use schema for hs-hosting-asset-legacy-id
This commit is contained in:
parent
e0ac4231ac
commit
fd7a63867a
@ -1,63 +0,0 @@
|
|||||||
### rbac bookingItem
|
|
||||||
|
|
||||||
This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually.
|
|
||||||
|
|
||||||
```mermaid
|
|
||||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
|
||||||
flowchart TB
|
|
||||||
|
|
||||||
subgraph bookingItem["`**bookingItem**`"]
|
|
||||||
direction TB
|
|
||||||
style bookingItem fill:#dd4901,stroke:#274d6e,stroke-width:8px
|
|
||||||
|
|
||||||
subgraph bookingItem:roles[ ]
|
|
||||||
style bookingItem:roles fill:#dd4901,stroke:white
|
|
||||||
|
|
||||||
role:bookingItem:OWNER[[bookingItem:OWNER]]
|
|
||||||
role:bookingItem:ADMIN[[bookingItem:ADMIN]]
|
|
||||||
role:bookingItem:AGENT[[bookingItem:AGENT]]
|
|
||||||
role:bookingItem:TENANT[[bookingItem:TENANT]]
|
|
||||||
end
|
|
||||||
|
|
||||||
subgraph bookingItem:permissions[ ]
|
|
||||||
style bookingItem:permissions fill:#dd4901,stroke:white
|
|
||||||
|
|
||||||
perm:bookingItem:INSERT{{bookingItem:INSERT}}
|
|
||||||
perm:bookingItem:DELETE{{bookingItem:DELETE}}
|
|
||||||
perm:bookingItem:UPDATE{{bookingItem:UPDATE}}
|
|
||||||
perm:bookingItem:SELECT{{bookingItem:SELECT}}
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
subgraph project["`**project**`"]
|
|
||||||
direction TB
|
|
||||||
style project fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
|
||||||
|
|
||||||
subgraph project:roles[ ]
|
|
||||||
style project:roles fill:#99bcdb,stroke:white
|
|
||||||
|
|
||||||
role:project:OWNER[[project:OWNER]]
|
|
||||||
role:project:ADMIN[[project:ADMIN]]
|
|
||||||
role:project:AGENT[[project:AGENT]]
|
|
||||||
role:project:TENANT[[project:TENANT]]
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
%% granting roles to roles
|
|
||||||
role:project:OWNER -.-> role:project:ADMIN
|
|
||||||
role:project:ADMIN -.-> role:project:AGENT
|
|
||||||
role:project:AGENT -.-> role:project:TENANT
|
|
||||||
role:project:AGENT ==> role:bookingItem:OWNER
|
|
||||||
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
|
|
||||||
role:bookingItem:ADMIN ==> role:bookingItem:AGENT
|
|
||||||
role:bookingItem:AGENT ==> role:bookingItem:TENANT
|
|
||||||
role:bookingItem:TENANT ==> role:project:TENANT
|
|
||||||
|
|
||||||
%% granting permissions to roles
|
|
||||||
role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
|
|
||||||
role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
|
|
||||||
role:project:ADMIN ==> perm:bookingItem:INSERT
|
|
||||||
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
|
||||||
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
|
||||||
|
|
||||||
```
|
|
@ -1,277 +0,0 @@
|
|||||||
--liquibase formatted sql
|
|
||||||
-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs-booking-item-rbac-OBJECT endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
call rbac.generateRelatedRbacObject('hs_booking_item');
|
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs-booking-item-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
call rbac.generateRbacRoleDescriptors('hsBookingItem', 'hs_booking_item');
|
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs-booking-item-rbac-insert-trigger endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/*
|
|
||||||
Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
|
|
||||||
*/
|
|
||||||
|
|
||||||
create or replace procedure buildRbacSystemForHsBookingItem(
|
|
||||||
NEW hs_booking_item
|
|
||||||
)
|
|
||||||
language plpgsql as $$
|
|
||||||
|
|
||||||
declare
|
|
||||||
newProject hs_booking_project;
|
|
||||||
newParentItem hs_booking_item;
|
|
||||||
|
|
||||||
begin
|
|
||||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
|
||||||
|
|
||||||
SELECT * FROM hs_booking_project WHERE uuid = NEW.projectUuid INTO newProject;
|
|
||||||
|
|
||||||
SELECT * FROM hs_booking_item WHERE uuid = NEW.parentItemUuid INTO newParentItem;
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
|
||||||
hsBookingItemOWNER(NEW),
|
|
||||||
incomingSuperRoles => array[
|
|
||||||
hsBookingItemAGENT(newParentItem),
|
|
||||||
hsBookingProjectAGENT(newProject)]
|
|
||||||
);
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
|
||||||
hsBookingItemADMIN(NEW),
|
|
||||||
permissions => array['UPDATE'],
|
|
||||||
incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
|
|
||||||
);
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
|
||||||
hsBookingItemAGENT(NEW),
|
|
||||||
incomingSuperRoles => array[hsBookingItemADMIN(NEW)]
|
|
||||||
);
|
|
||||||
|
|
||||||
perform rbac.defineRoleWithGrants(
|
|
||||||
hsBookingItemTENANT(NEW),
|
|
||||||
permissions => array['SELECT'],
|
|
||||||
incomingSuperRoles => array[hsBookingItemAGENT(NEW)],
|
|
||||||
outgoingSubRoles => array[
|
|
||||||
hsBookingItemTENANT(newParentItem),
|
|
||||||
hsBookingProjectTENANT(newProject)]
|
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
/*
|
|
||||||
AFTER INSERT TRIGGER to create the role+grant structure for a new hs_booking_item row.
|
|
||||||
*/
|
|
||||||
|
|
||||||
create or replace function insertTriggerForHsBookingItem_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
call buildRbacSystemForHsBookingItem(NEW);
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
create trigger insertTriggerForHsBookingItem_tg
|
|
||||||
after insert on hs_booking_item
|
|
||||||
for each row
|
|
||||||
execute procedure insertTriggerForHsBookingItem_tf();
|
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs-booking-item-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
-- granting INSERT permission to global ----------------------------
|
|
||||||
|
|
||||||
/*
|
|
||||||
Grants INSERT INTO hs_booking_item permissions to specified role of pre-existing global rows.
|
|
||||||
*/
|
|
||||||
do language plpgsql $$
|
|
||||||
declare
|
|
||||||
row rbac.global%ROWTYPE;
|
|
||||||
begin
|
|
||||||
call base.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
|
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbac.global
|
|
||||||
-- unconditional for all rows in that table
|
|
||||||
LOOP
|
|
||||||
call rbac.grantPermissionToRole(
|
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
|
||||||
rbac.globalAdmin());
|
|
||||||
END LOOP;
|
|
||||||
end;
|
|
||||||
$$;
|
|
||||||
|
|
||||||
/**
|
|
||||||
Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
|
|
||||||
*/
|
|
||||||
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
-- unconditional for all rows in that table
|
|
||||||
call rbac.grantPermissionToRole(
|
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
|
||||||
rbac.globalAdmin());
|
|
||||||
-- end.
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
||||||
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
|
||||||
after insert on rbac.global
|
|
||||||
for each row
|
|
||||||
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
|
||||||
|
|
||||||
-- granting INSERT permission to hs_booking_project ----------------------------
|
|
||||||
|
|
||||||
/*
|
|
||||||
Grants INSERT INTO hs_booking_item permissions to specified role of pre-existing hs_booking_project rows.
|
|
||||||
*/
|
|
||||||
do language plpgsql $$
|
|
||||||
declare
|
|
||||||
row hs_booking_project;
|
|
||||||
begin
|
|
||||||
call base.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising hs_booking_project rows');
|
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_booking_project
|
|
||||||
-- unconditional for all rows in that table
|
|
||||||
LOOP
|
|
||||||
call rbac.grantPermissionToRole(
|
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
|
||||||
hsBookingProjectADMIN(row));
|
|
||||||
END LOOP;
|
|
||||||
end;
|
|
||||||
$$;
|
|
||||||
|
|
||||||
/**
|
|
||||||
Grants hs_booking_item INSERT permission to specified role of new hs_booking_project rows.
|
|
||||||
*/
|
|
||||||
create or replace function new_hs_booking_item_grants_insert_to_hs_booking_project_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
-- unconditional for all rows in that table
|
|
||||||
call rbac.grantPermissionToRole(
|
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
|
||||||
hsBookingProjectADMIN(NEW));
|
|
||||||
-- end.
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
||||||
create trigger z_new_hs_booking_item_grants_insert_to_hs_booking_project_tg
|
|
||||||
after insert on hs_booking_project
|
|
||||||
for each row
|
|
||||||
execute procedure new_hs_booking_item_grants_insert_to_hs_booking_project_tf();
|
|
||||||
|
|
||||||
-- granting INSERT permission to hs_booking_item ----------------------------
|
|
||||||
|
|
||||||
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
|
|
||||||
-- because there cannot yet be any pre-existing rows in the same table yet.
|
|
||||||
|
|
||||||
/**
|
|
||||||
Grants hs_booking_item INSERT permission to specified role of new hs_booking_item rows.
|
|
||||||
*/
|
|
||||||
create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
-- unconditional for all rows in that table
|
|
||||||
call rbac.grantPermissionToRole(
|
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
|
||||||
hsBookingItemADMIN(NEW));
|
|
||||||
-- end.
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
||||||
create trigger z_new_hs_booking_item_grants_insert_to_hs_booking_item_tg
|
|
||||||
after insert on hs_booking_item
|
|
||||||
for each row
|
|
||||||
execute procedure new_hs_booking_item_grants_insert_to_hs_booking_item_tf();
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs_booking_item-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/**
|
|
||||||
Checks if the user respectively the assumed roles are allowed to insert a row to hs_booking_item.
|
|
||||||
*/
|
|
||||||
create or replace function hs_booking_item_insert_permission_check_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql as $$
|
|
||||||
declare
|
|
||||||
superObjectUuid uuid;
|
|
||||||
begin
|
|
||||||
-- check INSERT INSERT if rbac.Global ADMIN
|
|
||||||
if rbac.isGlobalAdmin() then
|
|
||||||
return NEW;
|
|
||||||
end if;
|
|
||||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
|
||||||
if rbac.hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
|
|
||||||
return NEW;
|
|
||||||
end if;
|
|
||||||
-- check INSERT permission via direct foreign key: NEW.parentItemUuid
|
|
||||||
if rbac.hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
|
|
||||||
return NEW;
|
|
||||||
end if;
|
|
||||||
|
|
||||||
raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)',
|
|
||||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
create trigger hs_booking_item_insert_permission_check_tg
|
|
||||||
before insert on hs_booking_item
|
|
||||||
for each row
|
|
||||||
execute procedure hs_booking_item_insert_permission_check_tf();
|
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs-booking-item-rbac-IDENTITY-VIEW endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
call rbac.generateRbacIdentityViewFromProjection('hs_booking_item',
|
|
||||||
$idName$
|
|
||||||
caption
|
|
||||||
$idName$);
|
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset michael.hoennig:hs-booking-item-rbac-RESTRICTED-VIEW endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
call rbac.generateRbacRestrictedView('hs_booking_item',
|
|
||||||
$orderBy$
|
|
||||||
validity
|
|
||||||
$orderBy$,
|
|
||||||
$updates$
|
|
||||||
version = new.version,
|
|
||||||
caption = new.caption,
|
|
||||||
validity = new.validity,
|
|
||||||
resources = new.resources
|
|
||||||
$updates$);
|
|
||||||
--//
|
|
||||||
|
|
@ -40,7 +40,7 @@ ALTER TABLE hs_hosting_asset_legacy_id
|
|||||||
--changeset hs-hosting-asset-MIGRATION-insert:1 endDelimiter:--//
|
--changeset hs-hosting-asset-MIGRATION-insert:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
CALL defineContext('schema-migration');
|
CALL base.defineContext('schema-migration');
|
||||||
INSERT INTO hs_hosting_asset_legacy_id(uuid, legacy_id)
|
INSERT INTO hs_hosting_asset_legacy_id(uuid, legacy_id)
|
||||||
SELECT uuid, nextVal('hs_hosting_asset_legacy_id_seq') FROM hs_hosting_asset;
|
SELECT uuid, nextVal('hs_hosting_asset_legacy_id_seq') FROM hs_hosting_asset;
|
||||||
--/
|
--/
|
||||||
|
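Review bot: The changeset terminator after the INSERT is `--/`, but the changeset header declares `endDelimiter:--//`, so the delimiter Liquibase is told to split on never occurs in this changeset and the `CALL` and `INSERT` are handed to the driver as one string; the booking-item RBAC file deleted above closes every changeset with `--//`, which is the form to use here, i.e. replace `--/` with `--//`. Separately, `nextVal('hs_hosting_asset_legacy_id_seq')` and `FROM hs_hosting_asset` are still resolved through the session search_path at migration time; if those objects were moved into a schema as part of this series of changes (the hunk header's unqualified `ALTER TABLE hs_hosting_asset_legacy_id` suggests the table was not), qualify them the same way `base.defineContext` now is, e.g. `nextVal('<schema>.hs_hosting_asset_legacy_id_seq')`, rather than rely on whatever search_path the migration role happens to have. The changeset's `author:id` pair `hs-hosting-asset-MIGRATION-insert:1` also departs from the `michael.hoennig:<name>` convention used in the other changesets on this page and is worth aligning while the file is being touched.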
@ -148,7 +148,7 @@ databaseChangeLog:
|
|||||||
- include:
|
- include:
|
||||||
file: db/changelog/6-hs-booking/630-booking-item/6300-hs-booking-item.sql
|
file: db/changelog/6-hs-booking/630-booking-item/6300-hs-booking-item.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql
|
file: db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/6-hs-booking/630-booking-item/6308-hs-booking-item-test-data.sql
|
file: db/changelog/6-hs-booking/630-booking-item/6308-hs-booking-item-test-data.sql
|
||||||
- include:
|
- include:
|
||||||
|
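Review bot: Changing the include from `6203-hs-booking-item-rbac.sql` to `6303-hs-booking-item-rbac.sql` changes the filepath Liquibase records for every changeset in that file, and applied changesets are identified by (id, author, filepath); on any database where the 6203 path has already run, the renamed file's changesets would be treated as new and re-executed, which for the `create trigger ... _tg` statements in the deleted copy shown above would fail with "already exists" rather than be idempotent. If no environment has run the old path this is harmless; otherwise set `logicalFilePath` in the renamed file's `--liquibase formatted sql` header to the old path, or update the DATABASECHANGELOG rows as part of this change. The include list continues past this hunk.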