avoid nested subselect for insert permission check
This commit is contained in:
parent
86ee6dfe16
commit
fc51f2a532
@ -150,11 +150,7 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
|
|||||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationEntity.class,
|
.importRootEntityAliasProxy("debitorRel", HsOfficeRelationEntity.class,
|
||||||
fetchedBySql("""
|
directlyFetchedByDependsOnColumn(),
|
||||||
SELECT *
|
|
||||||
FROM hs_office_relation AS r
|
|
||||||
WHERE r.type = 'DEBITOR' AND r.uuid = ${REF}.debitorRelUuid
|
|
||||||
"""),
|
|
||||||
dependsOnColumn("debitorRelUuid"))
|
dependsOnColumn("debitorRelUuid"))
|
||||||
.createPermission(DELETE).grantedTo("debitorRel", OWNER)
|
.createPermission(DELETE).grantedTo("debitorRel", OWNER)
|
||||||
.createPermission(UPDATE).grantedTo("debitorRel", ADMIN)
|
.createPermission(UPDATE).grantedTo("debitorRel", ADMIN)
|
||||||
@ -170,7 +166,7 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
|
|||||||
.importEntityAlias("partnerRel", HsOfficeRelationEntity.class,
|
.importEntityAlias("partnerRel", HsOfficeRelationEntity.class,
|
||||||
dependsOnColumn("debitorRelUuid"),
|
dependsOnColumn("debitorRelUuid"),
|
||||||
fetchedBySql("""
|
fetchedBySql("""
|
||||||
SELECT partnerRel.*
|
SELECT ${columns}
|
||||||
FROM hs_office_relation AS partnerRel
|
FROM hs_office_relation AS partnerRel
|
||||||
JOIN hs_office_relation AS debitorRel
|
JOIN hs_office_relation AS debitorRel
|
||||||
ON debitorRel.type = 'DEBITOR' AND debitorRel.anchorUuid = partnerRel.holderUuid
|
ON debitorRel.type = 'DEBITOR' AND debitorRel.anchorUuid = partnerRel.holderUuid
|
||||||
|
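Review bot: Switching the `debitorRel` proxy to `directlyFetchedByDependsOnColumn()` drops the `r.type = 'DEBITOR'` filter that the removed `fetchedBySql` query enforced, so the generated lookup (presumably `SELECT * FROM hs_office_relation WHERE uuid = NEW.debitorRelUuid`, following the pattern of the generated relation SQL in this commit) now accepts a `debitorRelUuid` that points at a relation of any type, and the DELETE/UPDATE grants to `debitorRel` OWNER/ADMIN then follow that relation's roles. The second hunk still requires `debitorRel.type = 'DEBITOR'` when deriving `partnerRel`, so the two lookups are no longer consistent. Unless a column constraint or trigger elsewhere guarantees that the referenced relation is of type DEBITOR, that invariant should be enforced at the table level (e.g. a check trigger on `hs_office_debitor.debitorRelUuid`), because the RBAC trigger no longer does it. The `rbac()` builder chain these lines belong to starts before and ends after the hunk.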
@ -132,10 +132,10 @@ public class HsOfficeMembershipEntity implements HasUuid, Stringifyable {
|
|||||||
.importEntityAlias("partnerRel", HsOfficeRelationEntity.class,
|
.importEntityAlias("partnerRel", HsOfficeRelationEntity.class,
|
||||||
dependsOnColumn("partnerUuid"),
|
dependsOnColumn("partnerUuid"),
|
||||||
fetchedBySql("""
|
fetchedBySql("""
|
||||||
SELECT r.*
|
SELECT ${columns}
|
||||||
FROM hs_office_partner AS p
|
FROM hs_office_partner AS partner
|
||||||
JOIN hs_office_relation AS r ON r.uuid = p.partnerRelUuid
|
JOIN hs_office_relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
|
||||||
WHERE p.uuid = ${REF}.partnerUuid
|
WHERE partner.uuid = ${REF}.partnerUuid
|
||||||
"""),
|
"""),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.toRole("partnerRel", ADMIN).grantPermission(INSERT)
|
.toRole("partnerRel", ADMIN).grantPermission(INSERT)
|
||||||
|
@ -32,7 +32,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnCo
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
import static java.util.Optional.ofNullable;
|
import static java.util.Optional.ofNullable;
|
||||||
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
||||||
@ -98,14 +98,14 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid {
|
|||||||
.toRole("global", ADMIN).grantPermission(INSERT) // FIXME: global -> partnerRel.anchor?
|
.toRole("global", ADMIN).grantPermission(INSERT) // FIXME: global -> partnerRel.anchor?
|
||||||
|
|
||||||
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
|
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
|
||||||
fetchedBySql("SELECT * FROM hs_office_relation AS r WHERE r.uuid = ${ref}.partnerRelUuid"),
|
directlyFetchedByDependsOnColumn(),
|
||||||
dependsOnColumn("partnerRelUuid"))
|
dependsOnColumn("partnerRelUuid"))
|
||||||
.createPermission(DELETE).grantedTo("partnerRel", ADMIN)
|
.createPermission(DELETE).grantedTo("partnerRel", ADMIN)
|
||||||
.createPermission(UPDATE).grantedTo("partnerRel", AGENT)
|
.createPermission(UPDATE).grantedTo("partnerRel", AGENT)
|
||||||
.createPermission(SELECT).grantedTo("partnerRel", TENANT)
|
.createPermission(SELECT).grantedTo("partnerRel", TENANT)
|
||||||
|
|
||||||
.importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class,
|
.importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class,
|
||||||
fetchedBySql("SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = ${ref}.detailsUuid"),
|
directlyFetchedByDependsOnColumn(),
|
||||||
dependsOnColumn("detailsUuid"))
|
dependsOnColumn("detailsUuid"))
|
||||||
.createPermission("partnerDetails", DELETE).grantedTo("partnerRel", ADMIN)
|
.createPermission("partnerDetails", DELETE).grantedTo("partnerRel", ADMIN)
|
||||||
.createPermission("partnerDetails", UPDATE).grantedTo("partnerRel", AGENT)
|
.createPermission("partnerDetails", UPDATE).grantedTo("partnerRel", AGENT)
|
||||||
|
@ -20,7 +20,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
||||||
|
|
||||||
@ -91,15 +91,15 @@ public class HsOfficeRelationEntity implements HasUuid, Stringifyable {
|
|||||||
.withUpdatableColumns("contactUuid")
|
.withUpdatableColumns("contactUuid")
|
||||||
.importEntityAlias("anchorPerson", HsOfficePersonEntity.class,
|
.importEntityAlias("anchorPerson", HsOfficePersonEntity.class,
|
||||||
dependsOnColumn("anchorUuid"),
|
dependsOnColumn("anchorUuid"),
|
||||||
fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.anchorUuid"),
|
directlyFetchedByDependsOnColumn(),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.importEntityAlias("holderPerson", HsOfficePersonEntity.class,
|
.importEntityAlias("holderPerson", HsOfficePersonEntity.class,
|
||||||
dependsOnColumn("holderUuid"),
|
dependsOnColumn("holderUuid"),
|
||||||
fetchedBySql("select * from hs_office_person as p where p.uuid = ${REF}.holderUuid"),
|
directlyFetchedByDependsOnColumn(),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.importEntityAlias("contact", HsOfficeContactEntity.class,
|
.importEntityAlias("contact", HsOfficeContactEntity.class,
|
||||||
dependsOnColumn("contactUuid"),
|
dependsOnColumn("contactUuid"),
|
||||||
fetchedBySql("select * from hs_office_contact as c where c.uuid = ${REF}.contactUuid"),
|
directlyFetchedByDependsOnColumn(),
|
||||||
NOT_NULL)
|
NOT_NULL)
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.owningUser(CREATOR);
|
with.owningUser(CREATOR);
|
||||||
|
@ -107,7 +107,7 @@ public class HsOfficeSepaMandateEntity implements Stringifyable, HasUuid {
|
|||||||
.importEntityAlias("debitorRel", HsOfficeRelationEntity.class,
|
.importEntityAlias("debitorRel", HsOfficeRelationEntity.class,
|
||||||
dependsOnColumn("debitorUuid"),
|
dependsOnColumn("debitorUuid"),
|
||||||
fetchedBySql("""
|
fetchedBySql("""
|
||||||
SELECT debitorRel.*
|
SELECT ${columns}
|
||||||
FROM hs_office_relation debitorRel
|
FROM hs_office_relation debitorRel
|
||||||
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
WHERE debitor.uuid = ${REF}.debitorUuid
|
WHERE debitor.uuid = ${REF}.debitorUuid
|
||||||
|
@ -114,8 +114,7 @@ public class InsertTriggerGenerator {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
final var superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
|
if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
|
||||||
if (superRoleEntityAlias.fetchSql().part == RbacView.SQL.Part.AUTO_FETCH) {
|
|
||||||
generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(plPgSql, g);
|
generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(plPgSql, g);
|
||||||
} else {
|
} else {
|
||||||
generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
|
generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
|
||||||
@ -164,24 +163,27 @@ public class InsertTriggerGenerator {
|
|||||||
|
|
||||||
An indirect role is a role FIXME.
|
An indirect role is a role FIXME.
|
||||||
*/
|
*/
|
||||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
create or replace function ${rawSubTable}_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
|
||||||
|
declare
|
||||||
|
superRoleObjectUuid uuid;
|
||||||
|
|
||||||
begin
|
begin
|
||||||
if ( not hasInsertPermission(
|
|
||||||
( SELECT ${varName}.uuid FROM
|
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
with("varName", g.getSuperRoleDef().getEntityAlias().aliasName()));
|
plPgSql.chopEmptyLines();
|
||||||
plPgSql.indented(3, () -> {
|
plPgSql.indented(2, () -> {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"(" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ") AS ${varName}",
|
"superRoleObjectUuid := (" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ");\n" +
|
||||||
with("varName", g.getSuperRoleDef().getEntityAlias().aliasName()),
|
"assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';",
|
||||||
|
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
||||||
with("ref", NEW.name()));
|
with("ref", NEW.name()));
|
||||||
});
|
});
|
||||||
|
plPgSql.writeLn();
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
|
if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', '${rawSubTable}') ) then
|
||||||
), 'INSERT', '${rawSubTable}') ) then
|
|
||||||
raise exception
|
raise exception
|
||||||
'[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
|
'[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
@ -192,7 +194,7 @@ public class InsertTriggerGenerator {
|
|||||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||||
before insert on ${rawSubTable}
|
before insert on ${rawSubTable}
|
||||||
for each row
|
for each row
|
||||||
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
execute procedure ${rawSubTable}_insert_permission_check_tf();
|
||||||
|
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
|
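Review bot: The generated `assert superRoleObjectUuid is not null` is the only guard between a NULL lookup result and the `hasInsertPermission(superRoleObjectUuid, ...)` call, and PL/pgSQL `assert` statements are skipped entirely when `plpgsql.check_asserts` is off; with a NULL argument the `if ( not hasInsertPermission(...) )` test presumably yields NULL rather than true, so the `raise exception` branch is not taken and the insert goes through. A fail-closed form that does not depend on a server setting is `if ( superRoleObjectUuid is null or not hasInsertPermission(superRoleObjectUuid, 'INSERT', '${rawSubTable}') ) then`, keeping the assert only as a debugging aid. The doc comment of the generated function still says `An indirect role is a role FIXME.` while the generated direct-FK variant in this commit was filled in; a matching line such as `An indirect role is a role whose object is reached through a fetched related entity rather than through a foreign key of the NEW row itself.` belongs here. The generator method begins before this hunk and its closing lines are outside it.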
@ -26,18 +26,20 @@ public class RbacIdentityViewGenerator {
|
|||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
switch (rbacDef.getIdentityViewSqlQuery().part) {
|
switch (rbacDef.getIdentityViewSqlQuery().part) {
|
||||||
case SQL_PROJECTION -> """
|
case SQL_PROJECTION -> """
|
||||||
call generateRbacIdentityViewFromProjection('${rawTableName}', $idName$
|
call generateRbacIdentityViewFromProjection('${rawTableName}',
|
||||||
${identityViewSqlPart}
|
$idName$
|
||||||
|
${identityViewSqlPart}
|
||||||
$idName$);
|
$idName$);
|
||||||
""";
|
""";
|
||||||
case SQL_QUERY -> """
|
case SQL_QUERY -> """
|
||||||
call generateRbacIdentityViewFromQuery('${rawTableName}', $idName$
|
call generateRbacIdentityViewFromQuery('${rawTableName}',
|
||||||
${identityViewSqlPart}
|
$idName$
|
||||||
|
${identityViewSqlPart}
|
||||||
$idName$);
|
$idName$);
|
||||||
""";
|
""";
|
||||||
default -> throw new IllegalStateException("illegal SQL part given");
|
default -> throw new IllegalStateException("illegal SQL part given");
|
||||||
},
|
},
|
||||||
with("identityViewSqlPart", rbacDef.getIdentityViewSqlQuery().sql),
|
with("identityViewSqlPart", StringWriter.indented(2, rbacDef.getIdentityViewSqlQuery().sql)),
|
||||||
with("rawTableName", rawTableName));
|
with("rawTableName", rawTableName));
|
||||||
|
|
||||||
plPgSql.writeLn("--//");
|
plPgSql.writeLn("--//");
|
||||||
|
@ -32,10 +32,10 @@ public class RbacRestrictedViewGenerator {
|
|||||||
|
|
||||||
""",
|
""",
|
||||||
with("liquibaseTagPrefix", liquibaseTagPrefix),
|
with("liquibaseTagPrefix", liquibaseTagPrefix),
|
||||||
with("orderBy", indented(rbacDef.getOrderBySqlExpression().sql, 2)),
|
with("orderBy", indented(2, rbacDef.getOrderBySqlExpression().sql)),
|
||||||
with("updates", indented(rbacDef.getUpdatableColumns().stream()
|
with("updates", indented(2, rbacDef.getUpdatableColumns().stream()
|
||||||
.map(c -> c + " = new." + c)
|
.map(c -> c + " = new." + c)
|
||||||
.collect(joining(",\n")), 2)),
|
.collect(joining(",\n")))),
|
||||||
with("rawTableName", rawTableName));
|
with("rawTableName", rawTableName));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -34,6 +34,7 @@ import static java.util.Arrays.stream;
|
|||||||
import static java.util.Optional.ofNullable;
|
import static java.util.Optional.ofNullable;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
import static org.apache.commons.lang3.StringUtils.uncapitalize;
|
import static org.apache.commons.lang3.StringUtils.uncapitalize;
|
||||||
|
|
||||||
@ -839,8 +840,8 @@ public class RbacView {
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean hasFetchSql() {
|
boolean isFetchedByDirectForeignKey() {
|
||||||
return fetchSql != null;
|
return fetchSql != null && fetchSql.part == AUTO_FETCH;
|
||||||
}
|
}
|
||||||
|
|
||||||
private String withoutEntitySuffix(final String simpleEntityName) {
|
private String withoutEntitySuffix(final String simpleEntityName) {
|
||||||
@ -909,14 +910,25 @@ public class RbacView {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* DSL method to specify an SQL SELECT expression which fetches the related entity,
|
* DSL method to specify an SQL SELECT expression which fetches the related entity,
|
||||||
* using the reference `${ref}` of the root entity.
|
* using the reference `${ref}` of the root entity and `${columns}` for the projection.
|
||||||
* `${ref}` is going to be replaced by either `NEW` or `OLD` of the trigger function.
|
*
|
||||||
* `into ...` will be added with a variable name prefixed with either `new` or `old`.
|
* <p>The query <strong>must define</strong> the entity alias name of the fetched table
|
||||||
|
* as its alias for, so it can be used in the generated projection (the columns between
|
||||||
|
* `SELECT` and `FROM`.</p>
|
||||||
|
*
|
||||||
|
* <p>`${ref}` is going to be replaced by either `NEW` or `OLD` of the trigger function.
|
||||||
|
* `into ...` will be added with a variable name prefixed with either `new` or `old`.</p>
|
||||||
|
*
|
||||||
|
* <p>`${columns}` is going to be replaced by the columns which are needed for the query,
|
||||||
|
* e.g. `*` or `uuid`.</p>
|
||||||
*
|
*
|
||||||
* @param sql an SQL SELECT expression (not ending with ';)
|
* @param sql an SQL SELECT expression (not ending with ';)
|
||||||
* @return the wrapped SQL expression
|
* @return the wrapped SQL expression
|
||||||
*/
|
*/
|
||||||
public static SQL fetchedBySql(final String sql) {
|
public static SQL fetchedBySql(final String sql) {
|
||||||
|
if ( !sql.startsWith("SELECT ${columns}") ) {
|
||||||
|
throw new IllegalArgumentException("SQL SELECT expression must start with 'SELECT ${columns}', but is: " + sql);
|
||||||
|
}
|
||||||
validateExpression(sql);
|
validateExpression(sql);
|
||||||
return new SQL(sql, Part.SQL_QUERY);
|
return new SQL(sql, Part.SQL_QUERY);
|
||||||
}
|
}
|
||||||
@ -929,7 +941,7 @@ public class RbacView {
|
|||||||
* @return the wrapped SQL definition object
|
* @return the wrapped SQL definition object
|
||||||
*/
|
*/
|
||||||
public static SQL directlyFetchedByDependsOnColumn() {
|
public static SQL directlyFetchedByDependsOnColumn() {
|
||||||
return new SQL(null, Part.AUTO_FETCH);
|
return new SQL(null, AUTO_FETCH);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
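Review bot: The new guard in `fetchedBySql` only checks `sql.startsWith("SELECT ${columns}")`, but the rule the new javadoc states — the query must alias the fetched table with the entity alias name — is not checked anywhere, and `fetchedBySql` cannot check it because it never receives the alias; a mismatch surfaces only when the migration executes the generated PL/pgSQL, where `${columns}` has been expanded to `<alias>.uuid` or `<alias>.*`. If `importEntityAlias`/`importRootEntityAliasProxy` (outside this hunk) see both the alias and the SQL, verifying there that the SQL references `AS <alias>` or ` <alias>` would turn that into a build-time error. The javadoc sentence `as its alias for, so it can be used` reads oddly and `e.g. `*` or `uuid`` does not match what the generators substitute; suggest `must use the entity alias name as the table alias of the fetched table, because `${columns}` is expanded to `<alias>.uuid` or `<alias>.*` by the generators`. The `startsWith` check is also case- and whitespace-sensitive, which may be intended, but it rejects lowercase `select ...` text blocks like the ones this commit removes from HsOfficeRelationEntity; `sql.stripLeading()` plus a case-insensitive comparison would make the error message less surprising.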
@ -233,6 +233,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
final PostgresTriggerReference old) {
|
final PostgresTriggerReference old) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
ea.fetchSql().sql + " INTO " + entityRefVar(old, ea) + ";",
|
ea.fetchSql().sql + " INTO " + entityRefVar(old, ea) + ";",
|
||||||
|
with("columns", ea.aliasName() + ".*"),
|
||||||
with("ref", old.name()));
|
with("ref", old.name()));
|
||||||
if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
|
if (ea.nullable() == RbacView.Nullable.NOT_NULL) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
|
@ -82,7 +82,7 @@ public class StringWriter {
|
|||||||
return string.toString();
|
return string.toString();
|
||||||
}
|
}
|
||||||
|
|
||||||
public static String indented(final String text, final int indentLevel) {
|
public static String indented(final int indentLevel, final String text) {
|
||||||
final var indentation = StringUtils.repeat(" ", indentLevel);
|
final var indentation = StringUtils.repeat(" ", indentLevel);
|
||||||
final var indented = stream(text.split("\n"))
|
final var indented = stream(text.split("\n"))
|
||||||
.map(line -> line.trim().isBlank() ? "" : indentation + line)
|
.map(line -> line.trim().isBlank() ? "" : indentation + line)
|
||||||
@ -94,7 +94,7 @@ public class StringWriter {
|
|||||||
if ( indentLevel == 0) {
|
if ( indentLevel == 0) {
|
||||||
return text;
|
return text;
|
||||||
}
|
}
|
||||||
return indented(text, indentLevel);
|
return indented(indentLevel, text);
|
||||||
}
|
}
|
||||||
|
|
||||||
record VarDef(String name, String value){}
|
record VarDef(String name, String value){}
|
||||||
|
@ -143,8 +143,9 @@ create trigger test_customer_insert_permission_check_tg
|
|||||||
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('test_customer', $idName$
|
call generateRbacIdentityViewFromProjection('test_customer',
|
||||||
prefix
|
$idName$
|
||||||
|
prefix
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -189,30 +189,22 @@ execute procedure test_package_test_customer_insert_tf();
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_package,
|
Checks if the user or assumed roles are allowed to insert a row to test_package,
|
||||||
where the check is performed by an indirect role.
|
where the check is performed by a direct role.
|
||||||
|
|
||||||
An indirect role is a role FIXME.
|
A direct role is a role depending on a foreign key directly available in the NEW row.
|
||||||
*/
|
*/
|
||||||
create or replace function test_package_insert_permission_missing_tf()
|
create or replace function test_package_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
if ( not hasInsertPermission(
|
raise exception '[403] insert into test_package not allowed for current subjects % (%)',
|
||||||
( SELECT customer.uuid FROM
|
currentSubjects(), currentSubjectsUuids();
|
||||||
|
|
||||||
(SELECT * FROM test_customer WHERE uuid = NEW.customerUuid) AS customer
|
|
||||||
|
|
||||||
), 'INSERT', 'test_package') ) then
|
|
||||||
raise exception
|
|
||||||
'[403] insert into test_package not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end if;
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger test_package_insert_permission_check_tg
|
create trigger test_package_insert_permission_check_tg
|
||||||
before insert on test_package
|
before insert on test_package
|
||||||
for each row
|
for each row
|
||||||
|
when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') )
|
||||||
execute procedure test_package_insert_permission_missing_tf();
|
execute procedure test_package_insert_permission_missing_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -220,8 +212,9 @@ create trigger test_package_insert_permission_check_tg
|
|||||||
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('test_package', $idName$
|
call generateRbacIdentityViewFromProjection('test_package',
|
||||||
name
|
$idName$
|
||||||
|
name
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -188,30 +188,22 @@ execute procedure test_domain_test_package_insert_tf();
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_domain,
|
Checks if the user or assumed roles are allowed to insert a row to test_domain,
|
||||||
where the check is performed by an indirect role.
|
where the check is performed by a direct role.
|
||||||
|
|
||||||
An indirect role is a role FIXME.
|
A direct role is a role depending on a foreign key directly available in the NEW row.
|
||||||
*/
|
*/
|
||||||
create or replace function test_domain_insert_permission_missing_tf()
|
create or replace function test_domain_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
if ( not hasInsertPermission(
|
raise exception '[403] insert into test_domain not allowed for current subjects % (%)',
|
||||||
( SELECT package.uuid FROM
|
currentSubjects(), currentSubjectsUuids();
|
||||||
|
|
||||||
(SELECT * FROM test_package WHERE uuid = NEW.packageUuid) AS package
|
|
||||||
|
|
||||||
), 'INSERT', 'test_domain') ) then
|
|
||||||
raise exception
|
|
||||||
'[403] insert into test_domain not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end if;
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger test_domain_insert_permission_check_tg
|
create trigger test_domain_insert_permission_check_tg
|
||||||
before insert on test_domain
|
before insert on test_domain
|
||||||
for each row
|
for each row
|
||||||
|
when ( not hasInsertPermission(NEW.packageUuid, 'INSERT', 'test_domain') )
|
||||||
execute procedure test_domain_insert_permission_missing_tf();
|
execute procedure test_domain_insert_permission_missing_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -219,8 +211,9 @@ create trigger test_domain_insert_permission_check_tg
|
|||||||
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('test_domain', $idName$
|
call generateRbacIdentityViewFromProjection('test_domain',
|
||||||
name
|
$idName$
|
||||||
|
name
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -125,8 +125,9 @@ execute procedure hs_office_contact_global_insert_tf();
|
|||||||
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('hs_office_contact', $idName$
|
call generateRbacIdentityViewFromProjection('hs_office_contact',
|
||||||
label
|
$idName$
|
||||||
|
label
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -125,8 +125,9 @@ execute procedure hs_office_person_global_insert_tf();
|
|||||||
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('hs_office_person', $idName$
|
call generateRbacIdentityViewFromProjection('hs_office_person',
|
||||||
concat(tradeName, familyName, givenName)
|
$idName$
|
||||||
|
concat(tradeName, familyName, givenName)
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -37,13 +37,13 @@ declare
|
|||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
select * from hs_office_person as p where p.uuid = NEW.holderUuid INTO newHolderPerson;
|
SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
|
||||||
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
|
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
|
||||||
|
|
||||||
select * from hs_office_person as p where p.uuid = NEW.anchorUuid INTO newAnchorPerson;
|
SELECT * FROM hs_office_person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
|
||||||
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
|
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
|
||||||
|
|
||||||
select * from hs_office_contact as c where c.uuid = NEW.contactUuid INTO newContact;
|
SELECT * FROM hs_office_contact WHERE uuid = NEW.contactUuid INTO newContact;
|
||||||
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
|
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
|
||||||
|
|
||||||
|
|
||||||
@ -73,13 +73,13 @@ begin
|
|||||||
hsOfficeRelationTenant(NEW),
|
hsOfficeRelationTenant(NEW),
|
||||||
permissions => array['SELECT'],
|
permissions => array['SELECT'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
|
hsOfficeContactAdmin(newContact),
|
||||||
hsOfficeRelationAgent(NEW),
|
hsOfficeRelationAgent(NEW),
|
||||||
hsOfficePersonAdmin(newHolderPerson),
|
hsOfficePersonAdmin(newHolderPerson)],
|
||||||
hsOfficeContactAdmin(newContact)],
|
|
||||||
outgoingSubRoles => array[
|
outgoingSubRoles => array[
|
||||||
hsOfficePersonReferrer(newAnchorPerson),
|
hsOfficePersonReferrer(newAnchorPerson),
|
||||||
hsOfficeContactReferrer(newContact),
|
hsOfficePersonReferrer(newHolderPerson),
|
||||||
hsOfficePersonReferrer(newHolderPerson)]
|
hsOfficeContactReferrer(newContact)]
|
||||||
);
|
);
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
@ -130,22 +130,22 @@ declare
|
|||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
select * from hs_office_person as p where p.uuid = OLD.holderUuid INTO oldHolderPerson;
|
SELECT * FROM hs_office_person WHERE uuid = OLD.holderUuid INTO oldHolderPerson;
|
||||||
assert oldHolderPerson.uuid is not null, format('oldHolderPerson must not be null for OLD.holderUuid = %s', OLD.holderUuid);
|
assert oldHolderPerson.uuid is not null, format('oldHolderPerson must not be null for OLD.holderUuid = %s', OLD.holderUuid);
|
||||||
|
|
||||||
select * from hs_office_person as p where p.uuid = NEW.holderUuid INTO newHolderPerson;
|
SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
|
||||||
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
|
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
|
||||||
|
|
||||||
select * from hs_office_person as p where p.uuid = OLD.anchorUuid INTO oldAnchorPerson;
|
SELECT * FROM hs_office_person WHERE uuid = OLD.anchorUuid INTO oldAnchorPerson;
|
||||||
assert oldAnchorPerson.uuid is not null, format('oldAnchorPerson must not be null for OLD.anchorUuid = %s', OLD.anchorUuid);
|
assert oldAnchorPerson.uuid is not null, format('oldAnchorPerson must not be null for OLD.anchorUuid = %s', OLD.anchorUuid);
|
||||||
|
|
||||||
select * from hs_office_person as p where p.uuid = NEW.anchorUuid INTO newAnchorPerson;
|
SELECT * FROM hs_office_person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
|
||||||
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
|
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
|
||||||
|
|
||||||
select * from hs_office_contact as c where c.uuid = OLD.contactUuid INTO oldContact;
|
SELECT * FROM hs_office_contact WHERE uuid = OLD.contactUuid INTO oldContact;
|
||||||
assert oldContact.uuid is not null, format('oldContact must not be null for OLD.contactUuid = %s', OLD.contactUuid);
|
assert oldContact.uuid is not null, format('oldContact must not be null for OLD.contactUuid = %s', OLD.contactUuid);
|
||||||
|
|
||||||
select * from hs_office_contact as c where c.uuid = NEW.contactUuid INTO newContact;
|
SELECT * FROM hs_office_contact WHERE uuid = NEW.contactUuid INTO newContact;
|
||||||
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
|
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
|
||||||
|
|
||||||
|
|
||||||
@ -228,30 +228,22 @@ execute procedure hs_office_relation_hs_office_person_insert_tf();
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_relation,
|
Checks if the user or assumed roles are allowed to insert a row to hs_office_relation,
|
||||||
where the check is performed by an indirect role.
|
where the check is performed by a direct role.
|
||||||
|
|
||||||
An indirect role is a role FIXME.
|
A direct role is a role depending on a foreign key directly available in the NEW row.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_relation_insert_permission_missing_tf()
|
create or replace function hs_office_relation_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
if ( not hasInsertPermission(
|
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
|
||||||
( SELECT anchorPerson.uuid FROM
|
currentSubjects(), currentSubjectsUuids();
|
||||||
|
|
||||||
(select * from hs_office_person as p where p.uuid = NEW.anchorUuid) AS anchorPerson
|
|
||||||
|
|
||||||
), 'INSERT', 'hs_office_relation') ) then
|
|
||||||
raise exception
|
|
||||||
'[403] insert into hs_office_relation not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end if;
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger hs_office_relation_insert_permission_check_tg
|
create trigger hs_office_relation_insert_permission_check_tg
|
||||||
before insert on hs_office_relation
|
before insert on hs_office_relation
|
||||||
for each row
|
for each row
|
||||||
|
when ( not hasInsertPermission(NEW.anchorUuid, 'INSERT', 'hs_office_relation') )
|
||||||
execute procedure hs_office_relation_insert_permission_missing_tf();
|
execute procedure hs_office_relation_insert_permission_missing_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -259,11 +251,11 @@ create trigger hs_office_relation_insert_permission_check_tg
|
|||||||
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('hs_office_relation', $idName$
|
call generateRbacIdentityViewFromProjection('hs_office_relation',
|
||||||
(select idName from hs_office_person_iv p where p.uuid = anchorUuid)
|
$idName$
|
||||||
|| '-with-' || target.type || '-'
|
(select idName from hs_office_person_iv p where p.uuid = anchorUuid)
|
||||||
|| (select idName from hs_office_person_iv p where p.uuid = holderUuid)
|
|| '-with-' || target.type || '-'
|
||||||
|
|| (select idName from hs_office_person_iv p where p.uuid = holderUuid)
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -36,10 +36,10 @@ declare
|
|||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_relation AS r WHERE r.uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = NEW.detailsUuid INTO newPartnerDetails;
|
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
|
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationAdmin(newPartnerRel));
|
||||||
@ -95,16 +95,16 @@ declare
|
|||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_relation AS r WHERE r.uuid = OLD.partnerRelUuid INTO oldPartnerRel;
|
SELECT * FROM hs_office_relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel;
|
||||||
assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s', OLD.partnerRelUuid);
|
assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s', OLD.partnerRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_relation AS r WHERE r.uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = OLD.detailsUuid INTO oldPartnerDetails;
|
SELECT * FROM hs_office_partner_details WHERE uuid = OLD.detailsUuid INTO oldPartnerDetails;
|
||||||
assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s', OLD.detailsUuid);
|
assert oldPartnerDetails.uuid is not null, format('oldPartnerDetails must not be null for OLD.detailsUuid = %s', OLD.detailsUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = NEW.detailsUuid INTO newPartnerDetails;
|
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||||
|
|
||||||
|
|
||||||
@ -220,8 +220,9 @@ create trigger hs_office_partner_insert_permission_check_tg
|
|||||||
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('hs_office_partner', $idName$
|
call generateRbacIdentityViewFromProjection('hs_office_partner',
|
||||||
'P-' || partnerNumber
|
$idName$
|
||||||
|
'P-' || partnerNumber
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -124,12 +124,12 @@ create trigger hs_office_partner_details_insert_permission_check_tg
|
|||||||
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_office_partner_details', $idName$
|
call generateRbacIdentityViewFromQuery('hs_office_partner_details',
|
||||||
SELECT partnerDetails.uuid as uuid, partner_iv.idName || '-details' as idName
|
$idName$
|
||||||
FROM hs_office_partner_details AS partnerDetails
|
SELECT partnerDetails.uuid as uuid, partner_iv.idName || '-details' as idName
|
||||||
JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid
|
FROM hs_office_partner_details AS partnerDetails
|
||||||
JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid
|
JOIN hs_office_partner partner ON partner.detailsUuid = partnerDetails.uuid
|
||||||
|
JOIN hs_office_partner_iv partner_iv ON partner_iv.uuid = partner.uuid
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -125,8 +125,9 @@ execute procedure hs_office_bankaccount_global_insert_tf();
|
|||||||
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromProjection('hs_office_bankaccount', $idName$
|
call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
|
||||||
iban
|
$idName$
|
||||||
|
iban
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -64,8 +64,8 @@ begin
|
|||||||
hsOfficeSepaMandateAgent(NEW),
|
hsOfficeSepaMandateAgent(NEW),
|
||||||
incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
|
incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
|
||||||
outgoingSubRoles => array[
|
outgoingSubRoles => array[
|
||||||
hsOfficeBankAccountReferrer(newBankAccount),
|
hsOfficeRelationAgent(newDebitorRel),
|
||||||
hsOfficeRelationAgent(newDebitorRel)]
|
hsOfficeBankAccountReferrer(newBankAccount)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
@ -151,20 +151,22 @@ execute procedure hs_office_sepamandate_hs_office_relation_insert_tf();
|
|||||||
|
|
||||||
An indirect role is a role FIXME.
|
An indirect role is a role FIXME.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_sepamandate_insert_permission_missing_tf()
|
create or replace function hs_office_sepamandate_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
|
||||||
|
declare
|
||||||
|
superRoleObjectUuid uuid;
|
||||||
|
|
||||||
begin
|
begin
|
||||||
if ( not hasInsertPermission(
|
superRoleObjectUuid := (SELECT debitorRel.uuid
|
||||||
( SELECT debitorRel.uuid FROM
|
FROM hs_office_relation debitorRel
|
||||||
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
|
WHERE debitor.uuid = NEW.debitorUuid
|
||||||
|
);
|
||||||
|
assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
|
||||||
|
|
||||||
(SELECT debitorRel.*
|
if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', 'hs_office_sepamandate') ) then
|
||||||
FROM hs_office_relation debitorRel
|
|
||||||
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
|
||||||
WHERE debitor.uuid = NEW.debitorUuid
|
|
||||||
) AS debitorRel
|
|
||||||
|
|
||||||
), 'INSERT', 'hs_office_sepamandate') ) then
|
|
||||||
raise exception
|
raise exception
|
||||||
'[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
|
'[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
@ -175,18 +177,18 @@ end; $$;
|
|||||||
create trigger hs_office_sepamandate_insert_permission_check_tg
|
create trigger hs_office_sepamandate_insert_permission_check_tg
|
||||||
before insert on hs_office_sepamandate
|
before insert on hs_office_sepamandate
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_sepamandate_insert_permission_missing_tf();
|
execute procedure hs_office_sepamandate_insert_permission_check_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_office_sepamandate', $idName$
|
call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
|
||||||
select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
|
$idName$
|
||||||
from hs_office_sepamandate sm
|
select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
|
||||||
join hs_office_bankaccount ba on ba.uuid = sm.bankAccountUuid
|
from hs_office_sepamandate sm
|
||||||
|
join hs_office_bankaccount ba on ba.uuid = sm.bankAccountUuid
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
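Review bot: In `hs_office_sepamandate_insert_permission_check_tf` the only guard against an unresolved `superRoleObjectUuid` is a PL/pgSQL `assert`, which is not evaluated at all when `plpgsql.check_asserts` is off; in that configuration `hasInsertPermission(NULL, 'INSERT', 'hs_office_sepamandate')` is evaluated, and if that function yields NULL for a NULL object uuid (its behaviour is not visible here) the condition `not NULL` is NULL, the `if` branch is skipped and the insert passes the permission trigger. A permission check should not depend on a diagnostic setting: replace the assert with an explicit `if superRoleObjectUuid is null then raise exception '[400] sepamandate references unknown debitor %', NEW.debitorUuid; end if;` and harden the condition to `if not coalesce(hasInsertPermission(superRoleObjectUuid, 'INSERT', 'hs_office_sepamandate'), false) then`. The same pattern appears in `hs_office_membership_insert_permission_check_tf` in the membership section below. The function body continues past the end of the hunk.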
@ -46,10 +46,7 @@ begin
|
|||||||
INTO newPartnerRel;
|
INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);
|
||||||
|
|
||||||
SELECT *
|
SELECT * FROM hs_office_relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel;
|
||||||
FROM hs_office_relation AS r
|
|
||||||
WHERE r.type = 'DEBITOR' AND r.uuid = NEW.debitorRelUuid
|
|
||||||
INTO newDebitorRel;
|
|
||||||
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);
|
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);
|
||||||
|
|
||||||
SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
|
SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
|
||||||
@ -196,18 +193,18 @@ create trigger hs_office_debitor_insert_permission_check_tg
|
|||||||
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_office_debitor', $idName$
|
call generateRbacIdentityViewFromQuery('hs_office_debitor',
|
||||||
SELECT debitor.uuid AS uuid,
|
$idName$
|
||||||
'D-' || (SELECT partner.partnerNumber
|
SELECT debitor.uuid AS uuid,
|
||||||
FROM hs_office_partner partner
|
'D-' || (SELECT partner.partnerNumber
|
||||||
JOIN hs_office_relation partnerRel
|
FROM hs_office_partner partner
|
||||||
ON partnerRel.uuid = partner.partnerRelUUid AND partnerRel.type = 'PARTNER'
|
JOIN hs_office_relation partnerRel
|
||||||
JOIN hs_office_relation debitorRel
|
ON partnerRel.uuid = partner.partnerRelUUid AND partnerRel.type = 'PARTNER'
|
||||||
ON debitorRel.anchorUuid = partnerRel.holderUuid AND debitorRel.type = 'DEBITOR'
|
JOIN hs_office_relation debitorRel
|
||||||
WHERE debitorRel.uuid = debitor.debitorRelUuid)
|
ON debitorRel.anchorUuid = partnerRel.holderUuid AND debitorRel.type = 'DEBITOR'
|
||||||
|| to_char(debitorNumberSuffix, 'fm00') as idName
|
WHERE debitorRel.uuid = debitor.debitorRelUuid)
|
||||||
FROM hs_office_debitor AS debitor
|
|| to_char(debitorNumberSuffix, 'fm00') as idName
|
||||||
|
FROM hs_office_debitor AS debitor
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
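Review bot: The rewritten lookup `SELECT * FROM hs_office_relation WHERE uuid = NEW.debitorRelUuid INTO newDebitorRel;` drops the old `type = 'DEBITOR'` predicate, and the assert that follows only checks `newDebitorRel.uuid is not null`, so a debitor row can now be inserted against a relation of any type and whatever the rest of the function derives from `newDebitorRel` is attached to that relation. The identity view later in this section still joins on `debitorRel.type = 'DEBITOR'`, so such a row would also get a NULL idName. Unless a CHECK constraint or the application layer enforces the type elsewhere (not visible here), keep the check in the trigger, e.g. add `assert newDebitorRel.type = 'DEBITOR', format('newDebitorRel must be of type DEBITOR for NEW.debitorRelUuid = %s', NEW.debitorRelUuid);` directly after the existing not-null assert. The enclosing trigger function starts and ends outside the hunk.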
@ -35,10 +35,10 @@ declare
|
|||||||
begin
|
begin
|
||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT r.*
|
SELECT partnerRel.*
|
||||||
FROM hs_office_partner AS p
|
FROM hs_office_partner AS partner
|
||||||
JOIN hs_office_relation AS r ON r.uuid = p.partnerRelUuid
|
JOIN hs_office_relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
|
||||||
WHERE p.uuid = NEW.partnerUuid
|
WHERE partner.uuid = NEW.partnerUuid
|
||||||
INTO newPartnerRel;
|
INTO newPartnerRel;
|
||||||
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid);
|
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid);
|
||||||
|
|
||||||
@ -138,20 +138,22 @@ execute procedure hs_office_membership_hs_office_relation_insert_tf();
|
|||||||
|
|
||||||
An indirect role is a role FIXME.
|
An indirect role is a role FIXME.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_membership_insert_permission_missing_tf()
|
create or replace function hs_office_membership_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
|
||||||
|
declare
|
||||||
|
superRoleObjectUuid uuid;
|
||||||
|
|
||||||
begin
|
begin
|
||||||
if ( not hasInsertPermission(
|
superRoleObjectUuid := (SELECT partnerRel.uuid
|
||||||
( SELECT partnerRel.uuid FROM
|
FROM hs_office_partner AS partner
|
||||||
|
JOIN hs_office_relation AS partnerRel ON partnerRel.uuid = partner.partnerRelUuid
|
||||||
|
WHERE partner.uuid = NEW.partnerUuid
|
||||||
|
);
|
||||||
|
assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
|
||||||
|
|
||||||
(SELECT r.*
|
if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', 'hs_office_membership') ) then
|
||||||
FROM hs_office_partner AS p
|
|
||||||
JOIN hs_office_relation AS r ON r.uuid = p.partnerRelUuid
|
|
||||||
WHERE p.uuid = NEW.partnerUuid
|
|
||||||
) AS partnerRel
|
|
||||||
|
|
||||||
), 'INSERT', 'hs_office_membership') ) then
|
|
||||||
raise exception
|
raise exception
|
||||||
'[403] insert into hs_office_membership not allowed for current subjects % (%)',
|
'[403] insert into hs_office_membership not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
@ -162,19 +164,19 @@ end; $$;
|
|||||||
create trigger hs_office_membership_insert_permission_check_tg
|
create trigger hs_office_membership_insert_permission_check_tg
|
||||||
before insert on hs_office_membership
|
before insert on hs_office_membership
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_membership_insert_permission_missing_tf();
|
execute procedure hs_office_membership_insert_permission_check_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_office_membership', $idName$
|
call generateRbacIdentityViewFromQuery('hs_office_membership',
|
||||||
SELECT m.uuid AS uuid,
|
$idName$
|
||||||
'M-' || p.partnerNumber || m.memberNumberSuffix as idName
|
SELECT m.uuid AS uuid,
|
||||||
FROM hs_office_membership AS m
|
'M-' || p.partnerNumber || m.memberNumberSuffix as idName
|
||||||
JOIN hs_office_partner AS p ON p.uuid = m.partnerUuid
|
FROM hs_office_membership AS m
|
||||||
|
JOIN hs_office_partner AS p ON p.uuid = m.partnerUuid
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
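Review bot: The doc comment above `hs_office_membership_insert_permission_check_tf` still ends with the placeholder `An indirect role is a role FIXME.`, although the function it documents was renamed and now resolves the super-role object itself; the sepamandate section carries the same placeholder. The new body shows what "indirect" means here, so the sentence can be completed from it: `An indirect role is a role whose object uuid is not a column of the NEW row but has to be resolved via a join (here: the partner relation of NEW.partnerUuid).`. The comment block starts before the hunk.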