generate RBAC-system rebuild for each table with RBAC-support
This commit is contained in:
parent
9a8285e43c
commit
7ae1a0eb37
@ -0,0 +1,65 @@
|
|||||||
|
package net.hostsharing.hsadminng.rbac.generator;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.rbac.generator.RbacView.RbacGrantDefinition;
|
||||||
|
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.Set;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.generator.StringWriter.with;
|
||||||
|
|
||||||
|
class RbacRbacSystemRebuildGenerator {
|
||||||
|
|
||||||
|
private final RbacView rbacDef;
|
||||||
|
private final Set<RbacGrantDefinition> rbacGrants = new HashSet<>();
|
||||||
|
private final String liquibaseTagPrefix;
|
||||||
|
private final String rawTableName;
|
||||||
|
|
||||||
|
RbacRbacSystemRebuildGenerator(final RbacView rbacDef, final String liquibaseTagPrefix) {
|
||||||
|
this.rbacDef = rbacDef;
|
||||||
|
this.liquibaseTagPrefix = liquibaseTagPrefix;
|
||||||
|
this.rawTableName = rbacDef.getRootEntityAlias().getRawTableNameWithSchema();
|
||||||
|
}
|
||||||
|
|
||||||
|
void generateTo(final StringWriter plPgSql) {
|
||||||
|
plPgSql.writeLn("""
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:${liquibaseTagPrefix}-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table ${rawTableName}', null, <<insert executing global admin user here>>);
|
||||||
|
-- call ${rawTableName}_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure ${rawTableName}_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row ${rawTableName};
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM ${rawTableName} LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL ${rawTableName}_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
""",
|
||||||
|
with("liquibaseTagPrefix", liquibaseTagPrefix),
|
||||||
|
with("rawTableName", rawTableName));
|
||||||
|
}
|
||||||
|
}
|
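Review bot: The fields `rbacGrants` (the `Set<RbacGrantDefinition>` initialised at field level) and `rbacDef` are never read anywhere in this class — the constructor only reads its `rbacDef` parameter to derive `rawTableName` — so both fields and the `RbacGrantDefinition`, `HashSet` and `Set` imports are dead and should be dropped. In the PL/pgSQL template, `DECLARE` is written twice in a row before `row ${rawTableName};`; PostgreSQL tolerates a redundant DECLARE, so every regenerated file in this commit now carries the duplicate, but one of the two lines should go. The changeset id `RbacRbacSystemRebuildGenerator:${liquibaseTagPrefix}-rbac-rebuild` also changes the identity of the hs_office.relation section that was previously committed under author `RbacRestrictedViewGenerator` (see that file's hunk further down); Liquibase keys a changeset on author plus id, so on databases where the old one already ran the regenerated one will be applied again — harmless for `create or replace procedure`, but worth stating in the commit message. The counters could be declared `bigint` instead of `numeric`, since `count(*)` yields bigint; minor.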
@ -31,6 +31,7 @@ public class RbacViewPostgresGenerator {
|
|||||||
new InsertTriggerGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
new InsertTriggerGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
||||||
new RbacIdentityViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
new RbacIdentityViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
||||||
new RbacRestrictedViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
new RbacRestrictedViewGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
||||||
|
new RbacRbacSystemRebuildGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
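Review bot: The new call passes the local `liqibaseTagPrefix` (misspelled in the surrounding method) to a constructor whose parameter is `liquibaseTagPrefix`, so both spellings now sit in one expression; renaming the local, which is declared outside the hunk, would remove the inconsistency. Because the emitted changeset only defines `<table>_rebuild_rbac_system()` and leaves its invocation commented out, a short comment on this line would help readers of this method, e.g. `// defines the admin-run <table>_rebuild_rbac_system() procedure; it is not executed during migration`.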
@ -258,10 +258,11 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
with("ref", old.name()));
|
with("ref", old.name()));
|
||||||
if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
|
if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"assert ${entityRefVar}.uuid is not null, format('${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s', ${REF}.${dependsOnColumn});",
|
"assert ${entityRefVar}.uuid is not null, format('${entityRefVar} must not be null for ${REF}.${dependsOnColumn} = %s of ${rawTable}', ${REF}.${dependsOnColumn});",
|
||||||
with("entityRefVar", entityRefVar(old, ea)),
|
with("entityRefVar", entityRefVar(old, ea)),
|
||||||
with("dependsOnColumn", ea.dependsOnColumName()),
|
with("dependsOnColumn", ea.dependsOnColumName()),
|
||||||
with("ref", old.name()));
|
with("ref", old.name()),
|
||||||
|
with("rawTable", qualifiedRawTableName));
|
||||||
plPgSql.writeLn();
|
plPgSql.writeLn();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
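Review bot: `${rawTable}` is substituted from `qualifiedRawTableName` into the single-quoted SQL literal inside the generated `format(...)` call, so a table name containing a quote would break the emitted assert; the names come from the generator's own RbacView definitions rather than runtime input, which is fine, but a one-line comment stating that assumption, e.g. `// rawTable is a code-defined identifier, safe to inline into the literal`, would make it explicit. The method enclosing this `if (ea.nullable() == RbacView.Nullable.NOT_NULL)` block starts and ends outside the hunk, and `qualifiedRawTableName` is declared elsewhere in the class, so I cannot confirm its value here; the regenerated SQL files in this commit show it rendering as the schema-qualified name (e.g. `rbactest.package`).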
@ -178,3 +178,41 @@ call rbac.generateRbacRestrictedView('rbactest.customer',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:rbactest-customer-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table rbactest.customer', null, <<insert executing global admin user here>>);
|
||||||
|
-- call rbactest.customer_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure rbactest.customer_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row rbactest.customer;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM rbactest.customer LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL rbactest.customer_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
||||||
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of package', NEW.customerUuid);
|
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of rbactest.package', NEW.customerUuid);
|
||||||
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
@ -102,10 +102,10 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM rbactest.customer WHERE uuid = OLD.customerUuid INTO oldCustomer;
|
SELECT * FROM rbactest.customer WHERE uuid = OLD.customerUuid INTO oldCustomer;
|
||||||
assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s of package', OLD.customerUuid);
|
assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s of rbactest.package', OLD.customerUuid);
|
||||||
|
|
||||||
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
||||||
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of package', NEW.customerUuid);
|
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s of rbactest.package', NEW.customerUuid);
|
||||||
|
|
||||||
|
|
||||||
if NEW.customerUuid <> OLD.customerUuid then
|
if NEW.customerUuid <> OLD.customerUuid then
|
||||||
@ -243,3 +243,41 @@ call rbac.generateRbacRestrictedView('rbactest.package',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:rbactest-package-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table rbactest.package', null, <<insert executing global admin user here>>);
|
||||||
|
-- call rbactest.package_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure rbactest.package_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row rbactest.package;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM rbactest.package LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL rbactest.package_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
|
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||||
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of domain', NEW.packageUuid);
|
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of rbactest.domain', NEW.packageUuid);
|
||||||
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
@ -98,10 +98,10 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM rbactest.package WHERE uuid = OLD.packageUuid INTO oldPackage;
|
SELECT * FROM rbactest.package WHERE uuid = OLD.packageUuid INTO oldPackage;
|
||||||
assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s of domain', OLD.packageUuid);
|
assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s of rbactest.domain', OLD.packageUuid);
|
||||||
|
|
||||||
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
|
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||||
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of domain', NEW.packageUuid);
|
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s of rbactest.domain', NEW.packageUuid);
|
||||||
|
|
||||||
|
|
||||||
if NEW.packageUuid <> OLD.packageUuid then
|
if NEW.packageUuid <> OLD.packageUuid then
|
||||||
@ -242,3 +242,41 @@ call rbac.generateRbacRestrictedView('rbactest.domain',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:rbactest-domain-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table rbactest.domain', null, <<insert executing global admin user here>>);
|
||||||
|
-- call rbactest.domain_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure rbactest.domain_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row rbactest.domain;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM rbactest.domain LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL rbactest.domain_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -102,3 +102,41 @@ call rbac.generateRbacRestrictedView('hs_office.contact',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-contact-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.contact', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.contact_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.contact_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.contact;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.contact LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.contact_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -104,3 +104,41 @@ call rbac.generateRbacRestrictedView('hs_office.person',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-person-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.person', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.person_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.person_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.person;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.person LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.person_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -38,13 +38,13 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
|
SELECT * FROM hs_office.person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
|
||||||
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s of relation', NEW.holderUuid);
|
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s of hs_office.relation', NEW.holderUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
|
SELECT * FROM hs_office.person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
|
||||||
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s of relation', NEW.anchorUuid);
|
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s of hs_office.relation', NEW.anchorUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.contact WHERE uuid = NEW.contactUuid INTO newContact;
|
SELECT * FROM hs_office.contact WHERE uuid = NEW.contactUuid INTO newContact;
|
||||||
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s of relation', NEW.contactUuid);
|
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s of hs_office.relation', NEW.contactUuid);
|
||||||
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
@ -254,12 +254,12 @@ call rbac.generateRbacRestrictedView('hs_office.relation',
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-rebuild endDelimiter:--//
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-relation-rbac-rebuild endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
--
|
--
|
||||||
-- begin transaction;
|
-- begin transaction;
|
||||||
-- call base.defineContext('re-creating RBAC for table relation', null, <<insert executing global admin user here>>);
|
-- call base.defineContext('re-creating RBAC for table hs_office.relation', null, <<insert executing global admin user here>>);
|
||||||
-- call hs_office.relation_rebuild_rbac_system();
|
-- call hs_office.relation_rebuild_rbac_system();
|
||||||
-- commit;
|
-- commit;
|
||||||
|
|
||||||
@ -289,3 +289,4 @@ BEGIN
|
|||||||
END;
|
END;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -37,10 +37,10 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of partner', NEW.partnerRelUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of hs_office.partner', NEW.partnerRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of partner', NEW.detailsUuid);
|
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of hs_office.partner', NEW.detailsUuid);
|
||||||
|
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hs_office.relation_OWNER(newPartnerRel));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hs_office.relation_OWNER(newPartnerRel));
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.relation_TENANT(newPartnerRel));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.relation_TENANT(newPartnerRel));
|
||||||
@ -96,16 +96,16 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel;
|
SELECT * FROM hs_office.relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel;
|
||||||
assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s of partner', OLD.partnerRelUuid);
|
assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s of hs_office.partner', OLD.partnerRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
SELECT * FROM hs_office.relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of partner', NEW.partnerRelUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s of hs_office.partner', NEW.partnerRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails;
|
SELECT * FROM hs_office.partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails;
|
||||||
assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s of partner', OLD.detailsUuid);
|
assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s of hs_office.partner', OLD.detailsUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
SELECT * FROM hs_office.partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of partner', NEW.detailsUuid);
|
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s of hs_office.partner', NEW.detailsUuid);
|
||||||
|
|
||||||
|
|
||||||
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
||||||
@ -253,3 +253,41 @@ call rbac.generateRbacRestrictedView('hs_office.partner',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-partner-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.partner', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.partner_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.partner_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.partner;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.partner LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.partner_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -165,3 +165,41 @@ call rbac.generateRbacRestrictedView('hs_office.partner_details',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-partner-details-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.partner_details', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.partner_details_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.partner_details_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.partner_details;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.partner_details LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.partner_details_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -101,3 +101,41 @@ call rbac.generateRbacRestrictedView('hs_office.bankaccount',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-bankaccount-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.bankaccount', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.bankaccount_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.bankaccount_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.bankaccount;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.bankaccount LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.bankaccount_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -44,10 +44,10 @@ begin
|
|||||||
WHERE partnerRel.type = 'PARTNER'
|
WHERE partnerRel.type = 'PARTNER'
|
||||||
AND NEW.debitorRelUuid = debitorRel.uuid
|
AND NEW.debitorRelUuid = debitorRel.uuid
|
||||||
INTO newPartnerRel;
|
INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s of debitor', NEW.debitorRelUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s of hs_office.debitor', NEW.debitorRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel;
|
SELECT * FROM hs_office.relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel;
|
||||||
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s of debitor', NEW.debitorRelUuid);
|
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s of hs_office.debitor', NEW.debitorRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
|
SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
|
||||||
|
|
||||||
@ -242,3 +242,41 @@ call rbac.generateRbacRestrictedView('hs_office.debitor',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-debitor-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.debitor', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.debitor_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.debitor_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.debitor;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.debitor LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.debitor_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
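Review bot: The before/after figures at `SELECT count(*) INTO grantsBefore FROM rbac.grants;` and `select count(*) into grantsAfter from rbac.grants;` count the whole grants table, so the notice cannot show whether a change in the number came from this table's rebuild or from anything else in `rbac.grants`. Scoping both counts to the rows this procedure actually touches, e.g. `SELECT count(*) INTO grantsBefore FROM rbac.grants g WHERE g.grantedbytriggerof IN (SELECT uuid FROM hs_office.debitor);` (and the same for `grantsAfter`), turns the message into a usable audit figure for the rebuild. A `raise notice` is also easy to lose in a migration log; if a shrinking count is unexpected, `raise warning` for the `grantsAfter < grantsBefore` case would be the practitioner-friendly choice. Since this file is generated, the fix belongs in the generator template rather than here.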
|
||||||
|
|
||||||
|
@ -37,14 +37,14 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount;
|
SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount;
|
||||||
assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s of sepamandate', NEW.bankAccountUuid);
|
assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s of hs_office.sepamandate', NEW.bankAccountUuid);
|
||||||
|
|
||||||
SELECT debitorRel.*
|
SELECT debitorRel.*
|
||||||
FROM hs_office.relation debitorRel
|
FROM hs_office.relation debitorRel
|
||||||
JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
WHERE debitor.uuid = NEW.debitorUuid
|
WHERE debitor.uuid = NEW.debitorUuid
|
||||||
INTO newDebitorRel;
|
INTO newDebitorRel;
|
||||||
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of sepamandate', NEW.debitorUuid);
|
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of hs_office.sepamandate', NEW.debitorUuid);
|
||||||
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
@ -211,3 +211,41 @@ call rbac.generateRbacRestrictedView('hs_office.sepamandate',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-sepamandate-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.sepamandate', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.sepamandate_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.sepamandate_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.sepamandate;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.sepamandate LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.sepamandate_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
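Review bot: Nothing in `hs_office.sepamandate_rebuild_rbac_system()` verifies the precondition its own usage comment states, namely that `base.defineContext(...)` was called with a global admin user before the rebuild; the requirement lives only in a commented-out snippet with a `<<insert executing global admin user here>>` placeholder. If the procedure is invoked without that context, the per-row `CALL hs_office.sepamandate_build_rbac_system(row);` presumably fails part-way or attributes grants to whatever subject happens to be set — which of the two cannot be told from this hunk. An explicit assertion at the top of the procedure body that a subject/context is set, using whatever accessor the `base` schema provides for it, would fail fast with a clear message. The caller's transaction wrapper is likewise what keeps an assert inside the build procedure (e.g. `newBankAccount must not be null ...` in the first hunk) from leaving a half-rebuilt state; that is worth a comment in the procedure header, not just in the disabled snippet.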
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ begin
|
|||||||
JOIN hs_office.relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
|
JOIN hs_office.relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
|
||||||
WHERE partner.uuid = NEW.partnerUuid
|
WHERE partner.uuid = NEW.partnerUuid
|
||||||
INTO newPartnerRel;
|
INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s of membership', NEW.partnerUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s of hs_office.membership', NEW.partnerUuid);
|
||||||
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
@ -193,3 +193,41 @@ call rbac.generateRbacRestrictedView('hs_office.membership',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-membership-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.membership', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.membership_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.membership_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.membership;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.membership LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.membership_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
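Review bot: `DELETE FROM rbac.grants g WHERE g.grantedbytriggerof = row.uuid;` only removes grants recorded under the membership row's own uuid, while the grants that other tables make into membership roles — `hs_office.membership_AGENT(newMembership)` / `hs_office.membership_ADMIN(newMembership)` from the coopsharetx and coopassettx hunks in this commit — are attributed to those other rows via `rbac.enterTriggerForObjectUuid(NEW.uuid)` and therefore survive this rebuild untouched. Whether they remain valid afterwards depends on whether the membership roles are looked up by name and reused or recreated with new identities, which the hunk does not show. A header comment on the procedure should state the rebuild order (rebuild a table before the tables whose `_build_rbac_system` grants into its roles) and that grants recorded under other objects' uuids are deliberately left alone, so an operator does not assume this is a full reset of everything touching `hs_office.membership`.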
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of coopshares', NEW.membershipUuid);
|
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of hs_office.coopsharetx', NEW.membershipUuid);
|
||||||
|
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership));
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership));
|
||||||
@ -164,3 +164,41 @@ call rbac.generateRbacRestrictedView('hs_office.coopsharetx',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-coopsharetx-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.coopsharetx', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.coopsharetx_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.coopsharetx_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.coopsharetx;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.coopsharetx_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
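Review bot: The declaration section of `hs_office.coopsharetx_rebuild_rbac_system()` opens with `DECLARE` twice in a row before `row hs_office.coopsharetx;`; PL/pgSQL tolerates a repeated `DECLARE` token, but it reads like a slip in the generator template and will be copied into every generated file. Dropping the second `DECLARE` in the template is the fix. Naming the loop variable `row` also trades on PL/pgSQL accepting the SQL keyword as an identifier; a name like `obj` or `rec` would read more clearly in `FOR row IN SELECT * FROM hs_office.coopsharetx LOOP` and in the `row.uuid` references.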
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
SELECT * FROM hs_office.membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of coopasset', NEW.membershipUuid);
|
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s of hs_office.coopassettx', NEW.membershipUuid);
|
||||||
|
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hs_office.membership_AGENT(newMembership));
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership));
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hs_office.membership_ADMIN(newMembership));
|
||||||
@ -164,3 +164,41 @@ call rbac.generateRbacRestrictedView('hs_office.coopassettx',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-office-coopassettx-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_office.coopassettx', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_office.coopassettx_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_office.coopassettx_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_office.coopassettx;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_office.coopassettx LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_office.coopassettx_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
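Review bot: The changeset header `--changeset RbacRbacSystemRebuildGenerator:hs-office-coopassettx-rbac-rebuild endDelimiter:--//` carries no `runOnChange:true`, yet the body is a `create or replace procedure` that is regenerated from a template. Once the changeset has been applied to a database, a later template change regenerates different SQL under the same id, which Liquibase will not re-apply and — with default checksum validation — will reject on the next update, unless the project disables validation or only ever applies these files to fresh databases. Adding `runOnChange:true` to the generated header (i.e. `--changeset RbacRbacSystemRebuildGenerator:hs-office-coopassettx-rbac-rebuild runOnChange:true endDelimiter:--//`) matches the idempotent body and keeps deployed databases' rebuild procedure in step with the generator.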
|
||||||
|
|
||||||
|
@ -37,14 +37,14 @@ begin
|
|||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office.debitor WHERE uuid = NEW.debitorUuid INTO newDebitor;
|
SELECT * FROM hs_office.debitor WHERE uuid = NEW.debitorUuid INTO newDebitor;
|
||||||
assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s of project', NEW.debitorUuid);
|
assert newDebitor.uuid is not null, format('newDebitor must not be null for NEW.debitorUuid = %s of hs_booking.project', NEW.debitorUuid);
|
||||||
|
|
||||||
SELECT debitorRel.*
|
SELECT debitorRel.*
|
||||||
FROM hs_office.relation debitorRel
|
FROM hs_office.relation debitorRel
|
||||||
JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
WHERE debitor.uuid = NEW.debitorUuid
|
WHERE debitor.uuid = NEW.debitorUuid
|
||||||
INTO newDebitorRel;
|
INTO newDebitorRel;
|
||||||
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s or project', NEW.debitorUuid);
|
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s of hs_booking.project', NEW.debitorUuid);
|
||||||
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
@ -204,3 +204,41 @@ call rbac.generateRbacRestrictedView('hs_booking.project',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-booking-project-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_booking.project', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_booking.project_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_booking.project_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_booking.project;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_booking.project LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_booking.project_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
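Review bot: When `CALL hs_booking.project_build_rbac_system(row);` raises — and the first hunk shows it asserting, e.g. `newDebitor must not be null for NEW.debitorUuid = %s of hs_booking.project` — the whole rebuild aborts with the build procedure's message but without saying which project row it was processing, which makes a failed rebuild over a large table slow to diagnose. Wrapping the per-row call in a block that re-raises with `row.uuid` attached gives the operator the offending row directly; the transaction still rolls back as before, so no half-rebuilt state is introduced. The per-row sub-block costs a savepoint per iteration, which is acceptable for a maintenance procedure. As with the other notes, the change belongs in the generator template.

```sql
FOR row IN SELECT * FROM hs_booking.project LOOP
    -- … unchanged: DELETE of this row's previously generated grants …
    BEGIN
        CALL hs_booking.project_build_rbac_system(row);
    EXCEPTION WHEN OTHERS THEN
        RAISE EXCEPTION 'rebuilding RBAC for hs_booking.project % failed: %', row.uuid, SQLERRM;
    END;
END LOOP;
```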
|
||||||
|
|
||||||
|
@ -275,3 +275,41 @@ call rbac.generateRbacRestrictedView('hs_booking.item',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-booking-item-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_booking.item', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_booking.item_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_booking.item_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_booking.item;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_booking.item LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_booking.item_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
@ -181,3 +181,41 @@ call rbac.generateRbacRestrictedView('hs_hosting.asset',
|
|||||||
$updates$);
|
$updates$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset RbacRbacSystemRebuildGenerator:hs-hosting-asset-rbac-rebuild endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
--
|
||||||
|
-- begin transaction;
|
||||||
|
-- call base.defineContext('re-creating RBAC for table hs_hosting.asset', null, <<insert executing global admin user here>>);
|
||||||
|
-- call hs_hosting.asset_rebuild_rbac_system();
|
||||||
|
-- commit;
|
||||||
|
|
||||||
|
create or replace procedure hs_hosting.asset_rebuild_rbac_system()
|
||||||
|
language plpgsql as $$
|
||||||
|
DECLARE
|
||||||
|
DECLARE
|
||||||
|
row hs_hosting.asset;
|
||||||
|
grantsAfter numeric;
|
||||||
|
grantsBefore numeric;
|
||||||
|
BEGIN
|
||||||
|
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
||||||
|
|
||||||
|
FOR row IN SELECT * FROM hs_hosting.asset LOOP
|
||||||
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
|
DELETE FROM rbac.grants g
|
||||||
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
|
CALL hs_hosting.asset_build_rbac_system(row);
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
select count(*) into grantsAfter from rbac.grants;
|
||||||
|
|
||||||
|
-- print how the total count of grants has changed
|
||||||
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
--//
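Review bot: `create or replace procedure hs_hosting.asset_rebuild_rbac_system()` is created with PostgreSQL's default routine privileges, under which EXECUTE is granted to PUBLIC, for a routine whose whole purpose is to delete and regenerate rows in `rbac.grants`. Because the procedure is SECURITY INVOKER by default, calling it does not by itself escalate anything — the DELETE and the build still run with the caller's own rights — but a `REVOKE EXECUTE ON PROCEDURE hs_hosting.asset_rebuild_rbac_system() FROM PUBLIC;` emitted right after the definition is cheap defence in depth and documents that this is an admin-only maintenance entry point. Whether application roles connect with direct rights on `rbac.grants` is not visible here, so treat this as a hardening suggestion rather than a found hole.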
|
||||||
|
|
||||||
|