.roleDescriptorOf('%2$s', entity.uuid, 'REFERRER');
end; $f$; end; $f$;
$sql$, prefix, targetTable); $sql$, prefix, targetTable);
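Review bot: The generated bodies still embed the table name as a hand-quoted literal, `rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed)`, so a `targetTable` value containing a quote character would break or alter the generated SQL; `format()`'s `%L` exists for exactly this, e.g. `return rbac.roleDescriptorOf(%2$L, entity.uuid, 'OWNER', assumed);` in each of the six bodies. The function names built with `%1$s` are better left as they are, because `%I` would quote mixed-case identifiers and thereby change how callers have to spell them. The enclosing generator function, whose `prefix` and `targetTable` parameters the closing `format()` call consumes, starts outside the hunk; note also that the generated `%1$sOwner`…`%1$sReferrer` functions themselves stay unqualified while the descriptor they return now comes from `rbac`.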


@ -30,16 +30,16 @@ create or replace function rbac.isGlobalAdmin()
returns boolean returns boolean
language plpgsql as $$ language plpgsql as $$
begin begin
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), findRoleId(globalAdmin())); return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
end; $$; end; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--// --changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
-- ------------------------------------------------------------------ -- ------------------------------------------------------------------
create or replace function rbac.hasGlobalPermission(op RbacOp) create or replace function rbac.hasGlobalPermission(op rbac.RbacOp)
returns boolean returns boolean
language sql as language sql as
$$ $$
@ -87,7 +87,7 @@ $$;
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--// --changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
@ -104,7 +104,7 @@ commit;
-- ============================================================================ -- ============================================================================
--changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--// --changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A rbac.Global administrator role. A rbac.Global administrator role.
@ -119,13 +119,13 @@ $$;
begin transaction; begin transaction;
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null); call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
select createRole(globalAdmin()); select rbac.createRole(globalAdmin());
commit; commit;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--// --changeset rbac-global-GUEST-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A rbac.Global guest role. A rbac.Global guest role.
@ -140,13 +140,13 @@ $$;
begin transaction; begin transaction;
call base.defineContext('creating role:rbac.global#global:guest', null, null, null); call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
select createRole(globalGuest()); select rbac.createRole(globalGuest());
commit; commit;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--// --changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Create two users and assign both to the administrators' role. Create two users and assign both to the administrators' role.
@ -157,7 +157,7 @@ do language plpgsql $$
begin begin
call base.defineContext('creating fake test-realm admin users', null, null, null); call base.defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(globalAdmin()); admins = rbac.findRoleId(globalAdmin());
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net')); call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net')); call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org'); perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
@ -168,7 +168,7 @@ $$;
-- ============================================================================ -- ============================================================================
--changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--// --changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
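Review bot: Renaming the changeset ids `rbac-rbac.Global-PSEUDO-OBJECT:1`, `rbac-rbac.Global-ADMIN-ROLE:1`, `rbac-rbac.Global-GUEST-ROLE:1`, `rbac-GLOBAL-ADMIN-USERS:1`, `rbac-GLOBAL-TEST:1` and `rbac-global-HAS-global-PERMISSION:1` to their new `rbac-global-…` forms presents Liquibase with six changesets it has never recorded, so on any database migrated under the old ids they would be executed again; `select rbac.createRole(globalAdmin());` and the admin-user creation are presumably not idempotent and would fail or duplicate rows. If only freshly built databases are expected this is harmless, otherwise the renames need a matching update of the recorded ids or the old ids have to be kept. A one-line comment above the renamed headers stating which of the two applies would save the next reader the same investigation.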


@ -95,7 +95,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'test_customer'), rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -111,7 +111,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'test_customer'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;


@ -41,8 +41,8 @@ begin
select * into newCust select * into newCust
from test_customer where reference=custReference; from test_customer where reference=custReference;
call rbac.grantRoleToSubject( call rbac.grantRoleToSubject(
getRoleId(testCustomerOwner(newCust)), rbac.getRoleId(testCustomerOwner(newCust)),
getRoleId(testCustomerAdmin(newCust)), rbac.getRoleId(testCustomerAdmin(newCust)),
custAdminUuid, custAdminUuid,
true); true);
end; $$; end; $$;


@ -160,7 +160,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'test_package'), rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
testCustomerADMIN(row)); testCustomerADMIN(row));
END LOOP; END LOOP;
end; end;
@ -176,7 +176,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'test_package'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
testCustomerADMIN(NEW)); testCustomerADMIN(NEW));
-- end. -- end.
return NEW; return NEW;


@ -30,8 +30,8 @@ begin
returning * into pac; returning * into pac;
call rbac.grantRoleToSubject( call rbac.grantRoleToSubject(
getRoleId(testCustomerAdmin(cust)), rbac.getRoleId(testCustomerAdmin(cust)),
findRoleId(testPackageAdmin(pac)), rbac.findRoleId(testPackageAdmin(pac)),
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'), rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
true); true);
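Review bot: The two role lookups handed to `rbac.grantRoleToSubject` differ in strictness: `rbac.getRoleId(testCustomerAdmin(cust))` raises when the role is missing, while `rbac.findRoleId(testPackageAdmin(pac))` on the next line returns null, so the grant would then receive a null role uuid instead of a clear error. Since `pac` was just written via `returning * into pac`, its admin role is expected to exist, and `rbac.findRoleId(testPackageAdmin(pac)),` should presumably read `rbac.getRoleId(testPackageAdmin(pac)),` to fail loudly. The enclosing block starts and ends outside the hunk.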


@ -159,7 +159,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'test_domain'), rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
testPackageADMIN(row)); testPackageADMIN(row));
END LOOP; END LOOP;
end; end;
@ -175,7 +175,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'test_domain'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
testPackageADMIN(NEW)); testPackageADMIN(NEW));
-- end. -- end.
return NEW; return NEW;


@ -169,7 +169,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_relation'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
hsOfficePersonADMIN(row)); hsOfficePersonADMIN(row));
END LOOP; END LOOP;
end; end;
@ -185,7 +185,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
hsOfficePersonADMIN(NEW)); hsOfficePersonADMIN(NEW));
-- end. -- end.
return NEW; return NEW;


@ -42,12 +42,12 @@ begin
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid); assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -111,22 +111,22 @@ begin
if NEW.partnerRelUuid <> OLD.partnerRelUuid then if NEW.partnerRelUuid <> OLD.partnerRelUuid then
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel)); call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
end if; end if;
@ -172,7 +172,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -188,7 +188,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;
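Review bot: The new side of the @ -42 and @ -111 hunks still calls `grantPermissionToRole(...)` and `getPermissionId(...)` unqualified, while `rbac.createPermission` and `rbac.revokePermissionFromRole` on the same lines are schema-qualified, so the remaining unqualified calls are resolved through the session's search_path at runtime rather than pinned to a schema. If those helpers also live in the `rbac` schema, qualifying them in the same commit keeps each statement uniformly resolved, e.g. `call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));` becoming `call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));`; if they have not been moved yet, a short comment such as `-- grantPermissionToRole/getPermissionId not yet moved to schema rbac` would explain the mixed style to the next reader. The same mix appears in every other file section of this commit (partner_details, debitor, sepamandate, membership, coopsharestransaction, coopassetstransaction, booking_project and booking_item). The trigger function bodies these hunks belong to start outside the hunks.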


@ -76,7 +76,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -92,7 +92,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;


@ -57,9 +57,9 @@ begin
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel)); call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel)); call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -145,7 +145,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -161,7 +161,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;


@ -120,7 +120,7 @@ do language plpgsql $$
WHERE type = 'DEBITOR' WHERE type = 'DEBITOR'
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationADMIN(row)); hsOfficeRelationADMIN(row));
END LOOP; END LOOP;
end; end;
@ -136,7 +136,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_
begin begin
if NEW.type = 'DEBITOR' then if NEW.type = 'DEBITOR' then
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationADMIN(NEW)); hsOfficeRelationADMIN(NEW));
end if; end if;
return NEW; return NEW;


@ -107,7 +107,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -123,7 +123,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;


@ -38,8 +38,8 @@ begin
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership; SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid); assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -83,7 +83,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
hsOfficeMembershipADMIN(row)); hsOfficeMembershipADMIN(row));
END LOOP; END LOOP;
end; end;
@ -99,7 +99,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
hsOfficeMembershipADMIN(NEW)); hsOfficeMembershipADMIN(NEW));
-- end. -- end.
return NEW; return NEW;


@ -38,8 +38,8 @@ begin
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership; SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid); assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership)); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -83,7 +83,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
hsOfficeMembershipADMIN(row)); hsOfficeMembershipADMIN(row));
END LOOP; END LOOP;
end; end;
@ -99,7 +99,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
hsOfficeMembershipADMIN(NEW)); hsOfficeMembershipADMIN(NEW));
-- end. -- end.
return NEW; return NEW;


@ -70,7 +70,7 @@ begin
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)] outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
); );
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin()); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -114,7 +114,7 @@ do language plpgsql $$
WHERE type = 'DEBITOR' WHERE type = 'DEBITOR'
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_project'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
hsOfficeRelationADMIN(row)); hsOfficeRelationADMIN(row));
END LOOP; END LOOP;
end; end;
@ -130,7 +130,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
begin begin
if NEW.type = 'DEBITOR' then if NEW.type = 'DEBITOR' then
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
hsOfficeRelationADMIN(NEW)); hsOfficeRelationADMIN(NEW));
end if; end if;
return NEW; return NEW;
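Review bot: The grant in the @ -70 hunk uses `globalAdmin()` while the hs_office sections of this same commit spell the call `globalADMIN()`; PostgreSQL folds unquoted identifiers to lower case, so both reach the same function, but the two spellings make the call site harder to grep for and suggest two different functions where there is one. Since these lines are being touched anyway, aligning on one spelling, `call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalADMIN());`, would keep the schema migrations consistent; the booking_item sections (the @ -69 hunks) have the same variant. The enclosing trigger function starts outside the hunk.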


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin()); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -113,7 +113,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;
@ -156,7 +156,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(row)); hsBookingProjectADMIN(row));
END LOOP; END LOOP;
end; end;
@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(NEW)); hsBookingProjectADMIN(NEW));
-- end. -- end.
return NEW; return NEW;
@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingItemADMIN(NEW)); hsBookingItemADMIN(NEW));
-- end. -- end.
return NEW; return NEW;


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin()); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -113,7 +113,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); globalADMIN());
-- end. -- end.
return NEW; return NEW;
@ -156,7 +156,7 @@ do language plpgsql $$
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(row)); hsBookingProjectADMIN(row));
END LOOP; END LOOP;
end; end;
@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingProjectADMIN(NEW)); hsBookingProjectADMIN(NEW));
-- end. -- end.
return NEW; return NEW;
@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
begin begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
hsBookingItemADMIN(NEW)); hsBookingItemADMIN(NEW));
-- end. -- end.
return NEW; return NEW;