new handcoded baseline for multiple insert permission grants
This commit is contained in:
parent
4dafa031a0
commit
69b6baaeb3
@ -98,17 +98,19 @@ execute procedure insertTriggerForHsBookingItem_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-booking-item-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-booking-item-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to hs_office_relation ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_booking_item permissions for the related hs_office_relation rows.
|
Grants INSERT INTO hs_booking_item permissions to specified role of pre-existing hs_office_relation rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row hs_office_relation;
|
row hs_office_relation;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_booking_item permissions for the related hs_office_relation rows');
|
call defineContext('create INSERT INTO hs_booking_item permissions for pre-exising hs_office_relation rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office_relation
|
FOR row IN SELECT * FROM hs_office_relation
|
||||||
WHERE type = 'DEBITOR'
|
WHERE type = 'DEBITOR'
|
||||||
@ -117,13 +119,13 @@ do language plpgsql $$
|
|||||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsOfficeRelationADMIN(row));
|
hsOfficeRelationADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_booking_item INSERT permission to specified role of new hs_office_relation rows.
|
Grants hs_booking_item INSERT permission to specified role of new hs_office_relation rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_booking_item_hs_office_relation_insert_tf()
|
create or replace function new_hs_booking_item_grants_insert_to_hs_office_relation_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -137,39 +139,38 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_booking_item_hs_office_relation_insert_tg
|
create trigger z_new_hs_booking_item_grants_insert_to_hs_office_relation_tg
|
||||||
after insert on hs_office_relation
|
after insert on hs_office_relation
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_booking_item_hs_office_relation_insert_tf();
|
execute procedure new_hs_booking_item_grants_insert_to_hs_office_relation_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_booking_item-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_booking_item,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_booking_item.
|
||||||
where the check is performed by an indirect role.
|
|
||||||
|
|
||||||
An indirect role is a role which depends on an object uuid which is not a direct foreign key
|
|
||||||
of the source entity, but needs to be fetched via joined tables.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_booking_item_insert_permission_check_tf()
|
create or replace function hs_booking_item_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
|
||||||
declare
|
declare
|
||||||
superRoleObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
|
|
||||||
begin
|
begin
|
||||||
superRoleObjectUuid := (SELECT debitorRel.uuid
|
-- check INSERT permission via indirect foreign key: NEW.debitorUuid
|
||||||
|
superObjectUuid := (SELECT debitorRel.uuid
|
||||||
FROM hs_office_relation debitorRel
|
FROM hs_office_relation debitorRel
|
||||||
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
WHERE debitor.uuid = NEW.debitorUuid
|
WHERE debitor.uuid = NEW.debitorUuid
|
||||||
);
|
);
|
||||||
assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
|
assert superObjectUuid is not null, 'object uuid fetched depending on hs_booking_item.debitorUuid must not be null, also check fetchSql in RBAC DSL';
|
||||||
|
if hasInsertPermission(superObjectUuid, 'hs_booking_item') then
|
||||||
if ( not hasInsertPermission(superRoleObjectUuid, 'hs_booking_item') ) then
|
|
||||||
raise exception
|
|
||||||
'[403] insert into hs_booking_item not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end if;
|
|
||||||
return NEW;
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
|
raise exception '[403] insert into hs_booking_item not allowed for current subjects % (%)',
|
||||||
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger hs_booking_item_insert_permission_check_tg
|
create trigger hs_booking_item_insert_permission_check_tg
|
||||||
@ -178,11 +179,12 @@ create trigger hs_booking_item_insert_permission_check_tg
|
|||||||
execute procedure hs_booking_item_insert_permission_check_tf();
|
execute procedure hs_booking_item_insert_permission_check_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-booking-item-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_booking_item',
|
call generateRbacIdentityViewFromQuery('hs_booking_item',
|
||||||
$idName$
|
$idName$
|
||||||
SELECT bookingItem.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingItem.caption) as idName
|
SELECT bookingItem.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingItem.caption) as idName
|
||||||
FROM hs_booking_item bookingItem
|
FROM hs_booking_item bookingItem
|
||||||
@ -190,6 +192,7 @@ create trigger hs_booking_item_insert_permission_check_tg
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-booking-item-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -100,16 +100,16 @@ execute procedure insertTriggerForHsHostingAsset_tf();
|
|||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
preExistingRow hs_booking_item;
|
row hs_booking_item;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising hs_booking_item rows');
|
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising hs_booking_item rows');
|
||||||
|
|
||||||
FOR preExistingRow IN SELECT * FROM hs_booking_item
|
FOR row IN SELECT * FROM hs_booking_item
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(preExistingRow.uuid, 'INSERT', 'hs_hosting_asset'),
|
createPermission(row.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
hsBookingItemAGENT(preExistingRow));
|
hsBookingItemAGENT(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -169,15 +169,23 @@ execute procedure new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf();
|
|||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_hosting_asset,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_hosting_asset.
|
||||||
where the check is performed by a direct role.
|
|
||||||
|
|
||||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_hosting_asset_insert_permission_missing_tf()
|
create or replace function hs_hosting_asset_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.bookingItemUuid
|
||||||
|
if NEW.type in ('CLOUD_SERVER', 'MANAGED_SERVER', 'MANAGED_WEBSPACE') and hasInsertPermission(NEW.bookingItemUuid, 'hs_hosting_asset') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.parentAssetUuid
|
||||||
|
if NEW.type in ('MANAGED_WEBSPACE') and hasInsertPermission(NEW.parentAssetUuid, 'hs_hosting_asset') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_hosting_asset not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_hosting_asset not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -185,11 +193,7 @@ end; $$;
|
|||||||
create trigger hs_hosting_asset_insert_permission_check_tg
|
create trigger hs_hosting_asset_insert_permission_check_tg
|
||||||
before insert on hs_hosting_asset
|
before insert on hs_hosting_asset
|
||||||
for each row
|
for each row
|
||||||
when ( not (
|
execute procedure hs_hosting_asset_insert_permission_check_tf();
|
||||||
hasInsertPermission(NEW.bookingItemUuid, 'hs_hosting_asset') or
|
|
||||||
NEW.type in ('MANAGED_WEBSPACE') and hasInsertPermission(NEW.parentAssetUuid, 'hs_hosting_asset')
|
|
||||||
) )
|
|
||||||
execute procedure hs_hosting_asset_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
@ -197,7 +201,7 @@ create trigger hs_hosting_asset_insert_permission_check_tg
|
|||||||
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_hosting_asset',
|
call generateRbacIdentityViewFromQuery('hs_hosting_asset',
|
||||||
$idName$
|
$idName$
|
||||||
SELECT asset.uuid as uuid, bookingItemIV.idName || '-' || cleanIdentifier(asset.identifier) as idName
|
SELECT asset.uuid as uuid, bookingItemIV.idName || '-' || cleanIdentifier(asset.identifier) as idName
|
||||||
FROM hs_hosting_asset asset
|
FROM hs_hosting_asset asset
|
||||||
@ -205,6 +209,7 @@ create trigger hs_hosting_asset_insert_permission_check_tg
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-hosting-asset-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
Loading…
Reference in New Issue
Block a user