From 97059c75a1f29f98259c55d6f8791022bebc7079 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Tue, 17 Sep 2024 14:16:43 +0200
Subject: [PATCH] add holderPerson:ADMIN role to relation:ADMIN

---
 .../relation/HsOfficeRelationRbacEntity.java | 1 +
 .../5033-hs-office-relation-rbac.md | 1 +
 .../5033-hs-office-relation-rbac.sql | 29 ++++++++++---------
 3 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacEntity.java
index f47fc105..827f0a32 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacEntity.java
@@ -98,6 +98,7 @@ public class HsOfficeRelationRbacEntity extends HsOfficeRelation {
 })
 .createSubRole(ADMIN, (with) -> {
 with.permission(UPDATE);
+ with.outgoingSubRole("holderPerson", ADMIN); // FIXME: only for type=partner
 })
 .createSubRole(AGENT, (with) -> {
 // TODO.rbac: we need relation:PROXY, to allow changing the relation contact.
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md
index ccd95235..bb76a8ff 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md
@@ -90,6 +90,7 @@ role:relation:TENANT ==> role:anchorPerson:REFERRER
 role:relation:TENANT ==> role:holderPerson:REFERRER
 role:relation:TENANT ==> role:contact:REFERRER
 role:anchorPerson:ADMIN ==> role:relation:OWNER
+role:relation:ADMIN ==> role:holderPerson:ADMIN
 role:holderPerson:ADMIN ==> role:relation:AGENT
 %% granting permissions to roles
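Review bot: The new `with.outgoingSubRole("holderPerson", ADMIN)` in the ADMIN sub-role applies to every relation type, while the FIXME on the same line says it is meant only for type=partner, so the commit widens holder-person ADMIN rights for all other relation types as well. Because the .md hunk also shows `role:anchorPerson:ADMIN ==> role:relation:OWNER`, and OWNER presumably includes ADMIN, anyone administrating the anchor person would transitively become ADMIN of the holder person for any relation — that is a cross-entity privilege grant worth gating before merge rather than leaving as a FIXME. The same unconditional grant appears in the ELSE branch of the insert trigger in 5033-hs-office-relation-rbac.sql (hunk @@ -82,6 +82,7). If the type condition cannot be expressed in the builder yet, I would at least document the consequence next to the line, e.g. `// NOTE: until restricted to type=partner, this also grants anchorPerson:ADMIN transitive ADMIN on the holder person`. The createSubRole builder chain this line belongs to begins and ends outside the hunk.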
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
index d6f36ad5..573cc15e 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
@@ -3,21 +3,21 @@
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-OBJECT endDelimiter:--//
+--changeset RbacObjectGenerator:hs-office-relation-rbac-OBJECT endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRelatedRbacObject('hs_office_relation');
 --//
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
+--changeset RbacRoleDescriptorsGenerator:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
 --//
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-insert-trigger endDelimiter:--//
+--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-insert-trigger endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
@@ -50,7 +50,7 @@ begin
 perform rbac.defineRoleWithGrants(
 hsOfficeRelationOWNER(NEW),
 permissions => array['DELETE'],
- incomingSuperRoles => array[rbac.globalAdmin()],
+ incomingSuperRoles => array[rbac.globalADMIN()],
 subjectUuids => array[rbac.currentSubjectUuid()]
 );
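Review bot: Changing the changeset author from `michael.hoennig` to `RbacObjectGenerator` (and the other generator names) changes the changeset identity, since Liquibase keys applied changesets on id, author and file path, so on any database that already ran the old changesets these lines would be seen as new and `call rbac.generateRelatedRbacObject('hs_office_relation');` and the following changesets would execute a second time. The same applies to the `--changeset` lines in hunks @@ -110, @@ -151, @@ -192, @@ -228 and @@ -241. This compounds with hunks @@ -178 and @@ -192, which rename the function and the trigger (`z_new_hs_office_relation_grants_insert_to_hs_office_person_tg` → `z_new_hs_office_relation_grants_after_insert_tg`) via `create or replace` / `create trigger` without dropping the old names, so on a re-run both the old and the new trigger would grant INSERT permission. If databases are only ever rebuilt from scratch this is harmless, but that assumption deserves a comment next to the first renamed changeset, e.g. `-- NOTE: author renamed to generator name; not replayable on databases migrated before this change`.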
@@ -82,6 +82,7 @@ begin
 call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
 call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
 ELSE
+ call rbac.grantRoleToRole(hsOfficePersonADMIN(newHolderPerson), hsOfficeRelationADMIN(NEW));
 call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
 call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
 END IF;
@@ -110,7 +111,7 @@ execute procedure insertTriggerForHsOfficeRelation_tf();
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-update-trigger endDelimiter:--//
+--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-update-trigger endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
@@ -151,7 +152,7 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
+--changeset InsertTriggerGenerator:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
 -- ----------------------------------------------------------------------------
 -- granting INSERT permission to hs_office_person ----------------------------
@@ -178,7 +179,7 @@ $$;
 /**
 Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
 */
-create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
+create or replace function new_hsof_relation_grants_insert_to_hsof_person_tf()
 returns trigger
 language plpgsql
 strict as $$
@@ -192,14 +193,14 @@ begin
 end; $$;
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
+create trigger z_new_hs_office_relation_grants_after_insert_tg
 after insert on hs_office_person
 for each row
-execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
+execute procedure new_hsof_relation_grants_insert_to_hsof_person_tf();
 -- ============================================================================
---changeset michael.hoennig:hs_office_relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
+--changeset InsertTriggerGenerator:hs-office-relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /**
@@ -216,8 +217,8 @@ begin
 return NEW;
 end if;
- raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
- base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
+ raise exception '[403] insert into hs_office_relation values(%) not allowed for current subjects % (%)',
+ NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
 end; $$;
 create trigger hs_office_relation_insert_permission_check_tg
@@ -228,7 +229,7 @@ create trigger hs_office_relation_insert_permission_check_tg
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
+--changeset RbacIdentityViewGenerator:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
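Review bot: In hunk @@ -216 the `[403]` exception now interpolates the whole `NEW` record into the error text, so every column of the rejected hs_office_relation row (and any server-side defaults) ends up in the message handed back to the denied caller and in the server log. For a permission-denied path it is better to echo only what identifies the attempted row, e.g. `raise exception '[403] insert into hs_office_relation (uuid=%) not allowed for current subjects % (%)', NEW.uuid, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();` — assuming the table has a uuid column, which this hunk does not show; otherwise pick the anchor/holder references. The full-row form also makes the message grow silently whenever columns are added to the table. The enclosing trigger function begins outside the hunk.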
@@ -241,7 +242,7 @@ call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
+--changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacRestrictedView('hs_office_relation',
 $orderBy$