From 670ba8e9c910b2256a6d9727337f7b941f332a51 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Mon, 25 Mar 2024 06:45:59 +0100
Subject: [PATCH] generate indirect permission by indirect foreign key depending on directlyFetchedByDependsOnColumn vs. fetchedBySql
---
 .../office/debitor/HsOfficeDebitorEntity.java | 22 ++++----------
 .../office/partner/HsOfficePartnerEntity.java | 6 ++--
 .../relation/HsOfficeRelationEntity.java | 8 ++---
 .../rbac/rbacdef/InsertTriggerGenerator.java | 10 ++-----
 .../hsadminng/rbac/rbacdef/RbacView.java | 10 +++++--
 .../hsadminng/test/dom/TestDomainEntity.java | 7 ++---
 .../hsadminng/test/pac/TestPackageEntity.java | 5 +---
 .../db/changelog/123-test-package-rbac.sql | 30 ++++++++++---------
 .../db/changelog/133-test-domain-rbac.sql | 22 +++++++++-----
 .../223-hs-office-relation-rbac-generated.sql | 20 ++++++-------
 .../233-hs-office-partner-rbac-generated.sql | 12 ++++----
 ...3-hs-office-sepamandate-rbac-generated.sql | 8 ++---
 .../273-hs-office-debitor-rbac-generated.sql | 15 ++-------
 13 files changed, 79 insertions(+), 96 deletions(-)
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java
index 3c9f0481..4fb08538 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java
@@ -22,7 +22,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnCo
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
 
@@ -135,32 +135,22 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable { .createPermission(INSERT).grantedTo("global", ADMIN) .importRootEntityAliasProxy("debitorRel", HsOfficeRelationEntity.class, - fetchedBySql(""" - SELECT * - FROM hs_office_relation AS r - WHERE r.type = 'DEBITOR' AND r.holderUuid = ${REF}.debitorRelUuid - """), + directlyFetchedByDependsOnColumn(), dependsOnColumn("debitorRelUuid")) .createPermission(DELETE).grantedTo("debitorRel", OWNER) .createPermission(UPDATE).grantedTo("debitorRel", ADMIN) .createPermission(SELECT).grantedTo("debitorRel", TENANT) .importEntityAlias("refundBankAccount", HsOfficeBankAccountEntity.class, - dependsOnColumn("refundBankAccountUuid"), fetchedBySql(""" - SELECT * - FROM hs_office_relation AS r - WHERE r.type = 'DEBITOR' AND r.holderUuid = ${REF}.debitorRelUuid - """), + dependsOnColumn("refundBankAccountUuid"), + directlyFetchedByDependsOnColumn(), NULLABLE) .toRole("refundBankAccount", ADMIN).grantRole("debitorRel", AGENT) .toRole("debitorRel", AGENT).grantRole("refundBankAccount", REFERRER) .importEntityAlias("partnerRel", HsOfficeRelationEntity.class, - dependsOnColumn("partnerRelUuid"), fetchedBySql(""" - SELECT * - FROM hs_office_relation AS partnerRel - WHERE ${debitorRel}.anchorUuid = partnerRel.holderUuid - """), + dependsOnColumn("partnerRelUuid"), + directlyFetchedByDependsOnColumn(), NULLABLE) .toRole("partnerRel", ADMIN).grantRole("debitorRel", ADMIN) .toRole("partnerRel", AGENT).grantRole("debitorRel", AGENT) diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java index 5aaa5318..b16dcc76 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java 
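Review bot: Replacing the hand-written fetch for `debitorRel` with `directlyFetchedByDependsOnColumn()` also drops its `r.type = 'DEBITOR'` restriction: the alias is now resolved purely by `debitorRelUuid`, so the DELETE/UPDATE/SELECT grants to `debitorRel` OWNER/ADMIN/TENANT attach to the roles of whatever relation that uuid names, regardless of its type. Unless a constraint elsewhere already pins the referenced relation's type (not visible here), that invariant should be re-established, e.g. an assertion on the fetched relation's type in the generated trigger, and a short comment on the alias stating where the type is enforced. The same applies to `partnerRel`, which was previously derived from the debitor relation's anchor and is now taken verbatim from `partnerRelUuid`, so the consistency between the two relations is no longer checked at fetch time. The rbacViewFor chain containing this hunk starts and ends outside it.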
@@ -22,7 +22,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnCo import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; -import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor; import static net.hostsharing.hsadminng.stringify.Stringify.stringify; @@ -93,14 +93,14 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid { .createPermission(INSERT).grantedTo("global", ADMIN) .importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class, - fetchedBySql("SELECT * FROM hs_office_relation AS r WHERE r.uuid = ${ref}.partnerRelUuid"), + directlyFetchedByDependsOnColumn(), dependsOnColumn("partnerRelUuid")) .createPermission(DELETE).grantedTo("partnerRel", ADMIN) .createPermission(UPDATE).grantedTo("partnerRel", AGENT) .createPermission(SELECT).grantedTo("partnerRel", TENANT) .importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class, - fetchedBySql("SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = ${ref}.detailsUuid"), + directlyFetchedByDependsOnColumn(), dependsOnColumn("detailsUuid")) .createPermission("partnerDetails", DELETE).grantedTo("partnerRel", ADMIN) .createPermission("partnerDetails", UPDATE).grantedTo("partnerRel", AGENT) diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java index 0452c0df..364368af 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java 
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationEntity.java
@@ -20,7 +20,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
 
@@ -91,15 +91,15 @@ public class HsOfficeRelationEntity implements HasUuid, Stringifyable {
 .withUpdatableColumns("contactUuid")
 .importEntityAlias("anchorPerson", HsOfficePersonEntity.class,
 dependsOnColumn("anchorUuid"),
- fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.anchorUuid"),
+ directlyFetchedByDependsOnColumn(),
 NULLABLE)
 .importEntityAlias("holderPerson", HsOfficePersonEntity.class,
 dependsOnColumn("holderUuid"),
- fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.holderUuid"),
+ directlyFetchedByDependsOnColumn(),
 NULLABLE)
 .importEntityAlias("contact", HsOfficeContactEntity.class,
 dependsOnColumn("contactUuid"),
- fetchedBySql("select * from hs_office_contact as c where c.uuid = ${REF}.contactUuid"),
+ directlyFetchedByDependsOnColumn(),
 NULLABLE)
 .createRole(OWNER, (with) -> {
 with.owningUser(CREATOR);
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
index e79f8acf..000988fa 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
@@ -115,14 +115,10 @@ public class InsertTriggerGenerator {
 }
 } else {
 final var superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
-
- // TODO: Maybe this should depend on the indirection degree of the fetchSql?
- // Maybe we need a separate fetchedBy method for all the simple, direct cases?
- if (superRoleEntityAlias.fetchSql().sql.contains("JOIN ")) {
- generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
- } else {
+ if (superRoleEntityAlias.fetchSql().part == RbacView.SQL.Part.AUTO_FETCH) {
 generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(plPgSql, g);
-
+ } else {
+ generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
 }
 }
 },
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
index ee1c9fdf..99acade9 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
@@ -34,7 +34,7 @@ import static java.util.Arrays.stream;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.autoFetched;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static org.apache.commons.lang3.StringUtils.uncapitalize;
 
 @Getter
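Review bot: `superRoleEntityAlias.fetchSql().part` is dereferenced without a null guard, and the same commit adds `hasFetchSql()` (`fetchSql != null`) to RbacView, which suggests an alias can lack a fetch SQL; a null here would surface as a NullPointerException deep in generation rather than a clear message (the removed `contains("JOIN ")` check had the same exposure). If the new predicate lives on the alias type, check it first, e.g. `if (!superRoleEntityAlias.hasFetchSql()) throw new IllegalStateException("no fetch SQL declared for alias " + superRoleEntityAlias);`, or document on this branch why null cannot occur at this point. Note also that every explicitly `fetchedBySql` alias now takes the indirect-foreign-key path even when its SQL is a plain lookup; a one-line comment such as `// explicit fetch SQL always means an indirect foreign key; plain lookups must use directlyFetchedByDependsOnColumn()` would answer the question the removed TODO raised. The enclosing lambda and method start and end outside the hunk.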
@@ -343,7 +343,7 @@ public class RbacView { public RbacView importEntityAlias( final String aliasName, final Class entityClass, final Column dependsOnColum) { - importEntityAliasImpl(aliasName, entityClass, autoFetched(), dependsOnColum, false, null); + importEntityAliasImpl(aliasName, entityClass, directlyFetchedByDependsOnColumn(), dependsOnColum, false, null); return this; } @@ -839,6 +839,10 @@ public class RbacView { }; } + public boolean hasFetchSql() { + return fetchSql != null; + } + private String withoutEntitySuffix(final String simpleEntityName) { return simpleEntityName.substring(0, simpleEntityName.length() - "Entity".length()); } @@ -924,7 +928,7 @@ public class RbacView { * * @return the wrapped SQL definition object */ - public static SQL autoFetched() { + public static SQL directlyFetchedByDependsOnColumn() { return new SQL(null, Part.AUTO_FETCH); } diff --git a/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java b/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java index 778c71ec..7db03c7e 100644 --- a/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java @@ -17,7 +17,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnCo import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; -import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor; @Entity 
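Review bot: The new `hasFetchSql()` has no Javadoc, unlike the neighbouring static factory that keeps its `@return` doc, and as a public predicate over a nullable field its contract matters to whoever decides between direct and indirect trigger generation. Suggest `/** @return whether a fetch SQL (explicit or auto) has been declared for this alias */` above it, and, if known, a sentence on what a missing fetch SQL means for callers. Whether `fetchSql` is an alias-level or view-level field is not visible in the hunk; the enclosing class continues outside it.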
@@ -50,10 +50,7 @@ public class TestDomainEntity implements HasUuid { .importEntityAlias("package", TestPackageEntity.class, dependsOnColumn("packageUuid"), - fetchedBySql(""" - SELECT * FROM test_package p - WHERE p.uuid= ${ref}.packageUuid - """), + directlyFetchedByDependsOnColumn(), NULLABLE) .toRole("package", ADMIN).grantPermission(INSERT) diff --git a/src/main/java/net/hostsharing/hsadminng/test/pac/TestPackageEntity.java b/src/main/java/net/hostsharing/hsadminng/test/pac/TestPackageEntity.java index 27546cf2..8f72fc4c 100644 --- a/src/main/java/net/hostsharing/hsadminng/test/pac/TestPackageEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/test/pac/TestPackageEntity.java @@ -51,10 +51,7 @@ public class TestPackageEntity implements HasUuid { .importEntityAlias("customer", TestCustomerEntity.class, dependsOnColumn("customerUuid"), - fetchedBySql(""" - SELECT * FROM test_customer c - WHERE c.uuid= ${ref}.customerUuid - """), + directlyFetchedByDependsOnColumn(), NOT_NULL) .toRole("customer", ADMIN).grantPermission(INSERT) diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql index 912430bb..dc4d042f 100644 --- a/src/main/resources/db/changelog/123-test-package-rbac.sql +++ b/src/main/resources/db/changelog/123-test-package-rbac.sql @@ -35,9 +35,7 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - SELECT * FROM test_customer c - WHERE c.uuid= NEW.customerUuid - INTO newCustomer; + SELECT * FROM test_customer WHERE uuid = NEW.customerUuid INTO newCustomer; assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid); 
@@ -103,14 +101,10 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - SELECT * FROM test_customer c - WHERE c.uuid= OLD.customerUuid - INTO oldCustomer; + SELECT * FROM test_customer WHERE uuid = OLD.customerUuid INTO oldCustomer; assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s', OLD.customerUuid); - SELECT * FROM test_customer c - WHERE c.uuid= NEW.customerUuid - INTO newCustomer; + SELECT * FROM test_customer WHERE uuid = NEW.customerUuid INTO newCustomer; assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid); @@ -195,22 +189,30 @@ execute procedure test_package_test_customer_insert_tf(); /** Checks if the user or assumed roles are allowed to insert a row to test_package, - where the check is performed by a direct role. + where the check is performed by an indirect role. - A direct role is a role depending on a foreign key directly available in the NEW row. + An indirect role is a role FIXME. */ create or replace function test_package_insert_permission_missing_tf() returns trigger language plpgsql as $$ begin - raise exception '[403] insert into test_package not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + if ( not hasInsertPermission( + ( SELECT customer.uuid FROM + + (SELECT * FROM test_customer WHERE uuid = NEW.customerUuid) AS customer + + ), 'INSERT', 'test_package') ) then + raise exception + '[403] insert into test_package not allowed for current subjects % (%)', + currentSubjects(), currentSubjectsUuids(); + end if; + return NEW; end; $$; create trigger test_package_insert_permission_check_tg before insert on test_package for each row - when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') ) execute procedure test_package_insert_permission_missing_tf(); --// 
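Review bot: The new guard `if ( not hasInsertPermission( (SELECT customer.uuid FROM (SELECT * FROM test_customer WHERE uuid = NEW.customerUuid) AS customer), 'INSERT', 'test_package') ) then` fails open when the subselect yields NULL (NULL `NEW.customerUuid`, or no matching row) and `hasInsertPermission` propagates that NULL, because plpgsql treats a NULL condition as false and the insert is then allowed; whether that function returns false or NULL for a NULL uuid is not visible here. Either write it as `if ( not coalesce(hasInsertPermission(...), false) ) then` or assert the resolved uuid is not null before the call, so an unresolvable reference is rejected rather than silently skipped. The doc comment still reads `An indirect role is a role FIXME.`; the generator template should state what it means (presumably a role of a row fetched via the NEW row's foreign key, rather than of the foreign key itself), and the same placeholder appears in the test_domain hunk of 133-test-domain-rbac.sql. The inner `SELECT *` is used only for its `uuid`, so `SELECT uuid FROM test_customer WHERE uuid = NEW.customerUuid` would express the same with less.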
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql index e20f21c4..3b41dcbf 100644 --- a/src/main/resources/db/changelog/133-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql @@ -35,9 +35,7 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - SELECT * FROM test_package p - WHERE p.uuid= NEW.packageUuid - INTO newPackage; + SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage; perform createRoleWithGrants( testDomainOwner(NEW), @@ -163,22 +161,30 @@ execute procedure test_domain_test_package_insert_tf(); /** Checks if the user or assumed roles are allowed to insert a row to test_domain, - where the check is performed by a direct role. + where the check is performed by an indirect role. - A direct role is a role depending on a foreign key directly available in the NEW row. + An indirect role is a role FIXME. */ create or replace function test_domain_insert_permission_missing_tf() returns trigger language plpgsql as $$ begin - raise exception '[403] insert into test_domain not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + if ( not hasInsertPermission( + ( SELECT package.uuid FROM + + (SELECT * FROM test_package WHERE uuid = NEW.packageUuid) AS package + + ), 'INSERT', 'test_domain') ) then + raise exception + '[403] insert into test_domain not allowed for current subjects % (%)', + currentSubjects(), currentSubjectsUuids(); + end if; + return NEW; end; $$; create trigger test_domain_insert_permission_check_tg before insert on test_domain for each row - when ( not hasInsertPermission(NEW.packageUuid, 'INSERT', 'test_domain') ) execute procedure test_domain_insert_permission_missing_tf(); --// diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql b/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql index 65645895..0b918ccc 100644 
--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql +++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql @@ -37,11 +37,11 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - select * from hs_office_person as p where p.uuid = NEW.holderUuid INTO newHolderPerson; + SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid INTO newHolderPerson; - select * from hs_office_person as p where p.uuid = NEW.anchorUuid INTO newAnchorPerson; + SELECT * FROM hs_office_person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson; - select * from hs_office_contact as c where c.uuid = NEW.contactUuid INTO newContact; + SELECT * FROM hs_office_contact WHERE uuid = NEW.contactUuid INTO newContact; perform createRoleWithGrants( hsOfficeRelationOwner(NEW), @@ -54,28 +54,28 @@ begin hsOfficeRelationAdmin(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[ - hsOfficePersonAdmin(newAnchorPerson), - hsOfficeRelationOwner(NEW)] + hsOfficeRelationOwner(NEW), + hsOfficePersonAdmin(newAnchorPerson)] ); perform createRoleWithGrants( hsOfficeRelationAgent(NEW), incomingSuperRoles => array[ - hsOfficePersonAdmin(newHolderPerson), - hsOfficeRelationAdmin(NEW)] + hsOfficeRelationAdmin(NEW), + hsOfficePersonAdmin(newHolderPerson)] ); perform createRoleWithGrants( hsOfficeRelationTenant(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ - hsOfficeContactAdmin(newContact), hsOfficeRelationAgent(NEW), + hsOfficeContactAdmin(newContact), hsOfficePersonAdmin(newHolderPerson)], outgoingSubRoles => array[ - hsOfficeContactReferrer(newContact), hsOfficePersonReferrer(newAnchorPerson), - hsOfficePersonReferrer(newHolderPerson)] + hsOfficePersonReferrer(newHolderPerson), + hsOfficeContactReferrer(newContact)] ); call leaveTriggerForObjectUuid(NEW.uuid); 
diff --git a/src/main/resources/db/changelog/233-hs-office-partner-rbac-generated.sql b/src/main/resources/db/changelog/233-hs-office-partner-rbac-generated.sql index 683a8892..1db004d0 100644 --- a/src/main/resources/db/changelog/233-hs-office-partner-rbac-generated.sql +++ b/src/main/resources/db/changelog/233-hs-office-partner-rbac-generated.sql @@ -36,10 +36,10 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - SELECT * FROM hs_office_relation AS r WHERE r.uuid = NEW.partnerRelUuid INTO newPartnerRel; + SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel; assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid); - SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = NEW.detailsUuid INTO newPartnerDetails; + SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid); call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel)); 
@@ -95,16 +95,16 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - SELECT * FROM hs_office_relation AS r WHERE r.uuid = OLD.partnerRelUuid INTO oldPartnerRel; + SELECT * FROM hs_office_relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel; assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s', OLD.partnerRelUuid); - SELECT * FROM hs_office_relation AS r WHERE r.uuid = NEW.partnerRelUuid INTO newPartnerRel; + SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel; assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid); - SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = OLD.detailsUuid INTO oldPartnerDetails; + SELECT * FROM hs_office_partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails; assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s', OLD.detailsUuid); - SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = NEW.detailsUuid INTO newPartnerDetails; + SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails; assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid); diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql index ac4e9fee..b1a3fbd0 100644 --- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql +++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql 
@@ -57,17 +57,17 @@ begin hsOfficeSepaMandateAgent(NEW), incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)], outgoingSubRoles => array[ - hsOfficeRelationAgent(newDebitorRel), - hsOfficeBankAccountReferrer(newBankAccount)] + hsOfficeBankAccountReferrer(newBankAccount), + hsOfficeRelationAgent(newDebitorRel)] ); perform createRoleWithGrants( hsOfficeSepaMandateReferrer(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ - hsOfficeSepaMandateAgent(NEW), + hsOfficeBankAccountAdmin(newBankAccount), hsOfficeRelationAgent(newDebitorRel), - hsOfficeBankAccountAdmin(newBankAccount)], + hsOfficeSepaMandateAgent(NEW)], outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)] ); diff --git a/src/main/resources/db/changelog/273-hs-office-debitor-rbac-generated.sql b/src/main/resources/db/changelog/273-hs-office-debitor-rbac-generated.sql index 7f6afc13..084bdf85 100644 --- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac-generated.sql +++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac-generated.sql 
@@ -37,21 +37,12 @@ declare begin call enterTriggerForObjectUuid(NEW.uuid); - SELECT * - FROM hs_office_relation AS partnerRel - WHERE ${debitorRel}.anchorUuid = partnerRel.holderUuid - INTO newPartnerRel; + SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel; - SELECT * - FROM hs_office_relation AS r - WHERE r.type = 'DEBITOR' AND r.holderUuid = NEW.debitorRelUuid - INTO newDebitorRel; + SELECT * FROM hs_office_relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel; assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid); - SELECT * - FROM hs_office_relation AS r - WHERE r.type = 'DEBITOR' AND r.holderUuid = NEW.debitorRelUuid - INTO newRefundBankAccount; + SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount; call grantRoleToRole(hsOfficeBankAccountReferrer(newRefundBankAccount), hsOfficeRelationAgent(newDebitorRel)); call grantRoleToRole(hsOfficeRelationAdmin(newDebitorRel), hsOfficeRelationAdmin(newPartnerRel));