avoid nested subselect for insert permission check

src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java

@@ -88,7 +88,7 @@ public class HsOfficePartnerDetailsEntity implements HasUuid, Stringifyable {
 
                 .importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
                         fetchedBySql("""
-                            SELECT partnerRel.*
+                            SELECT ${columns}
                                 FROM hs_office_relation AS partnerRel
                                 JOIN hs_office_partner AS partner
                                     ON partner.detailsUuid = ${ref}.uuid

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java

@@ -114,8 +114,7 @@ public class InsertTriggerGenerator {
                     }
                 }
             } else {
-                final var superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
+                if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
-                if (superRoleEntityAlias.fetchSql().part == RbacView.SQL.Part.AUTO_FETCH) {
                     generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(plPgSql, g);
                 } else {
                     generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
@@ -164,24 +163,23 @@ public class InsertTriggerGenerator {
                     
                     An indirect role is a role FIXME.
                 */
-                create or replace function ${rawSubTable}_insert_permission_missing_tf()
+                create or replace function ${rawSubTable}_insert_permission_check_tf()
                     returns trigger
                     language plpgsql as $$
+                declare
+                    superRoleObjectUuid uuid;
                 begin
-                    if ( not hasInsertPermission(
+                    
-                        ( SELECT ${varName}.uuid FROM
                 """,
-                with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
+                with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
-                with("varName", g.getSuperRoleDef().getEntityAlias().aliasName()));
+        plPgSql.indented(2, () ->  {
-        plPgSql.indented(3, () ->  {
             plPgSql.writeLn(
-                    "(" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ") AS ${varName}",
+                    "superRoleObjectUuid := (" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ");",
-                    with("varName", g.getSuperRoleDef().getEntityAlias().aliasName()),
+                    with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
                     with("ref", NEW.name()));
         });
         plPgSql.writeLn("""
-
+                        if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', '${rawSubTable}') ) then
-                        ), 'INSERT', '${rawSubTable}') ) then
                             raise exception
                                 '[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
                                 currentSubjects(), currentSubjectsUuids();
@@ -192,7 +190,7 @@ public class InsertTriggerGenerator {
                 create trigger ${rawSubTable}_insert_permission_check_tg
                     before insert on ${rawSubTable}
                     for each row
-                        execute procedure ${rawSubTable}_insert_permission_missing_tf();
+                        execute procedure ${rawSubTable}_insert_permission_check_tf();
                     
                 """,
                 with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));

src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java

@@ -34,6 +34,7 @@ import static java.util.Arrays.stream;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static org.apache.commons.lang3.StringUtils.uncapitalize;
 
@@ -839,8 +840,8 @@ public class RbacView {
             };
         }
 
-        public boolean hasFetchSql() {
+        boolean isFetchedByDirectForeignKey() {
-            return fetchSql != null;
+            return fetchSql != null && fetchSql.part == AUTO_FETCH;
         }
 
         private String withoutEntitySuffix(final String simpleEntityName) {
@@ -909,14 +910,25 @@ public class RbacView {
 
         /**
          * DSL method to specify an SQL SELECT expression which fetches the related entity,
-         * using the reference `${ref}` of the root entity.
+         * using the reference `${ref}` of the root entity and `${columns}` for the projection.
-         * `${ref}` is going to be replaced by either `NEW` or `OLD` of the trigger function.
+         *
-         * `into ...` will be added with a variable name prefixed with either `new` or `old`.
+         * <p>The query <strong>must define</strong> the entity alias name of the fetched table
+         * as its alias for, so it can be used in the generated projection (the columns between
+         * `SELECT` and `FROM`.</p>
+         *
+         * <p>`${ref}` is going to be replaced by either `NEW` or `OLD` of the trigger function.
+         * `into ...` will be added with a variable name prefixed with either `new` or `old`.</p>
+         *
+         * <p>`${columns}` is going to be replaced by the columns which are needed for the query,
+         * e.g. `*` or `uuid`.</p>
          *
          * @param sql an SQL SELECT expression (not ending with ';)
          * @return the wrapped SQL expression
          */
         public static SQL fetchedBySql(final String sql) {
+            if ( !sql.startsWith("SELECT ${columns}") ) {
+                throw new IllegalArgumentException("SQL SELECT expression must start with 'SELECT ${columns}', but is: " + sql);
+            }
             validateExpression(sql);
             return new SQL(sql, Part.SQL_QUERY);
         }
@@ -929,7 +941,7 @@ public class RbacView {
          * @return the wrapped SQL definition object
          */
         public static SQL directlyFetchedByDependsOnColumn() {
-            return new SQL(null, Part.AUTO_FETCH);
+            return new SQL(null, AUTO_FETCH);
         }
 
         /**

src/main/resources/db/changelog/123-test-package-rbac.sql

@@ -189,30 +189,22 @@ execute procedure test_package_test_customer_insert_tf();
 
 /**
     Checks if the user or assumed roles are allowed to insert a row to test_package,
-    where the check is performed by an indirect role.
+    where the check is performed by a direct role.
 
