diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
index 2cf1ada2..f1f8ffff 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
@@ -27,7 +27,6 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
diff --git a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md b/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
index d458212c..3681b8e6 100644
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.md
@@ -42,7 +42,7 @@ subgraph membership["`**membership**`"] role:membership:OWNER[[membership:OWNER]] role:membership:ADMIN[[membership:ADMIN]] - role:membership:REFERRER[[membership:REFERRER]] + role:membership:AGENT[[membership:AGENT]] end subgraph membership:permissions[ ]
@@ -105,16 +105,16 @@ role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER -role:partnerRel:ADMIN ==> role:membership:OWNER role:membership:OWNER ==> role:membership:ADMIN -role:partnerRel:AGENT ==> role:membership:ADMIN -role:membership:ADMIN ==> role:membership:REFERRER -role:membership:REFERRER ==> role:partnerRel:TENANT +role:partnerRel:ADMIN ==> role:membership:ADMIN +role:membership:ADMIN ==> role:membership:AGENT +role:partnerRel:AGENT ==> role:membership:AGENT +role:membership:AGENT ==> role:partnerRel:TENANT %% granting permissions to roles role:global:ADMIN ==> perm:membership:INSERT -role:membership:OWNER ==> perm:membership:DELETE +role:membership:ADMIN ==> perm:membership:DELETE role:membership:ADMIN ==> perm:membership:UPDATE -role:membership:REFERRER ==> perm:membership:SELECT +role:membership:AGENT ==> perm:membership:SELECT ```
diff --git a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
index 9c423ba4..7f8de66b 100644
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
@@ -45,23 +45,23 @@ begin
 perform createRoleWithGrants(
 hsOfficeMembershipOWNER(NEW),
- permissions => array['DELETE'],
- incomingSuperRoles => array[hsOfficeRelationADMIN(newPartnerRel)],
 userUuids => array[currentUserUuid()]
 );
 perform createRoleWithGrants(
 hsOfficeMembershipADMIN(NEW),
- permissions => array['UPDATE'],
+ permissions => array['DELETE', 'UPDATE'],
 incomingSuperRoles => array[
 hsOfficeMembershipOWNER(NEW),
- hsOfficeRelationAGENT(newPartnerRel)]
+ hsOfficeRelationADMIN(newPartnerRel)]
 );
 perform createRoleWithGrants(
- hsOfficeMembershipREFERRER(NEW),
+ hsOfficeMembershipAGENT(NEW),
 permissions => array['SELECT'],
- incomingSuperRoles => array[hsOfficeMembershipADMIN(NEW)],
+ incomingSuperRoles => array[
+ hsOfficeMembershipADMIN(NEW),
+ hsOfficeRelationAGENT(newPartnerRel)],
 outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
 );
diff --git a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md
index cdc18b6f..26ff3d5c 100644
--- a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md
+++ b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.md
@@ -13,9 +13,9 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers subgraph membership.partnerRel.holderPerson:roles[ ] style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] + role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]] + role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]] + role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]] end end
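Review bot: After this hunk the membership OWNER role from the first `perform createRoleWithGrants(` call has neither `permissions` nor `incomingSuperRoles` left — it is held only by `currentUserUuid()` and serves purely as a super role of membership ADMIN through the second call's `incomingSuperRoles`. That is a legitimate shape, but next to the other two calls it reads like an accidental deletion; a comment such as `-- OWNER keeps no permissions of its own, it only delegates to ADMIN` above the call would stop the next reader from re-adding DELETE here. The net effect is that hsOfficeRelationADMIN keeps DELETE and UPDATE (now through membership ADMIN) while hsOfficeRelationAGENT drops from UPDATE to SELECT; the diagram in 303-hs-office-membership-rbac.md matches, but the Java RbacView definition for the entity is not in this diff beyond the removed REFERRER import, so confirm both were regenerated from the same source. If these are Liquibase changesets that have already been applied somewhere, editing them in place leaves those databases with the old grants and trips the checksum check — a follow-up changeset would be the safer route. The enclosing trigger function begins before this hunk.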
@@ -26,9 +26,9 @@ subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPers subgraph membership.partnerRel.anchorPerson:roles[ ] style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] + role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]] + role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]] + role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]] end end 
@@ -49,103 +49,12 @@ subgraph membership["`**membership**`"] direction TB style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px - subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] - end - end - - subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] - end - end - - subgraph membership.partnerRel["`**membership.partnerRel**`"] - direction TB - style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - 
role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] - end - end - - subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] - end - end - - subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] - end - end - - subgraph membership.partnerRel:roles[ ] - style membership.partnerRel:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel:owner[[membership.partnerRel:owner]] - role:membership.partnerRel:admin[[membership.partnerRel:admin]] - role:membership.partnerRel:agent[[membership.partnerRel:agent]] - role:membership.partnerRel:tenant[[membership.partnerRel:tenant]] - end - end - - subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph 
membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] - end - end - subgraph membership:roles[ ] style membership:roles fill:#99bcdb,stroke:white - role:membership:owner[[membership:owner]] - role:membership:admin[[membership:admin]] - role:membership:referrer[[membership:referrer]] + role:membership:OWNER[[membership:OWNER]] + role:membership:ADMIN[[membership:ADMIN]] + role:membership:AGENT[[membership:AGENT]] end end 
@@ -153,52 +62,13 @@ subgraph membership.partnerRel["`**membership.partnerRel**`"] direction TB style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] - end - end - - subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] - end - end - - subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] - end - end - subgraph 
membership.partnerRel:roles[ ] style membership.partnerRel:roles fill:#99bcdb,stroke:white - role:membership.partnerRel:owner[[membership.partnerRel:owner]] - role:membership.partnerRel:admin[[membership.partnerRel:admin]] - role:membership.partnerRel:agent[[membership.partnerRel:agent]] - role:membership.partnerRel:tenant[[membership.partnerRel:tenant]] + role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]] + role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]] + role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]] + role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]] end end 
@@ -209,42 +79,42 @@ subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] subgraph membership.partnerRel.contact:roles[ ] style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] + role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]] + role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]] + role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]] end end %% granting roles to roles -role:global:admin -.-> role:membership.partnerRel.anchorPerson:owner -role:membership.partnerRel.anchorPerson:owner -.-> role:membership.partnerRel.anchorPerson:admin -role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel.anchorPerson:referrer -role:global:admin -.-> role:membership.partnerRel.holderPerson:owner -role:membership.partnerRel.holderPerson:owner -.-> role:membership.partnerRel.holderPerson:admin -role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel.holderPerson:referrer -role:global:admin -.-> role:membership.partnerRel.contact:owner -role:membership.partnerRel.contact:owner -.-> role:membership.partnerRel.contact:admin -role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel.contact:referrer -role:global:admin -.-> role:membership.partnerRel:owner -role:membership.partnerRel:owner -.-> role:membership.partnerRel:admin -role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel:admin -role:membership.partnerRel:admin -.-> role:membership.partnerRel:agent -role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:agent -role:membership.partnerRel:agent -.-> role:membership.partnerRel:tenant 
-role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:tenant -role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel:tenant -role:membership.partnerRel:tenant -.-> role:membership.partnerRel.anchorPerson:referrer -role:membership.partnerRel:tenant -.-> role:membership.partnerRel.holderPerson:referrer -role:membership.partnerRel:tenant -.-> role:membership.partnerRel.contact:referrer -role:membership.partnerRel:admin -.-> role:membership:owner -role:membership:owner -.-> role:membership:admin -role:membership.partnerRel:agent -.-> role:membership:admin -role:membership:admin -.-> role:membership:referrer -role:membership:referrer -.-> role:membership.partnerRel:tenant +role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER +role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN +role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER +role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER +role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN +role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER +role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER +role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN +role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER +role:global:ADMIN -.-> role:membership.partnerRel:OWNER +role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN +role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN +role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT +role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT +role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT +role:membership.partnerRel.holderPerson:ADMIN -.-> 
role:membership.partnerRel:TENANT +role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT +role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER +role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER +role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER +role:membership:OWNER -.-> role:membership:ADMIN +role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN +role:membership:ADMIN -.-> role:membership:AGENT +role:membership.partnerRel:AGENT -.-> role:membership:AGENT +role:membership:AGENT -.-> role:membership.partnerRel:TENANT %% granting permissions to roles -role:membership:admin ==> perm:coopSharesTransaction:INSERT -role:membership:admin ==> perm:coopSharesTransaction:UPDATE -role:membership:admin ==> perm:coopSharesTransaction:SELECT +role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT +role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE +role:membership:AGENT ==> perm:coopSharesTransaction:SELECT ```
diff --git a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
index 0f063309..f4856f0a 100644
--- a/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
@@ -38,8 +38,8 @@ begin
 SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
 assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
- call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAdmin(newMembership));
- call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipAdmin(newMembership));
+ call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+ call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
@@ -81,7 +81,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
- hsOfficeMembershipAdmin(row));
+ hsOfficeMembershipADMIN(row));
 END LOOP;
 END; $$;
@@ -96,7 +96,7 @@ create or replace function hs_office_coopsharestransaction_hs_office_membership_
 begin
 call grantPermissionToRole(
 createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
- hsOfficeMembershipAdmin(NEW));
+ hsOfficeMembershipADMIN(NEW));
 return NEW;
 end; $$;
diff --git a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md
index cbbe3fad..d220a38c 100644
--- a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md
+++ b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.md
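Review bot: The first hunk now hands SELECT on each coop-shares transaction to `hsOfficeMembershipAGENT(newMembership)`, but the definition of that role-descriptor function is nowhere in this diff — only its use in 303-hs-office-membership-rbac.sql is — so if the descriptors are generated per role name elsewhere, confirm AGENT is among them; otherwise this trigger fails on the first insert. The `hsOfficeMembershipAdmin` → `hsOfficeMembershipADMIN` renames in the second and third hunks, and the identical three hunks in 323-hs-office-coopassets-rbac.sql, are cosmetic: unquoted PostgreSQL identifiers fold to lower case, so both spellings resolve to the same function — fine for consistency, just not a behavioral change. What is behavioral, and worth a line in the changeset comment, is that everything reachable only through membership AGENT (per 303, the partner-relation AGENT) now reads transactions instead of also updating them, since the old grant gave both SELECT and UPDATE to membership ADMIN. The trigger function holding the first hunk begins before it.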
@@ -13,9 +13,9 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers subgraph membership.partnerRel.holderPerson:roles[ ] style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] + role:membership.partnerRel.holderPerson:OWNER[[membership.partnerRel.holderPerson:OWNER]] + role:membership.partnerRel.holderPerson:ADMIN[[membership.partnerRel.holderPerson:ADMIN]] + role:membership.partnerRel.holderPerson:REFERRER[[membership.partnerRel.holderPerson:REFERRER]] end end @@ -26,9 +26,9 @@ subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPers subgraph membership.partnerRel.anchorPerson:roles[ ] style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] + role:membership.partnerRel.anchorPerson:OWNER[[membership.partnerRel.anchorPerson:OWNER]] + role:membership.partnerRel.anchorPerson:ADMIN[[membership.partnerRel.anchorPerson:ADMIN]] + role:membership.partnerRel.anchorPerson:REFERRER[[membership.partnerRel.anchorPerson:REFERRER]] end end 
@@ -49,103 +49,12 @@ subgraph membership["`**membership**`"] direction TB style membership fill:#99bcdb,stroke:#274d6e,stroke-width:8px - subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] - end - end - - subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] - end - end - - subgraph membership.partnerRel["`**membership.partnerRel**`"] - direction TB - style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - 
role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] - end - end - - subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] - end - end - - subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] - end - end - - subgraph membership.partnerRel:roles[ ] - style membership.partnerRel:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel:owner[[membership.partnerRel:owner]] - role:membership.partnerRel:admin[[membership.partnerRel:admin]] - role:membership.partnerRel:agent[[membership.partnerRel:agent]] - role:membership.partnerRel:tenant[[membership.partnerRel:tenant]] - end - end - - subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph 
membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] - end - end - subgraph membership:roles[ ] style membership:roles fill:#99bcdb,stroke:white - role:membership:owner[[membership:owner]] - role:membership:admin[[membership:admin]] - role:membership:referrer[[membership:referrer]] + role:membership:OWNER[[membership:OWNER]] + role:membership:ADMIN[[membership:ADMIN]] + role:membership:AGENT[[membership:AGENT]] end end 
@@ -153,52 +62,13 @@ subgraph membership.partnerRel["`**membership.partnerRel**`"] direction TB style membership.partnerRel fill:#99bcdb,stroke:#274d6e,stroke-width:8px - subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPerson**`"] - direction TB - style membership.partnerRel.holderPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.holderPerson:roles[ ] - style membership.partnerRel.holderPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.holderPerson:owner[[membership.partnerRel.holderPerson:owner]] - role:membership.partnerRel.holderPerson:admin[[membership.partnerRel.holderPerson:admin]] - role:membership.partnerRel.holderPerson:referrer[[membership.partnerRel.holderPerson:referrer]] - end - end - - subgraph membership.partnerRel.anchorPerson["`**membership.partnerRel.anchorPerson**`"] - direction TB - style membership.partnerRel.anchorPerson fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.anchorPerson:roles[ ] - style membership.partnerRel.anchorPerson:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.anchorPerson:owner[[membership.partnerRel.anchorPerson:owner]] - role:membership.partnerRel.anchorPerson:admin[[membership.partnerRel.anchorPerson:admin]] - role:membership.partnerRel.anchorPerson:referrer[[membership.partnerRel.anchorPerson:referrer]] - end - end - - subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] - direction TB - style membership.partnerRel.contact fill:#99bcdb,stroke:#274d6e,stroke-width:8px - - subgraph membership.partnerRel.contact:roles[ ] - style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] - end - end - subgraph 
membership.partnerRel:roles[ ] style membership.partnerRel:roles fill:#99bcdb,stroke:white - role:membership.partnerRel:owner[[membership.partnerRel:owner]] - role:membership.partnerRel:admin[[membership.partnerRel:admin]] - role:membership.partnerRel:agent[[membership.partnerRel:agent]] - role:membership.partnerRel:tenant[[membership.partnerRel:tenant]] + role:membership.partnerRel:OWNER[[membership.partnerRel:OWNER]] + role:membership.partnerRel:ADMIN[[membership.partnerRel:ADMIN]] + role:membership.partnerRel:AGENT[[membership.partnerRel:AGENT]] + role:membership.partnerRel:TENANT[[membership.partnerRel:TENANT]] end end 
@@ -209,42 +79,42 @@ subgraph membership.partnerRel.contact["`**membership.partnerRel.contact**`"] subgraph membership.partnerRel.contact:roles[ ] style membership.partnerRel.contact:roles fill:#99bcdb,stroke:white - role:membership.partnerRel.contact:owner[[membership.partnerRel.contact:owner]] - role:membership.partnerRel.contact:admin[[membership.partnerRel.contact:admin]] - role:membership.partnerRel.contact:referrer[[membership.partnerRel.contact:referrer]] + role:membership.partnerRel.contact:OWNER[[membership.partnerRel.contact:OWNER]] + role:membership.partnerRel.contact:ADMIN[[membership.partnerRel.contact:ADMIN]] + role:membership.partnerRel.contact:REFERRER[[membership.partnerRel.contact:REFERRER]] end end %% granting roles to roles -role:global:admin -.-> role:membership.partnerRel.anchorPerson:owner -role:membership.partnerRel.anchorPerson:owner -.-> role:membership.partnerRel.anchorPerson:admin -role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel.anchorPerson:referrer -role:global:admin -.-> role:membership.partnerRel.holderPerson:owner -role:membership.partnerRel.holderPerson:owner -.-> role:membership.partnerRel.holderPerson:admin -role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel.holderPerson:referrer -role:global:admin -.-> role:membership.partnerRel.contact:owner -role:membership.partnerRel.contact:owner -.-> role:membership.partnerRel.contact:admin -role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel.contact:referrer -role:global:admin -.-> role:membership.partnerRel:owner -role:membership.partnerRel:owner -.-> role:membership.partnerRel:admin -role:membership.partnerRel.anchorPerson:admin -.-> role:membership.partnerRel:admin -role:membership.partnerRel:admin -.-> role:membership.partnerRel:agent -role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:agent -role:membership.partnerRel:agent -.-> role:membership.partnerRel:tenant 
-role:membership.partnerRel.holderPerson:admin -.-> role:membership.partnerRel:tenant -role:membership.partnerRel.contact:admin -.-> role:membership.partnerRel:tenant -role:membership.partnerRel:tenant -.-> role:membership.partnerRel.anchorPerson:referrer -role:membership.partnerRel:tenant -.-> role:membership.partnerRel.holderPerson:referrer -role:membership.partnerRel:tenant -.-> role:membership.partnerRel.contact:referrer -role:membership.partnerRel:admin -.-> role:membership:owner -role:membership:owner -.-> role:membership:admin -role:membership.partnerRel:agent -.-> role:membership:admin -role:membership:admin -.-> role:membership:referrer -role:membership:referrer -.-> role:membership.partnerRel:tenant +role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER +role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN +role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER +role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER +role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN +role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER +role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER +role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN +role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER +role:global:ADMIN -.-> role:membership.partnerRel:OWNER +role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN +role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN +role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT +role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT +role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT +role:membership.partnerRel.holderPerson:ADMIN -.-> 
role:membership.partnerRel:TENANT +role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT +role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER +role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER +role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER +role:membership:OWNER -.-> role:membership:ADMIN +role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN +role:membership:ADMIN -.-> role:membership:AGENT +role:membership.partnerRel:AGENT -.-> role:membership:AGENT +role:membership:AGENT -.-> role:membership.partnerRel:TENANT %% granting permissions to roles -role:membership:admin ==> perm:coopAssetsTransaction:INSERT -role:membership:admin ==> perm:coopAssetsTransaction:UPDATE -role:membership:admin ==> perm:coopAssetsTransaction:SELECT +role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT +role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE +role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT ```
diff --git a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
index d1218873..df1fdd3b 100644
--- a/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
@@ -38,8 +38,8 @@ begin
 SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
 assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
- call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAdmin(newMembership));
- call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipAdmin(newMembership));
+ call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
+ call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
 call leaveTriggerForObjectUuid(NEW.uuid);
 end;
 $$;
@@ -81,7 +81,7 @@ do language plpgsql $$
 LOOP
 call grantPermissionToRole(
 createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
- hsOfficeMembershipAdmin(row));
+ hsOfficeMembershipADMIN(row));
 END LOOP;
 END;
 $$;
@@ -96,7 +96,7 @@ create or replace function hs_office_coopassetstransaction_hs_office_membership_
 begin
 call grantPermissionToRole(
 createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
- hsOfficeMembershipAdmin(NEW));
+ hsOfficeMembershipADMIN(NEW));
 return NEW;
 end;
 $$;
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
index 273b331d..f3601449 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
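Review bot: The SELECT re-grant to `hsOfficeMembershipAGENT(newMembership)` in the first hunk sits in a per-row trigger keyed on `NEW.uuid`, so it only takes effect for coop-asset transactions inserted after this changeset runs; none of the three hunks re-grants SELECT for transaction rows that already exist (the loop in the second hunk only re-grants INSERT per membership), which on a database where this changelog was already applied would presumably leave those rows without any AGENT grant. Note also that PostgreSQL folds unquoted identifiers to lowercase, so `hsOfficeMembershipADMIN(...)` resolves to the same function as the removed `hsOfficeMembershipAdmin(...)` and the second and third hunks are cosmetic; the only behavioural change in this file is the SELECT grant, and it depends on `hsOfficeMembershipAGENT` actually being defined, which is not shown here. Per the .md hunk above, the net effect is that `membership.partnerRel:AGENT` keeps SELECT on coop-asset transactions but no longer reaches INSERT/UPDATE, which it previously got via `membership:admin`; a comment on the changed line would make that intent explicit, e.g. `-- SELECT is granted to AGENT on purpose: partnerRel agents may read but not modify transactions; ADMIN reaches SELECT through ADMIN -.-> AGENT`. The enclosing trigger function begins outside the first hunk.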
@@ -338,15 +338,15 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle void partnerRelAdmin_canPatchValidityOfRelatedMembership() { // given - final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH.ADMIN"; - context.define("superuser-alex@hostsharing.net", givenPartnerAgent); + final var givenPartnerAdmin = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN"; + context.define("superuser-alex@hostsharing.net", givenPartnerAdmin); final var givenMembership = givenSomeTemporaryMembershipBessler("First"); // when RestAssured // @formatter:off .given() .header("current-user", "superuser-alex@hostsharing.net") - .header("assumed-roles", givenPartnerAgent) + .header("assumed-roles", givenPartnerAdmin) .contentType(ContentType.JSON) .body(""" {
