From ac956d3b0582d3db6c912b80e1f5524a96976eb7 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Tue, 23 Jul 2024 13:00:47 +0200
Subject: [PATCH] move recursive CTE query queryAccessibleObjectUuidsOfSubjectIds to the rbac-generator for *_rv
---
 .../db/changelog/1-rbac/1050-rbac-base.sql | 8 ++---
 .../changelog/1-rbac/1058-rbac-generators.sql | 34 +++++++++++++++----
 2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
index a2a8f750..5722c26e 100644
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
@@ -728,10 +728,10 @@ begin
 INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
 WHERE g.assumed
 ),
- granted AS (
- SELECT DISTINCT descendantUuid
- FROM grants
- )
+ granted AS (
+ SELECT DISTINCT descendantUuid
+ FROM grants
+ )
 SELECT DISTINCT perm.objectUuid
 FROM granted
 JOIN RbacPermission perm ON granted.descendantUuid = perm.uuid
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index 016b8f89..86d9b673 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -175,16 +175,38 @@ begin
 Creates a restricted view based on the 'SELECT' permission of the current subject.
 */
 sql := format($sql$
- set session session authorization default;
- create view %1$s_rv as
- with accessibleObjects as (
- select queryAccessibleObjectUuidsOfSubjectIds('SELECT', '%1$s', currentSubjectsUuids())
+ create or replace view %1$s_rv as
+ with accessible_%1$s_uuids as (
+
+ with recursive grants as (
+ select descendantUuid, ascendantUuid, 1 as level
+ from RbacGrants
+ where assumed
+ and ascendantUuid = any (currentSubjectsuUids())
+ union all
+ select g.descendantUuid, g.ascendantUuid, level + 1 as level
+ from RbacGrants g
+ inner join grants on grants.descendantUuid = g.ascendantUuid
+ where g.assumed
+ ),
+ granted as (
+ select distinct descendantUuid
+ from grants
+ )
+ select distinct perm.objectUuid as objectUuid
+ from granted
+ join RbacPermission perm on granted.descendantUuid = perm.uuid
+ join RbacObject obj on obj.uuid = perm.objectUuid
+ where perm.op = 'SELECT'
+ and obj.objectTable = '%1$s'
+ limit 8001
 )
 select target.*
 from %1$s as target
- where target.uuid in (select * from accessibleObjects)
+ where target.uuid in (select * from accessible_%1$s_uuids)
 order by %2$s;
- grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
+
+ grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
 $sql$, targetTable, orderBy);
 execute sql;
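Review bot: The new `limit 8001` closing the `accessible_%1$s_uuids` CTE has no `order by`, so a subject holding SELECT on more than 8001 objects of `%1$s` silently sees an arbitrary subset through the `_rv` view instead of an error; the replaced `queryAccessibleObjectUuidsOfSubjectIds` helper is not visible in this hunk, so whether it raised on overflow (a guard that would now be lost) is inferred, but a silent cap inside an authorization view needs at least a why-comment such as `-- limit 8001: hard cap on readable objects per query; rows beyond it are silently dropped — confirm against the old helper's max-objects behaviour`. Separately, `and obj.objectTable = '%1$s'` splices the table name into a string literal via `%s`; `and obj.objectTable = %1$L` lets `format()` quote it and keeps the argument list unchanged. The dropped `set session session authorization default;` means the view is now created under whatever role is active when the generator runs, and because Postgres views execute with their owner's privileges, the resulting owner of `%1$s_rv` should be confirmed to be the intended one. `currentSubjectsuUids()` still resolves because unquoted identifiers fold to lowercase, but it should read `currentSubjectsUuids()` as on the removed line. The enclosing generator function starts and ends outside this hunk.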