add INSERT permission for partner to relation AGENT

2024-09-17 14:16:04 +02:00 · 2024-09-17 14:16:04 +02:00 · 5aec875680
commit 5aec875680
parent 1eed0e9b21
3 changed files with 51 additions and 0 deletions
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
@ -110,6 +110,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
                        usingDefaultCase(),
                        directlyFetchedByDependsOnColumn(),
                        dependsOnColumn("partnerRelUuid"))
+                .toRole("partnerRel", AGENT).grantPermission(INSERT)
                .createPermission(DELETE).grantedTo("partnerRel", OWNER)
                .createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
                .createPermission(SELECT).grantedTo("partnerRel", TENANT)
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md
@ -105,10 +105,12 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT

 %% granting permissions to roles
 role:rbac.global:ADMIN ==> perm:partner:INSERT
+role:partnerRel:AGENT ==> perm:partner:INSERT
 role:partnerRel:OWNER ==> perm:partner:DELETE
 role:partnerRel:ADMIN ==> perm:partner:UPDATE
 role:partnerRel:TENANT ==> perm:partner:SELECT
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
@ -42,6 +42,7 @@ begin
    SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
    assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);

+
    call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
    call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
    call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
@ -200,6 +201,49 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
    for each row
 execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();

+-- granting INSERT permission to hs_office_relation ----------------------------
+
+/*
+    Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
+ */
+do language plpgsql $$
+    declare
+        row hs_office_relation;
+    begin
+        call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
+
+        FOR row IN SELECT * FROM hs_office_relation
+            -- unconditional for all rows in that table
+            LOOP
+                call rbac.grantPermissionToRole(
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
+                        hsOfficeRelationAGENT(row));
+            END LOOP;
+    end;
+$$;
+
+/**
+    Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
+*/
+create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    -- unconditional for all rows in that table
+        call rbac.grantPermissionToRole(
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
+            hsOfficeRelationAGENT(NEW));
+    -- end.
+    return NEW;
+end; $$;
+
+-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
+create trigger z_new_hs_office_partner_grants_after_insert_tg
+    after insert on hs_office_relation
+    for each row
+execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
+

 -- ============================================================================
 --changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
@ -218,6 +262,10 @@ begin
    if rbac.isGlobalAdmin() then
        return NEW;
    end if;
+    -- check INSERT permission via direct foreign key: NEW.partnerRelUuid
+    if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
+        return NEW;
+    end if;

    raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
            NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();