Compare commits

...

2 Commits

Author SHA1 Message Date
Michael Hoennig
97059c75a1 add holderPerson:ADMIN role to relation:ADMIN 2024-09-17 14:16:43 +02:00
Michael Hoennig
5aec875680 add INSERT permission for partner to relation AGENT 2024-09-17 14:16:04 +02:00
6 changed files with 68 additions and 14 deletions

View File

@ -110,6 +110,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
usingDefaultCase(),
directlyFetchedByDependsOnColumn(),
dependsOnColumn("partnerRelUuid"))
.toRole("partnerRel", AGENT).grantPermission(INSERT)
.createPermission(DELETE).grantedTo("partnerRel", OWNER)
.createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
.createPermission(SELECT).grantedTo("partnerRel", TENANT)

View File

@ -98,6 +98,7 @@ public class HsOfficeRelationRbacEntity extends HsOfficeRelation {
})
.createSubRole(ADMIN, (with) -> {
with.permission(UPDATE);
with.outgoingSubRole("holderPerson", ADMIN); // FIXME: only for type=partner
})
.createSubRole(AGENT, (with) -> {
// TODO.rbac: we need relation:PROXY, to allow changing the relation contact.

View File

@ -90,6 +90,7 @@ role:relation:TENANT ==> role:anchorPerson:REFERRER
role:relation:TENANT ==> role:holderPerson:REFERRER
role:relation:TENANT ==> role:contact:REFERRER
role:anchorPerson:ADMIN ==> role:relation:OWNER
role:relation:ADMIN ==> role:holderPerson:ADMIN
role:holderPerson:ADMIN ==> role:relation:AGENT
%% granting permissions to roles

View File

@ -3,21 +3,21 @@
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-OBJECT endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-relation-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call rbac.generateRelatedRbacObject('hs_office_relation');
--//
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
--//
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-insert-trigger endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants(
hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[rbac.globalAdmin()],
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
@ -82,6 +82,7 @@ begin
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
ELSE
call rbac.grantRoleToRole(hsOfficePersonADMIN(newHolderPerson), hsOfficeRelationADMIN(NEW));
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
END IF;
@ -110,7 +111,7 @@ execute procedure insertTriggerForHsOfficeRelation_tf();
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-update-trigger endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-update-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@ -151,7 +152,7 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to hs_office_person ----------------------------
@ -178,7 +179,7 @@ $$;
/**
Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
*/
create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
create or replace function new_hsof_relation_grants_insert_to_hsof_person_tf()
returns trigger
language plpgsql
strict as $$
@ -192,14 +193,14 @@ begin
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
create trigger z_new_hs_office_relation_grants_after_insert_tg
after insert on hs_office_person
for each row
execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
execute procedure new_hsof_relation_grants_insert_to_hsof_person_tf();
-- ============================================================================
--changeset michael.hoennig:hs_office_relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@ -216,8 +217,8 @@ begin
return NEW;
end if;
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
raise exception '[403] insert into hs_office_relation values(%) not allowed for current subjects % (%)',
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_relation_insert_permission_check_tg
@ -228,7 +229,7 @@ create trigger hs_office_relation_insert_permission_check_tg
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
@ -241,7 +242,7 @@ call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
-- ============================================================================
--changeset michael.hoennig:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call rbac.generateRbacRestrictedView('hs_office_relation',
$orderBy$

View File

@ -105,10 +105,12 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
%% granting permissions to roles
role:rbac.global:ADMIN ==> perm:partner:INSERT
role:partnerRel:AGENT ==> perm:partner:INSERT
role:partnerRel:OWNER ==> perm:partner:DELETE
role:partnerRel:ADMIN ==> perm:partner:UPDATE
role:partnerRel:TENANT ==> perm:partner:SELECT

View File

@ -42,6 +42,7 @@ begin
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
@ -200,6 +201,49 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
for each row
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
-- granting INSERT permission to hs_office_relation ----------------------------
/*
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
*/
do language plpgsql $$
declare
row hs_office_relation;
begin
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
FOR row IN SELECT * FROM hs_office_relation
-- unconditional for all rows in that table
LOOP
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
hsOfficeRelationAGENT(row));
END LOOP;
end;
$$;
/**
Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
*/
create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
hsOfficeRelationAGENT(NEW));
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_grants_after_insert_tg
after insert on hs_office_relation
for each row
execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
-- ============================================================================
--changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
@ -218,6 +262,10 @@ begin
if rbac.isGlobalAdmin() then
return NEW;
end if;
-- check INSERT permission via direct foreign key: NEW.partnerRelUuid
if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
return NEW;
end if;
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();