diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemEntity.java
index 08974cd8..8bdb5c8b 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemEntity.java
@@ -181,7 +181,7 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
                     with.permission(SELECT);
                 })
-                .limitDiagramTo("bookingItem", "debitor", "debitorRel", "global");
+                .limitDiagramTo("bookingItem", "debitorRel", "global");
     }
 
     public static void main(String[] args) throws IOException {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
index b595007a..9b4d2bbb 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
@@ -25,6 +25,7 @@ import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.ROLE_TO_ROLE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
 import static org.apache.commons.collections4.SetUtils.hashSet;
@@ -397,8 +398,7 @@ public class RbacView {
                     new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
         });
         copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
-            if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE &&
-                    (grantDef.forCases == null || grantDef.matchesCase(forCase)) ) {
+            if ( grantDef.grantType() == ROLE_TO_ROLE && grantDef.matchesCase(forCase) ) {
                 final var importedGrantDef = findOrCreateGrantDef(
                         findRbacRole(
                                 mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName),
@@ -610,7 +610,7 @@ public class RbacView {
         GrantType grantType() {
             return permDef != null ? PERM_TO_ROLE
                     : userDef != null ? GrantType.ROLE_TO_USER
-                    : GrantType.ROLE_TO_ROLE;
+                    : ROLE_TO_ROLE;
         }
 
         boolean isAssumed() {
@@ -630,7 +630,8 @@ public class RbacView {
         boolean matchesCase(final ColumnValue requestedCase) {
             final var noCasesDefined = forCases == null;
             final var generateForAllCases = requestedCase == null;
-            final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase));
+            final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase))
+                    || forCases.stream().anyMatch(CaseDef::isDefaultCase) && !allCases.stream().anyMatch(c -> c.isCase(requestedCase));
             return noCasesDefined || generateForAllCases || isGrantedForRequestedCase;
         }
 
diff --git a/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.md b/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.md
index f915d15e..25b45a58 100644
--- a/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.md
+++ b/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.md
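Review bot: In the `matchesCase` hunk the new `isGrantedForRequestedCase` expression mixes `||` and `&&` without parentheses, so the default-case branch reads as `defaultCase && !allCases…` only by operator precedence, `!allCases.stream().anyMatch(...)` is `noneMatch` spelled the hard way, and the leading `forCases == null` repeats `noCasesDefined` computed two lines above. Splitting it into two named conditions (below) yields the same result and makes the fallback rule readable. The fallback also deserves a comment and a second look: a grant bound to the default case is applied to any `requestedCase` that none of `allCases` recognizes, so if `allCases` is meant to be the complete enumeration, a value outside it is more likely a configuration error than a legitimate default, and failing loudly there would keep the generated RBAC grants fail-closed rather than silently widening them; where `allCases` is populated is outside this hunk, so this is an inference. `allCases` and `CaseDef::isDefaultCase` are not declared in the hunk, presumably members of the enclosing `RbacView`, so it is worth confirming `allCases` is initialized before any grant's `matchesCase` can run.
```java
        boolean matchesCase(final ColumnValue requestedCase) {
            final var noCasesDefined = forCases == null;
            final var generateForAllCases = requestedCase == null;
            if (noCasesDefined || generateForAllCases) {
                return true;
            }
            final var grantedExplicitly = forCases.stream().anyMatch(c -> c.isCase(requestedCase));
            // a grant bound to the default case also covers a requested case that no known case claims
            final var grantedViaDefaultCase = forCases.stream().anyMatch(CaseDef::isDefaultCase)
                    && allCases.stream().noneMatch(c -> c.isCase(requestedCase));
            return grantedExplicitly || grantedViaDefaultCase;
        }
```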
@@ -44,6 +44,10 @@ subgraph bookingItem["`**bookingItem**`"]
 end
 
 %% granting roles to roles
+role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel:AGENT -.-> role:debitorRel:TENANT
 role:debitorRel:AGENT ==> role:bookingItem:OWNER
 role:bookingItem:OWNER ==> role:bookingItem:ADMIN
 role:debitorRel:AGENT ==> role:bookingItem:ADMIN
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
index bb111027..56b4a6cd 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
@@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end
 
 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
index 2002f872..c70c6bbe 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
@@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end
 
 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
index 421756d5..c052618a 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
@@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end
 
 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md
index 834a0156..127dfac0 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md
@@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end
 
 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN