fix matching grant detection
This commit is contained in:
parent
35e961c758
commit
c6c5d52af3
@ -181,7 +181,7 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
|
||||
with.permission(SELECT);
|
||||
})
|
||||
|
||||
.limitDiagramTo("bookingItem", "debitor", "debitorRel", "global");
|
||||
.limitDiagramTo("bookingItem", "debitorRel", "global");
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException {
|
||||
|
@ -25,6 +25,7 @@ import static java.util.Optional.ofNullable;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.ROLE_TO_ROLE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
|
||||
import static org.apache.commons.collections4.SetUtils.hashSet;
|
||||
@ -397,8 +398,7 @@ public class RbacView {
|
||||
new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
|
||||
});
|
||||
copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
|
||||
if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE &&
|
||||
(grantDef.forCases == null || grantDef.matchesCase(forCase)) ) {
|
||||
if ( grantDef.grantType() == ROLE_TO_ROLE && grantDef.matchesCase(forCase) ) {
|
||||
final var importedGrantDef = findOrCreateGrantDef(
|
||||
findRbacRole(
|
||||
mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName),
|
||||
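Review bot: The new condition `grantDef.grantType() == ROLE_TO_ROLE && grantDef.matchesCase(forCase)` silently encodes two import policies that deserve a comment: only role-to-role grants of the imported view are copied (PERM_TO_ROLE and ROLE_TO_USER grants are skipped), and because `matchesCase` returns true whenever the requested case is null, a null `forCase` imports every case-specific variant of the other view's grants. Dropping the old `grantDef.forCases == null ||` guard is correct since `matchesCase` already short-circuits on `noCasesDefined`, so this is documentation only. I would add above the `if`: `// import only role-to-role grants; forCase == null takes over every case-specific variant, so callers must pass the concrete case when variants are mutually exclusive`. The enclosing import method starts before and continues past this hunk.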
@ -610,7 +610,7 @@ public class RbacView {
|
||||
GrantType grantType() {
|
||||
return permDef != null ? PERM_TO_ROLE
|
||||
: userDef != null ? GrantType.ROLE_TO_USER
|
||||
: GrantType.ROLE_TO_ROLE;
|
||||
: ROLE_TO_ROLE;
|
||||
}
|
||||
|
||||
boolean isAssumed() {
|
||||
@ -630,7 +630,8 @@ public class RbacView {
|
||||
boolean matchesCase(final ColumnValue requestedCase) {
|
||||
final var noCasesDefined = forCases == null;
|
||||
final var generateForAllCases = requestedCase == null;
|
||||
final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase));
|
||||
final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase))
|
||||
|| forCases.stream().anyMatch(CaseDef::isDefaultCase) && !allCases.stream().anyMatch(c -> c.isCase(requestedCase));
|
||||
return noCasesDefined || generateForAllCases || isGrantedForRequestedCase;
|
||||
}
|
||||
|
||||
|
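Review bot: The new default-case clause in `isGrantedForRequestedCase` relies on `&&` binding tighter than `||` and on a negated `anyMatch`, which makes an access-control decision hard to read and easy to invert on the next edit; it should be split into named booleans with `noneMatch`, and the null guards should become an early return so the stream expressions are never evaluated for a null `requestedCase` (the current code computes `isGrantedForRequestedCase` eagerly even when `generateForAllCases` is true, so it depends on `c.isCase(null)` being safe). One thing I cannot verify from the hunk: if `allCases` also contains the default `CaseDef` and its `isCase` matches the requested value, `grantedByDefault` would always be false — please confirm and pin the intended behaviour with a test that a default-only grant does not match a case explicitly listed in `allCases`. The rewrite below is behaviour-preserving apart from no longer touching the streams when `forCases` or `requestedCase` is null.
```java
boolean matchesCase(final ColumnValue requestedCase) {
    // no case restriction on the grant, or generating for all cases -> always granted
    if (forCases == null || requestedCase == null) {
        return true;
    }
    final boolean explicitlyGranted = forCases.stream().anyMatch(c -> c.isCase(requestedCase));
    // a default-case grant applies only to cases not explicitly declared anywhere
    final boolean grantedByDefault = forCases.stream().anyMatch(CaseDef::isDefaultCase)
            && allCases.stream().noneMatch(c -> c.isCase(requestedCase));
    return explicitlyGranted || grantedByDefault;
}
```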
@ -44,6 +44,10 @@ subgraph bookingItem["`**bookingItem**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||
role:debitorRel:AGENT ==> role:bookingItem:OWNER
|
||||
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
|
||||
role:debitorRel:AGENT ==> role:bookingItem:ADMIN
|
||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||
|