generateRbacRestrictedView for non-updateable tables

This commit is contained in:
Michael Hoennig 2022-10-18 17:29:10 +02:00
parent 61473abf68
commit bec559c9c3


@ -135,7 +135,7 @@ end; $$;
--changeset rbac-generators-RESTRICTED-VIEW:1 endDelimiter:--// --changeset rbac-generators-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text) create or replace procedure generateRbacRestrictedView(targetTable text, orderBy text, columnUpdates text = null)
language plpgsql as $$ language plpgsql as $$
declare declare
sql text; sql text;
@ -221,32 +221,34 @@ begin
Instead of update trigger function for the restricted view Instead of update trigger function for the restricted view
based on the 'edit' permission of the current subject. based on the 'edit' permission of the current subject.
*/ */
sql := format($sql$ if columnUpdates is not null then
create or replace function %1$sUpdate() sql := format($sql$
returns trigger create or replace function %1$sUpdate()
language plpgsql as $f$ returns trigger
begin language plpgsql as $f$
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('edit', '%1$s', currentSubjectsUuids())) then begin
update %1$s if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('edit', '%1$s', currentSubjectsUuids())) then
set %2$s update %1$s
where uuid = old.uuid; set %2$s
return old; where uuid = old.uuid;
end if; return old;
raise exception '[403] Subject %% is not allowed to update %1$s uuid %%', currentSubjectsUuids(), old.uuid; end if;
end; $f$; raise exception '[403] Subject %% is not allowed to update %1$s uuid %%', currentSubjectsUuids(), old.uuid;
$sql$, targetTable, columnUpdates); end; $f$;
execute sql; $sql$, targetTable, columnUpdates);
execute sql;
/* /*
Creates an instead of delete trigger for the restricted view. Creates an instead of delete trigger for the restricted view.
*/ */
sql = format($sql$ sql = format($sql$
create trigger %1$sUpdate_tg create trigger %1$sUpdate_tg
instead of update instead of update
on %1$s_rv on %1$s_rv
for each row for each row
execute function %1$sUpdate(); execute function %1$sUpdate();
$sql$, targetTable); $sql$, targetTable);
execute sql; execute sql;
end if;
end; $$; end; $$;
--// --//
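Review bot: Guarding the INSTEAD OF UPDATE trigger with `if columnUpdates is not null then` only makes `%1$s_rv` non-updateable if PostgreSQL does not treat the view as automatically updatable; the view itself is generated earlier in generateRbacRestrictedView, outside this hunk, so that cannot be confirmed here, but if it is a plain single-table select an `update` against the view would go straight to the base table, gated only by the view's row filter and not by the 'edit' permission check that the skipped trigger enforces. A safer default for the null case is an `else` branch that still installs the trigger but unconditionally raises the `[403]` exception, so a non-updateable table behaves the same regardless of how the view was built. The block comment above the branch still describes only the trigger function and should mention the new case, e.g. `-- when columnUpdates is null the table is treated as non-updateable and no update path is generated`. Also `sql = format(...)` and `sql := format(...)` are mixed within the same branch; plpgsql accepts both, but one form should be used consistently. The procedure begins outside this hunk.
```sql
    if columnUpdates is not null then
        -- … unchanged: update trigger function and trigger generation …
    else
        -- non-updateable table: reject every update through the restricted view explicitly
        sql := format($sql$
            create or replace function %1$sUpdate()
                returns trigger
                language plpgsql as $f$
            begin
                raise exception '[403] Subject %% is not allowed to update %1$s uuid %%', currentSubjectsUuids(), old.uuid;
            end; $f$;
            $sql$, targetTable);
        execute sql;

        sql := format($sql$
            create trigger %1$sUpdate_tg
                instead of update
                on %1$s_rv
                for each row
                    execute function %1$sUpdate();
            $sql$, targetTable);
        execute sql;
    end if;
```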