From 6465a2457c50e296b7882347484512a259bbea07 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Sat, 14 Sep 2024 07:25:18 +0200
Subject: [PATCH] rbac.globalAdmin(), rbac.globalGuest()
---
 .../rbacdef/RolesGrantsAndPermissionsGenerator.java | 2 +-
 .../db/changelog/1-rbac/1080-rbac-global.sql | 12 ++++++------
 .../201-test-customer/2013-test-customer-rbac.sql | 6 +++---
 .../501-contact/5013-hs-office-contact-rbac.sql | 2 +-
 .../502-person/5023-hs-office-person-rbac.sql | 2 +-
 .../503-relation/5033-hs-office-relation-rbac.sql | 2 +-
 .../504-partner/5043-hs-office-partner-rbac.sql | 4 ++--
 .../5044-hs-office-partner-details-rbac.sql | 4 ++--
 .../5053-hs-office-bankaccount-rbac.sql | 2 +-
 .../506-debitor/5063-hs-office-debitor-rbac.sql | 4 ++--
 .../5073-hs-office-sepamandate-rbac.sql | 2 +-
 .../5103-hs-office-membership-rbac.sql | 4 ++--
 .../6203-hs-booking-project-rbac.sql | 2 +-
 .../630-booking-item/6203-hs-booking-item-rbac.sql | 6 +++---
 .../630-booking-item/6303-hs-booking-item-rbac.sql | 6 +++---
 .../701-hosting-asset/7013-hs-hosting-asset-rbac.sql | 2 +-
 16 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
index 727e5d62..069fa266 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
@@ -364,7 +364,7 @@ class RolesGrantsAndPermissionsGenerator {
 System.out.println("null");
 }
 if (roleDef.getEntityAlias().isGlobal()) {
- return "globalAdmin()";
+ return "rbac.globalAdmin()";
 }
 final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
 return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())
diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
index 8accfb53..9ffb4c52 100644
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
 returns boolean
 language plpgsql as $$
 begin
- return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
+ return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
 end; $$;
 --//
@@ -109,7 +109,7 @@ commit;
 /*
 A rbac.Global administrator role.
 */
-create or replace function globalAdmin(assumed boolean = true)
+create or replace function rbac.globalAdmin(assumed boolean = true)
 returns rbac.RoleDescriptor
 returns null on null input
 stable -- leakproof
@@ -119,7 +119,7 @@ $$;
 begin transaction;
 call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
- select rbac.createRole(globalAdmin());
+ select rbac.createRole(rbac.globalAdmin());
 commit;
 --//
@@ -130,7 +130,7 @@ commit;
 /*
 A rbac.Global guest role.
 */
-create or replace function globalGuest(assumed boolean = true)
+create or replace function rbac.globalglobalGuest(assumed boolean = true)
 returns rbac.RoleDescriptor
 returns null on null input
 stable -- leakproof
@@ -140,7 +140,7 @@ $$;
 begin transaction;
 call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
- select rbac.createRole(globalGuest());
+ select rbac.createRole(rbac.globalglobalGuest());
 commit;
 --//
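Review bot: In the new `return` line of rbac.isGlobalAdmin(), `isGranted(...)` is still unqualified while every other call on that line is now `rbac.`-prefixed; if isGranted lives in the rbac schema as well, qualify it here too, `return rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));`. This is the predicate behind global-admin authorization, so an unqualified call is resolved through search_path at run time, which is exactly what the schema-qualification in this commit is meant to avoid. The enclosing function definition begins above the hunk.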
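Review bot: The guest role factory is defined as `rbac.globalglobalGuest(assumed boolean = true)`, which looks like a slip for the `rbac.globalGuest()` named in the commit subject; the `select rbac.createRole(rbac.globalglobalGuest());` in the following hunk repeats the misspelling, so this file is self-consistent but any caller written as `rbac.globalGuest()` will not resolve. Rename both occurrences to `rbac.globalGuest`. Note also that `create or replace` under the new schema-qualified name does not remove a previously created unqualified `globalGuest()`/`globalAdmin()`; if this changelog has already been applied to a database, consider a `drop function if exists` for the old names so stale definitions cannot be picked up via search_path, and expect Liquibase checksum validation to flag the edited changesets.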
@@ -157,7 +157,7 @@ do language plpgsql $$
 begin
 call base.defineContext('creating fake test-realm admin users', null, null, null);
- admins = rbac.findRoleId(globalAdmin());
+ admins = rbac.findRoleId(rbac.globalAdmin());
 call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
 call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
 perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
index f6844048..03524d3a 100644
--- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql
@@ -37,7 +37,7 @@ begin
 perform rbac.defineRoleWithGrants(
 testCustomerOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
+ incomingSuperRoles => array[rbac.globalADMIN(rbac.unassumed())],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
@@ -96,7 +96,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -112,7 +112,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
index f7f76b06..316128dc 100644
--- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
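Review bot: `rbac.globalADMIN(rbac.unassumed())` spells the function differently from the `rbac.globalAdmin()` used two hunks further down in this same file and from the string the Java generator now emits; PostgreSQL folds unquoted identifiers, so both resolve to the same function, but a single spelling keeps grepping for callers of the global-admin role reliable. Prefer `incomingSuperRoles => array[rbac.globalAdmin(rbac.unassumed())],`. The same mixed casing is introduced in 7013-hs-hosting-asset-rbac.sql. The enclosing trigger function begins above the hunk.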
+++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
@@ -37,7 +37,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeContactOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN()],
+ incomingSuperRoles => array[rbac.globalAdmin()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
index d22a195f..16b624cb 100644
--- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
@@ -37,7 +37,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficePersonOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN()],
+ incomingSuperRoles => array[rbac.globalAdmin()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
index 52ee285e..ddc7c92e 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
@@ -50,7 +50,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeRelationOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN()],
+ incomingSuperRoles => array[rbac.globalAdmin()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
index 50a66a9a..81518c74 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
@@ -173,7 +173,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -189,7 +189,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
index b53a2e2f..44b25603 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
@@ -77,7 +77,7 @@ begin
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -93,7 +93,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
index 6fc3470b..5a11bc81 100644
--- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
@@ -37,7 +37,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeBankAccountOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN()],
+ incomingSuperRoles => array[rbac.globalAdmin()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
index a2ca4c80..5b7dcf8b 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
@@ -146,7 +146,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -162,7 +162,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
index c5f91a9c..afb90114 100644
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
@@ -50,7 +50,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeSepaMandateOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[globalADMIN()],
+ incomingSuperRoles => array[rbac.globalAdmin()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
index 2d42a51d..8730876a 100644
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@@ -108,7 +108,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -124,7 +124,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
index c4cd9175..62686ce4 100644
--- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
@@ -70,7 +70,7 @@ begin
 outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
 );
- call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
index 0ae4bcfa..fa3ed829 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
@@ -69,7 +69,7 @@ begin
- call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -114,7 +114,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -130,7 +130,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
index 0ae4bcfa..fa3ed829 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
@@ -69,7 +69,7 @@ begin
- call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
+ call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
 call rbac.leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -114,7 +114,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
- globalADMIN());
+ rbac.globalAdmin());
 END LOOP;
 end; $$;
@@ -130,7 +130,7 @@ begin
 -- unconditional for all rows in that table
 call grantPermissionToRole(
 rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
- globalADMIN());
+ rbac.globalAdmin());
 -- end.
 return NEW;
 end; $$;
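Review bot: This file is byte-identical to `630-booking-item/6203-hs-booking-item-rbac.sql` in the same directory — both show blob ids `0ae4bcfa..fa3ed829` and receive the same three hunks — so one of the two appears to be a stale copy that was never removed. Whichever file is not referenced from the Liquibase master changelog is dead code that will keep drifting with every rename like this one; if both are referenced, the same trigger functions and INSERT-permission grants for hs_booking_item are defined twice. Decide which file is canonical and delete the other instead of patching both. The trigger functions edited here begin above their hunks.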
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
index a699bdc1..6d37d828 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
@@ -50,7 +50,7 @@ begin
 hsHostingAssetOWNER(NEW),
 permissions => array['DELETE'],
 incomingSuperRoles => array[
- globalADMIN(rbac.unassumed()),
+ rbac.globalADMIN(rbac.unassumed()),
 hsBookingItemADMIN(newBookingItem),
 hsHostingAssetADMIN(newParentAsset)],
 subjectUuids => array[rbac.currentSubjectUuid()]