add INSERT permission for partner to relation AGENT
This commit is contained in:
parent
1eed0e9b21
commit
5aec875680
@ -110,6 +110,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
|
|||||||
usingDefaultCase(),
|
usingDefaultCase(),
|
||||||
directlyFetchedByDependsOnColumn(),
|
directlyFetchedByDependsOnColumn(),
|
||||||
dependsOnColumn("partnerRelUuid"))
|
dependsOnColumn("partnerRelUuid"))
|
||||||
|
.toRole("partnerRel", AGENT).grantPermission(INSERT)
|
||||||
.createPermission(DELETE).grantedTo("partnerRel", OWNER)
|
.createPermission(DELETE).grantedTo("partnerRel", OWNER)
|
||||||
.createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
|
.createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
|
||||||
.createPermission(SELECT).grantedTo("partnerRel", TENANT)
|
.createPermission(SELECT).grantedTo("partnerRel", TENANT)
|
||||||
|
@ -105,10 +105,12 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
|||||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
||||||
|
role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:rbac.global:ADMIN ==> perm:partner:INSERT
|
role:rbac.global:ADMIN ==> perm:partner:INSERT
|
||||||
|
role:partnerRel:AGENT ==> perm:partner:INSERT
|
||||||
role:partnerRel:OWNER ==> perm:partner:DELETE
|
role:partnerRel:OWNER ==> perm:partner:DELETE
|
||||||
role:partnerRel:ADMIN ==> perm:partner:UPDATE
|
role:partnerRel:ADMIN ==> perm:partner:UPDATE
|
||||||
role:partnerRel:TENANT ==> perm:partner:SELECT
|
role:partnerRel:TENANT ==> perm:partner:SELECT
|
||||||
|
@ -42,6 +42,7 @@ begin
|
|||||||
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||||
|
|
||||||
|
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||||
@ -200,6 +201,49 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
|
|||||||
for each row
|
for each row
|
||||||
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
|
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
-- granting INSERT permission to hs_office_relation ----------------------------
|
||||||
|
|
||||||
|
/*
|
||||||
|
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
|
||||||
|
*/
|
||||||
|
do language plpgsql $$
|
||||||
|
declare
|
||||||
|
row hs_office_relation;
|
||||||
|
begin
|
||||||
|
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office_relation
|
||||||
|
-- unconditional for all rows in that table
|
||||||
|
LOOP
|
||||||
|
call rbac.grantPermissionToRole(
|
||||||
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
|
hsOfficeRelationAGENT(row));
|
||||||
|
END LOOP;
|
||||||
|
end;
|
||||||
|
$$;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
|
||||||
|
*/
|
||||||
|
create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
|
||||||
|
returns trigger
|
||||||
|
language plpgsql
|
||||||
|
strict as $$
|
||||||
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
|
call rbac.grantPermissionToRole(
|
||||||
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
|
hsOfficeRelationAGENT(NEW));
|
||||||
|
-- end.
|
||||||
|
return NEW;
|
||||||
|
end; $$;
|
||||||
|
|
||||||
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
|
create trigger z_new_hs_office_partner_grants_after_insert_tg
|
||||||
|
after insert on hs_office_relation
|
||||||
|
for each row
|
||||||
|
execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
--changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||||
@ -218,6 +262,10 @@ begin
|
|||||||
if rbac.isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.partnerRelUuid
|
||||||
|
if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
|
||||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||||
|
Loading…
Reference in New Issue
Block a user