-    An indirect role is a role FIXME.
+    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function test_package_insert_permission_missing_tf()
     returns trigger
     language plpgsql as $$
 begin
-    if ( not hasInsertPermission(
+    raise exception '[403] insert into test_package not allowed for current subjects % (%)',
-        ( SELECT customer.uuid FROM
+        currentSubjects(), currentSubjectsUuids();
-
-            (SELECT * FROM test_customer WHERE uuid = NEW.customerUuid) AS customer
-
-        ), 'INSERT', 'test_package') ) then
-            raise exception
-                '[403] insert into test_package not allowed for current subjects % (%)',
-                currentSubjects(), currentSubjectsUuids();
-    end if;
-    return NEW;
 end; $$;
 
 create trigger test_package_insert_permission_check_tg
     before insert on test_package
     for each row
+    when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') )
         execute procedure test_package_insert_permission_missing_tf();
 --//
 

src/main/resources/db/changelog/133-test-domain-rbac.sql

@@ -188,30 +188,22 @@ execute procedure test_domain_test_package_insert_tf();
 
 /**
     Checks if the user or assumed roles are allowed to insert a row to test_domain,
-    where the check is performed by an indirect role.
+    where the check is performed by a direct role.
 
-    An indirect role is a role FIXME.
+    A direct role is a role depending on a foreign key directly available in the NEW row.
 */
 create or replace function test_domain_insert_permission_missing_tf()
     returns trigger
     language plpgsql as $$
 begin
-    if ( not hasInsertPermission(
+    raise exception '[403] insert into test_domain not allowed for current subjects % (%)',
-        ( SELECT package.uuid FROM
+        currentSubjects(), currentSubjectsUuids();
-
-            (SELECT * FROM test_package WHERE uuid = NEW.packageUuid) AS package
-
-        ), 'INSERT', 'test_domain') ) then
-            raise exception
-                '[403] insert into test_domain not allowed for current subjects % (%)',
-                currentSubjects(), currentSubjectsUuids();
-    end if;
-    return NEW;
 end; $$;
 
 create trigger test_domain_insert_permission_check_tg
     before insert on test_domain
     for each row
+    when ( not hasInsertPermission(NEW.packageUuid, 'INSERT', 'test_domain') )
         execute procedure test_domain_insert_permission_missing_tf();
 --//
 

src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql

@@ -54,8 +54,8 @@ begin
         hsOfficeRelationAdmin(NEW),
             permissions => array['UPDATE'],
             incomingSuperRoles => array[
-            	hsOfficePersonAdmin(newAnchorPerson),
+            	hsOfficeRelationOwner(NEW),
-            	hsOfficeRelationOwner(NEW)]
+            	hsOfficePersonAdmin(newAnchorPerson)]
     );
 
     perform createRoleWithGrants(
@@ -69,13 +69,13 @@ begin
         hsOfficeRelationTenant(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
-            	hsOfficeRelationAgent(NEW),
             	hsOfficeContactAdmin(newContact),
-            	hsOfficePersonAdmin(newHolderPerson)],
+            	hsOfficePersonAdmin(newHolderPerson),
+            	hsOfficeRelationAgent(NEW)],
             outgoingSubRoles => array[
-            	hsOfficePersonReferrer(newAnchorPerson),
+            	hsOfficePersonReferrer(newHolderPerson),
             	hsOfficeContactReferrer(newContact),
-            	hsOfficePersonReferrer(newHolderPerson)]
+            	hsOfficePersonReferrer(newAnchorPerson)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);

src/main/resources/db/changelog/234-hs-office-partner-details-rbac-generated.sql

@@ -35,7 +35,7 @@ declare
 begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
-    SELECT partnerRel.*
+    SELECT ${columns}
         FROM hs_office_relation AS partnerRel
         JOIN hs_office_partner AS partner
             ON partner.detailsUuid = NEW.uuid

src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql

@@ -57,17 +57,17 @@ begin
         hsOfficeSepaMandateAgent(NEW),
             incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
             outgoingSubRoles => array[
-            	hsOfficeBankAccountReferrer(newBankAccount),
+            	hsOfficeRelationAgent(newDebitorRel),
-            	hsOfficeRelationAgent(newDebitorRel)]
+            	hsOfficeBankAccountReferrer(newBankAccount)]
     );
 
     perform createRoleWithGrants(
         hsOfficeSepaMandateReferrer(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
+            	hsOfficeSepaMandateAgent(NEW),
             	hsOfficeRelationAgent(newDebitorRel),
-            	hsOfficeBankAccountAdmin(newBankAccount),
+            	hsOfficeBankAccountAdmin(newBankAccount)],
-            	hsOfficeSepaMandateAgent(NEW)],
             outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
     );