From 55c498350926bd904391602071a582f40efdb3f9 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Fri, 13 Sep 2024 17:38:27 +0200
Subject: [PATCH] rbac schema in 1057-rbac-role-builder.sql und 1058-rbac-generators.sql
---
.../rbac/rbacdef/RbacIdentityViewGenerator.java | 4 ++--
.../rbac/rbacdef/RbacObjectGenerator.java | 2 +-
.../rbacdef/RbacRestrictedViewGenerator.java | 2 +-
.../rbacdef/RbacRoleDescriptorsGenerator.java | 2 +-
.../RolesGrantsAndPermissionsGenerator.java | 2 +-
.../changelog/1-rbac/1057-rbac-role-builder.sql | 5 ++---
.../db/changelog/1-rbac/1058-rbac-generators.sql | 12 ++++++------
.../2013-test-customer-rbac.sql | 14 +++++++-------
.../202-test-package/2023-test-package-rbac.sql | 14 +++++++-------
.../203-test-domain/2033-test-domain-rbac.sql | 12 ++++++------
.../501-contact/5013-hs-office-contact-rbac.sql | 14 +++++++-------
.../502-person/5023-hs-office-person-rbac.sql | 14 +++++++-------
.../5033-hs-office-relation-rbac.sql | 16 ++++++++--------
.../504-partner/5043-hs-office-partner-rbac.sql | 8 ++++----
.../5044-hs-office-partner-details-rbac.sql | 8 ++++----
.../5053-hs-office-bankaccount-rbac.sql | 14 +++++++-------
.../506-debitor/5063-hs-office-debitor-rbac.sql | 8 ++++----
.../5073-hs-office-sepamandate-rbac.sql | 16 ++++++++--------
.../5103-hs-office-membership-rbac.sql | 14 +++++++-------
.../5113-hs-office-coopshares-rbac.sql | 8 ++++----
.../5123-hs-office-coopassets-rbac.sql | 8 ++++----
.../6203-hs-booking-project-rbac.sql | 16 ++++++++--------
.../6203-hs-booking-item-rbac.sql | 16 ++++++++--------
.../6303-hs-booking-item-rbac.sql | 16 ++++++++--------
.../7013-hs-hosting-asset-rbac.sql | 16 ++++++++--------
25 files changed, 130 insertions(+), 131 deletions(-)
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java
index 50b404eb..f7c4d20d 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacIdentityViewGenerator.java @@ -26,13 +26,13 @@ public class RbacIdentityViewGenerator { plPgSql.writeLn( switch (rbacDef.getIdentityViewSqlQuery().part) { case SQL_PROJECTION -> """ - call generateRbacIdentityViewFromProjection('${rawTableName}', + call rbac.generateRbacIdentityViewFromProjection('${rawTableName}', $idName$ ${identityViewSqlPart} $idName$); """; case SQL_QUERY -> """ - call generateRbacIdentityViewFromQuery('${rawTableName}', + call rbac.generateRbacIdentityViewFromQuery('${rawTableName}', $idName$ ${identityViewSqlPart} $idName$); diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java index a7377301..45c5cfbe 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacObjectGenerator.java @@ -17,7 +17,7 @@ public class RbacObjectGenerator { -- ============================================================================ --changeset ${liquibaseTagPrefix}-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- - call generateRelatedRbacObject('${rawTableName}'); + call rbac.generateRelatedRbacObject('${rawTableName}'); --// """, diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java index b5757865..b66c8e19 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRestrictedViewGenerator.java 
@@ -21,7 +21,7 @@ public class RbacRestrictedViewGenerator { -- ============================================================================ --changeset ${liquibaseTagPrefix}-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- - call generateRbacRestrictedView('${rawTableName}', + call rbac.generateRbacRestrictedView('${rawTableName}', $orderBy$ ${orderBy} $orderBy$, diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java index dab3ab01..894a5e6e 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacRoleDescriptorsGenerator.java @@ -19,7 +19,7 @@ public class RbacRoleDescriptorsGenerator { -- ============================================================================ --changeset ${liquibaseTagPrefix}-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- - call generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}'); + call rbac.generateRbacRoleDescriptors('${simpleEntityVarName}', '${rawTableName}'); --// """, diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java index a664c66b..d28f3193 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java 
@@ -389,7 +389,7 @@ class RolesGrantsAndPermissionsGenerator { } plPgSql.writeLn(); - plPgSql.writeLn("perform createRoleWithGrants("); + plPgSql.writeLn("perform rbac.defineRoleWithGrants("); plPgSql.indented(() -> { plPgSql.writeLn("${simpleVarName)${roleSuffix}(NEW)," .replace("${simpleVarName)", simpleEntityVarName) diff --git a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql index d56dddeb..84ab8cf7 100644 --- a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql +++ b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql @@ -3,11 +3,10 @@ -- ================================================================= -- CREATE ROLE ---changeset rbac-role-builder-create-role:1 endDelimiter:--// +--changeset rbac-role-builder-define-role:1 endDelimiter:--// -- ----------------------------------------------------------------- --- TODO: rename to defineRoleWithGrants because it does not complain if the role already exists -create or replace function createRoleWithGrants( +create or replace function rbac.defineRoleWithGrants( roleDescriptor RbacRoleDescriptor, permissions RbacOp[] = array[]::RbacOp[], incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql index a1fd2e52..6062539f 100644 --- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql +++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql @@ -5,7 +5,7 @@ --changeset rbac-generators-RELATED-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace procedure generateRelatedRbacObject(targetTable varchar) +create or replace procedure rbac.generateRelatedRbacObject(targetTable varchar) language plpgsql as $$ declare createInsertTriggerSQL text; 
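Review bot: Renaming the changeset header in `1057-rbac-role-builder.sql` from `rbac-role-builder-create-role:1` to `rbac-role-builder-define-role:1` gives Liquibase a changeset it has not seen before, so on any database that already applied the old one it runs as new and creates `rbac.defineRoleWithGrants` while the original unqualified `createRoleWithGrants` stays in place. That leftover presumably can still create roles and grants and is no longer maintained with the rest of the RBAC code; if such databases exist, add a changeset that drops the old function (its full signature lies partly outside this hunk). The `1058-rbac-generators.sql` and `*-rbac.sql` changesets in this patch keep their headers while their bodies change, which would trip Liquibase's checksum validation on the same databases unless that is handled. If every environment is rebuilt from scratch, a short comment saying so would settle both points.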
@@ -35,7 +35,7 @@ end; $$; --changeset rbac-generators-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create procedure generateRbacRoleDescriptors(prefix text, targetTable text) +create procedure rbac.generateRbacRoleDescriptors(prefix text, targetTable text) language plpgsql as $$ declare sql text; @@ -100,7 +100,7 @@ end; $$; --changeset rbac-generators-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace procedure generateRbacIdentityViewFromQuery(targetTable text, sqlQuery text) +create or replace procedure rbac.generateRbacIdentityViewFromQuery(targetTable text, sqlQuery text) language plpgsql as $$ declare sql text; @@ -140,7 +140,7 @@ begin execute sql; end; $$; -create or replace procedure generateRbacIdentityViewFromProjection(targetTable text, sqlProjection text) +create or replace procedure rbac.generateRbacIdentityViewFromProjection(targetTable text, sqlProjection text) language plpgsql as $$ declare sqlQuery text; @@ -151,7 +151,7 @@ begin select target.uuid, cleanIdentifier(%2$s) as idName from %1$s as target; $sql$, targetTable, sqlProjection); - call generateRbacIdentityViewFromQuery(targetTable, sqlQuery); + call rbac.generateRbacIdentityViewFromQuery(targetTable, sqlQuery); end; $$; --// @@ -160,7 +160,7 @@ end; $$; --changeset rbac-generators-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace procedure generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null, columnNames text = '*') +create or replace procedure rbac.generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null, columnNames text = '*') language plpgsql as $$ declare sql text; 
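Review bot: In `rbac.generateRbacIdentityViewFromProjection` the `targetTable` argument reaches the generated query through `%1$s`, so it is spliced in as raw SQL text rather than as an identifier, and the result is passed to `rbac.generateRbacIdentityViewFromQuery`, which appears to run it with `execute sql`. `sqlProjection` is raw SQL by design, but the table name need not be: formatting `targetTable::regclass` instead of the bare text would reject anything that is not an existing relation. Because PostgreSQL grants EXECUTE on new routines to PUBLIC by default and no revoke is visible in these hunks, it is also worth confirming that only the migration role can call the generators now that they are addressable as `rbac.*`. The procedure bodies begin and end outside the hunks.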
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql index a50ee080..6117c1e6 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset test-customer-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('test_customer'); +call rbac.generateRelatedRbacObject('test_customer'); --// -- ============================================================================ --changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('testCustomer', 'test_customer'); +call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer'); --// @@ -34,20 +34,20 @@ declare begin call rbac.enterTriggerForObjectUuid(NEW.uuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testCustomerOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN(unassumed())], subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testCustomerADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[testCustomerOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testCustomerTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[testCustomerADMIN(NEW)] 
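Review bot: Inside this trigger function only the role-builder call is schema-qualified; the helpers passed to it, `testCustomerOWNER(NEW)`, `testCustomerADMIN(NEW)`, `testCustomerTENANT(NEW)` and `globalADMIN(unassumed())`, are still looked up through the session `search_path` at execution time. In code that creates roles and grants, a name resolved that way can bind to a same-named function in a schema earlier on the path, so either qualify these calls as well or pin the path on the function with a `set search_path` clause. The same mixed pattern appears in the trigger hunks of the other `*-rbac.sql` files in this patch. The function's declaration and end are outside the hunk, so an existing `set search_path` there cannot be ruled out.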
@@ -157,7 +157,7 @@ create trigger test_customer_insert_permission_check_tg --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('test_customer', +call rbac.generateRbacIdentityViewFromProjection('test_customer', $idName$ prefix $idName$); @@ -167,7 +167,7 @@ call generateRbacIdentityViewFromProjection('test_customer', -- ============================================================================ --changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('test_customer', +call rbac.generateRbacRestrictedView('test_customer', $orderBy$ reference $orderBy$, diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql index 5232c35f..ef795245 100644 --- a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql +++ b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset test-package-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('test_package'); +call rbac.generateRelatedRbacObject('test_package'); --// -- ============================================================================ --changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('testPackage', 'test_package'); +call rbac.generateRbacRoleDescriptors('testPackage', 'test_package'); --// 
@@ -39,18 +39,18 @@ begin assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testPackageOWNER(NEW), permissions => array['DELETE', 'UPDATE'], incomingSuperRoles => array[testCustomerADMIN(newCustomer)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testPackageADMIN(NEW), incomingSuperRoles => array[testPackageOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testPackageTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[testPackageADMIN(NEW)], @@ -222,7 +222,7 @@ create trigger test_package_insert_permission_check_tg --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('test_package', +call rbac.generateRbacIdentityViewFromProjection('test_package', $idName$ name $idName$); @@ -232,7 +232,7 @@ call generateRbacIdentityViewFromProjection('test_package', -- ============================================================================ --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('test_package', +call rbac.generateRbacRestrictedView('test_package', $orderBy$ name $orderBy$, diff --git a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql index 4c5311be..f14cefb2 100644 --- a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.sql 
@@ -5,14 +5,14 @@ -- ============================================================================ --changeset test-domain-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('test_domain'); +call rbac.generateRelatedRbacObject('test_domain'); --// -- ============================================================================ --changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('testDomain', 'test_domain'); +call rbac.generateRbacRoleDescriptors('testDomain', 'test_domain'); --// @@ -39,14 +39,14 @@ begin assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testDomainOWNER(NEW), permissions => array['DELETE', 'UPDATE'], incomingSuperRoles => array[testPackageADMIN(newPackage)], outgoingSubRoles => array[testPackageTENANT(newPackage)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( testDomainADMIN(NEW), permissions => array['SELECT'], incomingSuperRoles => array[testDomainOWNER(NEW)], @@ -221,7 +221,7 @@ create trigger test_domain_insert_permission_check_tg --changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('test_domain', +call rbac.generateRbacIdentityViewFromProjection('test_domain', $idName$ name $idName$); 
@@ -231,7 +231,7 @@ call generateRbacIdentityViewFromProjection('test_domain', -- ============================================================================ --changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('test_domain', +call rbac.generateRbacRestrictedView('test_domain', $orderBy$ name $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql index 713cb3e5..f7f76b06 100644 --- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_contact'); +call rbac.generateRelatedRbacObject('hs_office_contact'); --// -- ============================================================================ --changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact'); +call rbac.generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact'); --// 
@@ -34,20 +34,20 @@ declare begin call rbac.enterTriggerForObjectUuid(NEW.uuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeContactOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeContactADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsOfficeContactOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeContactREFERRER(NEW), permissions => array['SELECT'], incomingSuperRoles => array[hsOfficeContactADMIN(NEW)] @@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficeContact_tf(); --changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_contact', +call rbac.generateRbacIdentityViewFromProjection('hs_office_contact', $idName$ caption $idName$); @@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_contact', -- ============================================================================ --changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_contact', +call rbac.generateRbacRestrictedView('hs_office_contact', $orderBy$ caption $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql index ed05b81c..d22a195f 100644 --- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql 
@@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_person'); +call rbac.generateRelatedRbacObject('hs_office_person'); --// -- ============================================================================ --changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person'); +call rbac.generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person'); --// @@ -34,20 +34,20 @@ declare begin call rbac.enterTriggerForObjectUuid(NEW.uuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficePersonOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficePersonADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsOfficePersonOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficePersonREFERRER(NEW), permissions => array['SELECT'], incomingSuperRoles => array[hsOfficePersonADMIN(NEW)] @@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficePerson_tf(); --changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_person', +call rbac.generateRbacIdentityViewFromProjection('hs_office_person', $idName$ concat(tradeName, familyName, givenName) $idName$); 
@@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_person', -- ============================================================================ --changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_person', +call rbac.generateRbacRestrictedView('hs_office_person', $orderBy$ concat(tradeName, familyName, givenName) $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql index c226044a..4bc8e89d 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-relation-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_relation'); +call rbac.generateRelatedRbacObject('hs_office_relation'); --// -- ============================================================================ --changeset hs-office-relation-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation'); +call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation'); --// 
@@ -47,25 +47,25 @@ begin assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeRelationOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeRelationADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsOfficeRelationOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeRelationAGENT(NEW), incomingSuperRoles => array[hsOfficeRelationADMIN(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeRelationTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ @@ -231,7 +231,7 @@ create trigger hs_office_relation_insert_permission_check_tg --changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_relation', +call rbac.generateRbacIdentityViewFromProjection('hs_office_relation', $idName$ (select idName from hs_office_person_iv p where p.uuid = anchorUuid) || '-with-' || target.type || '-' @@ -243,7 +243,7 @@ call generateRbacIdentityViewFromProjection('hs_office_relation', -- ============================================================================ --changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_relation', +call rbac.generateRbacRestrictedView('hs_office_relation', $orderBy$ (select idName from hs_office_person_iv p where p.uuid = target.holderUuid) $orderBy$, 
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index f7ab04c6..debae10b 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_partner'); +call rbac.generateRelatedRbacObject('hs_office_partner'); --// -- ============================================================================ --changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner'); +call rbac.generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner'); --// @@ -234,7 +234,7 @@ create trigger hs_office_partner_insert_permission_check_tg --changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_partner', +call rbac.generateRbacIdentityViewFromProjection('hs_office_partner', $idName$ 'P-' || partnerNumber $idName$); 
@@ -244,7 +244,7 @@ call generateRbacIdentityViewFromProjection('hs_office_partner', -- ============================================================================ --changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_partner', +call rbac.generateRbacRestrictedView('hs_office_partner', $orderBy$ 'P-' || partnerNumber $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql index dc273e56..93d6de7f 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-partner-details-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_partner_details'); +call rbac.generateRelatedRbacObject('hs_office_partner_details'); --// -- ============================================================================ --changeset hs-office-partner-details-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details'); +call rbac.generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details'); --// 
@@ -138,7 +138,7 @@ create trigger hs_office_partner_details_insert_permission_check_tg --changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromQuery('hs_office_partner_details', +call rbac.generateRbacIdentityViewFromQuery('hs_office_partner_details', $idName$ SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName FROM hs_office_partner_details AS partnerDetails @@ -151,7 +151,7 @@ call generateRbacIdentityViewFromQuery('hs_office_partner_details', -- ============================================================================ --changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_partner_details', +call rbac.generateRbacRestrictedView('hs_office_partner_details', $orderBy$ uuid $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql index e42c81f6..6fc3470b 100644 --- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql 
@@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-bankaccount-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_bankaccount'); +call rbac.generateRelatedRbacObject('hs_office_bankaccount'); --// -- ============================================================================ --changeset hs-office-bankaccount-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount'); +call rbac.generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount'); --// @@ -34,20 +34,20 @@ declare begin call rbac.enterTriggerForObjectUuid(NEW.uuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeBankAccountOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeBankAccountADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsOfficeBankAccountOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeBankAccountREFERRER(NEW), permissions => array['SELECT'], incomingSuperRoles => array[hsOfficeBankAccountADMIN(NEW)] @@ -80,7 +80,7 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf(); --changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_bankaccount', +call rbac.generateRbacIdentityViewFromProjection('hs_office_bankaccount', $idName$ iban $idName$); 
@@ -90,7 +90,7 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount', -- ============================================================================ --changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_bankaccount', +call rbac.generateRbacRestrictedView('hs_office_bankaccount', $orderBy$ iban $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql index c08f6cc4..d53a08ef 100644 --- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-debitor-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_debitor'); +call rbac.generateRelatedRbacObject('hs_office_debitor'); --// -- ============================================================================ --changeset hs-office-debitor-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor'); +call rbac.generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor'); --// 
@@ -207,7 +207,7 @@ create trigger hs_office_debitor_insert_permission_check_tg --changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromQuery('hs_office_debitor', +call rbac.generateRbacIdentityViewFromQuery('hs_office_debitor', $idName$ SELECT debitor.uuid AS uuid, 'D-' || (SELECT partner.partnerNumber @@ -226,7 +226,7 @@ call generateRbacIdentityViewFromQuery('hs_office_debitor', -- ============================================================================ --changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_debitor', +call rbac.generateRbacRestrictedView('hs_office_debitor', $orderBy$ defaultPrefix $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql index 93efcc63..bdb97bbc 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql 
@@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-sepamandate-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_sepamandate'); +call rbac.generateRelatedRbacObject('hs_office_sepamandate'); --// -- ============================================================================ --changeset hs-office-sepamandate-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate'); +call rbac.generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate'); --// @@ -47,20 +47,20 @@ begin assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeSepaMandateOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeSepaMandateADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsOfficeSepaMandateOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeSepaMandateAGENT(NEW), incomingSuperRoles => array[hsOfficeSepaMandateADMIN(NEW)], outgoingSubRoles => array[ @@ -68,7 +68,7 @@ begin hsOfficeRelationAGENT(newDebitorRel)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeSepaMandateREFERRER(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ 
@@ -188,7 +188,7 @@ create trigger hs_office_sepamandate_insert_permission_check_tg --changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromQuery('hs_office_sepamandate', +call rbac.generateRbacIdentityViewFromQuery('hs_office_sepamandate', $idName$ select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName from hs_office_sepamandate sm @@ -200,7 +200,7 @@ call generateRbacIdentityViewFromQuery('hs_office_sepamandate', -- ============================================================================ --changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_sepamandate', +call rbac.generateRbacRestrictedView('hs_office_sepamandate', $orderBy$ validity $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql index 8d5744e2..d60f8eef 100644 --- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql 
@@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-membership-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_membership'); +call rbac.generateRelatedRbacObject('hs_office_membership'); --// -- ============================================================================ --changeset hs-office-membership-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership'); +call rbac.generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership'); --// @@ -43,12 +43,12 @@ begin assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeMembershipOWNER(NEW), subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeMembershipADMIN(NEW), permissions => array['DELETE', 'UPDATE'], incomingSuperRoles => array[ @@ -56,7 +56,7 @@ begin hsOfficeRelationADMIN(newPartnerRel)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsOfficeMembershipAGENT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ @@ -169,7 +169,7 @@ create trigger hs_office_membership_insert_permission_check_tg --changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromQuery('hs_office_membership', +call rbac.generateRbacIdentityViewFromQuery('hs_office_membership', $idName$ SELECT m.uuid AS uuid, 'M-' || p.partnerNumber || m.memberNumberSuffix as idName 
@@ -182,7 +182,7 @@ call generateRbacIdentityViewFromQuery('hs_office_membership', -- ============================================================================ --changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_membership', +call rbac.generateRbacRestrictedView('hs_office_membership', $orderBy$ validity $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql index b7692428..c265e78b 100644 --- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_coopsharestransaction'); +call rbac.generateRelatedRbacObject('hs_office_coopsharestransaction'); --// -- ============================================================================ --changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction'); +call rbac.generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction'); --// 
@@ -145,7 +145,7 @@ create trigger hs_office_coopsharestransaction_insert_permission_check_tg --changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction', +call rbac.generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction', $idName$ reference $idName$); @@ -155,7 +155,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction', -- ============================================================================ --changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_coopsharestransaction', +call rbac.generateRbacRestrictedView('hs_office_coopsharestransaction', $orderBy$ reference $orderBy$, diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql index 15af871b..549207bc 100644 --- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql 
@@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_office_coopassetstransaction'); +call rbac.generateRelatedRbacObject('hs_office_coopassetstransaction'); --// -- ============================================================================ --changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction'); +call rbac.generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction'); --// @@ -145,7 +145,7 @@ create trigger hs_office_coopassetstransaction_insert_permission_check_tg --changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction', +call rbac.generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction', $idName$ reference $idName$); @@ -155,7 +155,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction', -- ============================================================================ --changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_office_coopassetstransaction', +call rbac.generateRbacRestrictedView('hs_office_coopassetstransaction', $orderBy$ reference $orderBy$, 
diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql index 9aca37a1..8e49475f 100644 --- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-booking-project-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_booking_project'); +call rbac.generateRelatedRbacObject('hs_booking_project'); --// -- ============================================================================ --changeset hs-booking-project-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsBookingProject', 'hs_booking_project'); +call rbac.generateRbacRoleDescriptors('hsBookingProject', 'hs_booking_project'); --// 
@@ -47,23 +47,23 @@ begin assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingProjectOWNER(NEW), incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingProjectADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsBookingProjectOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingProjectAGENT(NEW), incomingSuperRoles => array[hsBookingProjectADMIN(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingProjectTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[hsBookingProjectAGENT(NEW)], @@ -182,7 +182,7 @@ create trigger hs_booking_project_insert_permission_check_tg --changeset hs-booking-project-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromQuery('hs_booking_project', +call rbac.generateRbacIdentityViewFromQuery('hs_booking_project', $idName$ SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName FROM hs_booking_project bookingProject @@ -194,7 +194,7 @@ call generateRbacIdentityViewFromQuery('hs_booking_project', -- ============================================================================ --changeset hs-booking-project-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_booking_project', +call rbac.generateRbacRestrictedView('hs_booking_project', $orderBy$ caption $orderBy$, 
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql index fee1d62a..bc47690a 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_booking_item'); +call rbac.generateRelatedRbacObject('hs_booking_item'); --// -- ============================================================================ --changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item'); +call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item'); --// @@ -40,25 +40,25 @@ begin SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem; - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemOWNER(NEW), incomingSuperRoles => array[ hsBookingItemAGENT(newParentItem), hsBookingProjectAGENT(newProject)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsBookingItemOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemAGENT(NEW), incomingSuperRoles => array[hsBookingItemADMIN(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[hsBookingItemAGENT(NEW)], 
@@ -253,7 +253,7 @@ create trigger hs_booking_item_insert_permission_check_tg --changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_booking_item', +call rbac.generateRbacIdentityViewFromProjection('hs_booking_item', $idName$ caption $idName$); @@ -263,7 +263,7 @@ call generateRbacIdentityViewFromProjection('hs_booking_item', -- ============================================================================ --changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_booking_item', +call rbac.generateRbacRestrictedView('hs_booking_item', $orderBy$ validity $orderBy$, diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql index fee1d62a..bc47690a 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-booking-item-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_booking_item'); +call rbac.generateRelatedRbacObject('hs_booking_item'); --// -- ============================================================================ --changeset hs-booking-item-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item'); +call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item'); --// 
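Review bot: `6303-hs-booking-item-rbac.sql` gets exactly the same hunks as `6203-hs-booking-item-rbac.sql` in the same `630-booking-item` directory, and both diff headers show the same blob ids (`fee1d62a..bc47690a`), so the two files are identical copies declaring the same changesets, starting with `hs-booking-item-rbac-OBJECT:1` in the `@@ -5,14 +5,14 @@` hunk. Liquibase identifies a changeset by its file path as well as its id, so if both files are included, `call rbac.generateRelatedRbacObject('hs_booking_item')` and the role definitions would run twice. If only one is included, the other is dead code that can silently drift from the live RBAC rules. I would delete the copy the master changelog does not reference instead of patching both; the include list is not visible here.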
@@ -40,25 +40,25 @@ begin SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem; - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemOWNER(NEW), incomingSuperRoles => array[ hsBookingItemAGENT(newParentItem), hsBookingProjectAGENT(newProject)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hsBookingItemOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemAGENT(NEW), incomingSuperRoles => array[hsBookingItemADMIN(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsBookingItemTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[hsBookingItemAGENT(NEW)], @@ -253,7 +253,7 @@ create trigger hs_booking_item_insert_permission_check_tg --changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_booking_item', +call rbac.generateRbacIdentityViewFromProjection('hs_booking_item', $idName$ caption $idName$); @@ -263,7 +263,7 @@ call generateRbacIdentityViewFromProjection('hs_booking_item', -- ============================================================================ --changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_booking_item', +call rbac.generateRbacRestrictedView('hs_booking_item', $orderBy$ validity $orderBy$, diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql index 7cc413fb..93135e0c 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql 
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql @@ -5,14 +5,14 @@ -- ============================================================================ --changeset hs-hosting-asset-rbac-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRelatedRbacObject('hs_hosting_asset'); +call rbac.generateRelatedRbacObject('hs_hosting_asset'); --// -- ============================================================================ --changeset hs-hosting-asset-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset'); +call rbac.generateRbacRoleDescriptors('hsHostingAsset', 'hs_hosting_asset'); --// @@ -46,7 +46,7 @@ begin SELECT * FROM hs_hosting_asset WHERE uuid = NEW.parentAssetUuid INTO newParentAsset; - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsHostingAssetOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[ @@ -56,7 +56,7 @@ begin subjectUuids => array[rbac.currentSubjectUuid()] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsHostingAssetADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[ @@ -65,7 +65,7 @@ begin hsHostingAssetOWNER(NEW)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsHostingAssetAGENT(NEW), incomingSuperRoles => array[ hsHostingAssetADMIN(NEW), @@ -75,7 +75,7 @@ begin hsOfficeContactREFERRER(newAlarmContact)] ); - perform createRoleWithGrants( + perform rbac.defineRoleWithGrants( hsHostingAssetTENANT(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ 
@@ -158,7 +158,7 @@ execute procedure updateTriggerForHsHostingAsset_tf(); --changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacIdentityViewFromProjection('hs_hosting_asset', +call rbac.generateRbacIdentityViewFromProjection('hs_hosting_asset', $idName$ identifier $idName$); @@ -168,7 +168,7 @@ call generateRbacIdentityViewFromProjection('hs_hosting_asset', -- ============================================================================ --changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -call generateRbacRestrictedView('hs_hosting_asset', +call rbac.generateRbacRestrictedView('hs_hosting_asset', $orderBy$ identifier $orderBy$,