src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java

@@ -110,7 +110,6 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
                         usingDefaultCase(),
                         directlyFetchedByDependsOnColumn(),
                         dependsOnColumn("partnerRelUuid"))
-                .toRole("partnerRel", AGENT).grantPermission(INSERT)
                 .createPermission(DELETE).grantedTo("partnerRel", OWNER)
                 .createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
                 .createPermission(SELECT).grantedTo("partnerRel", TENANT)

src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacEntity.java

@@ -98,7 +98,6 @@ public class HsOfficeRelationRbacEntity extends HsOfficeRelation {
                                     })
                                     .createSubRole(ADMIN, (with) -> {
                                         with.permission(UPDATE);
-                                        with.outgoingSubRole("holderPerson", ADMIN); // FIXME: only for type=partner
                                     })
                                     .createSubRole(AGENT, (with) -> {
                                         // TODO.rbac: we need relation:PROXY, to allow changing the relation contact.

src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md

@@ -90,7 +90,6 @@ role:relation:TENANT ==> role:anchorPerson:REFERRER
 role:relation:TENANT ==> role:holderPerson:REFERRER
 role:relation:TENANT ==> role:contact:REFERRER
 role:anchorPerson:ADMIN ==> role:relation:OWNER
-role:relation:ADMIN ==> role:holderPerson:ADMIN
 role:holderPerson:ADMIN ==> role:relation:AGENT
 
 %% granting permissions to roles

src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql

@@ -3,21 +3,21 @@
 
 
 -- ============================================================================
---changeset RbacObjectGenerator:hs-office-relation-rbac-OBJECT endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-OBJECT endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRelatedRbacObject('hs_office_relation');
 --//
 
 
 -- ============================================================================
---changeset RbacRoleDescriptorsGenerator:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
 --//
 
 
 -- ============================================================================
---changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-insert-trigger endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-insert-trigger endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /*
@@ -50,7 +50,7 @@ begin
     perform rbac.defineRoleWithGrants(
         hsOfficeRelationOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[rbac.globalADMIN()],
+            incomingSuperRoles => array[rbac.globalAdmin()],
             subjectUuids => array[rbac.currentSubjectUuid()]
     );
 
@@ -82,7 +82,6 @@ begin
         call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
         call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
     ELSE
-        call rbac.grantRoleToRole(hsOfficePersonADMIN(newHolderPerson), hsOfficeRelationADMIN(NEW));
         call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
         call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
     END IF;
@@ -111,7 +110,7 @@ execute procedure insertTriggerForHsOfficeRelation_tf();
 
 
 -- ============================================================================
---changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-update-trigger endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-update-trigger endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /*
@@ -152,7 +151,7 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
 
 
 -- ============================================================================
---changeset InsertTriggerGenerator:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 -- granting INSERT permission to hs_office_person ----------------------------
@@ -179,7 +178,7 @@ $$;
 /**
     Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
 */
-create or replace function new_hsof_relation_grants_insert_to_hsof_person_tf()
+create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
     returns trigger
     language plpgsql
     strict as $$
@@ -193,14 +192,14 @@ begin
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_relation_grants_after_insert_tg
+create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
     after insert on hs_office_person
     for each row
-execute procedure new_hsof_relation_grants_insert_to_hsof_person_tf();
+execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
 
 
 -- ============================================================================
---changeset InsertTriggerGenerator:hs-office-relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
+--changeset michael.hoennig:hs_office_relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /**
@@ -217,8 +216,8 @@ begin
         return NEW;
     end if;
 
-    raise exception '[403] insert into hs_office_relation values(%) not allowed for current subjects % (%)',
-            NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
+    raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
+            base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
 end; $$;
 
 create trigger hs_office_relation_insert_permission_check_tg
@@ -229,7 +228,7 @@ create trigger hs_office_relation_insert_permission_check_tg
 
 
 -- ============================================================================
---changeset RbacIdentityViewGenerator:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
@@ -242,7 +241,7 @@ call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
 
 
 -- ============================================================================
---changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
+--changeset michael.hoennig:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacRestrictedView('hs_office_relation',
     $orderBy$

src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md

@@ -105,12 +105,10 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
-role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 
 %% granting permissions to roles
 role:rbac.global:ADMIN ==> perm:partner:INSERT
-role:partnerRel:AGENT ==> perm:partner:INSERT
 role:partnerRel:OWNER ==> perm:partner:DELETE
 role:partnerRel:ADMIN ==> perm:partner:UPDATE
 role:partnerRel:TENANT ==> perm:partner:SELECT

src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql

@@ -42,7 +42,6 @@ begin
     SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
     assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
 
-
     call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
     call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
     call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
@@ -201,49 +200,6 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
     for each row
 execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
 
--- granting INSERT permission to hs_office_relation ----------------------------
-
-/*
-    Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
- */
-do language plpgsql $$
-    declare
-        row hs_office_relation;
-    begin
-        call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
-
-        FOR row IN SELECT * FROM hs_office_relation
-            -- unconditional for all rows in that table
-            LOOP
-                call rbac.grantPermissionToRole(
-                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
-                        hsOfficeRelationAGENT(row));
-            END LOOP;
-    end;
-$$;
-
-/**
-    Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
-*/
-create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
-    returns trigger
-    language plpgsql
-    strict as $$
-begin
-    -- unconditional for all rows in that table
-        call rbac.grantPermissionToRole(
-            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
-            hsOfficeRelationAGENT(NEW));
-    -- end.
-    return NEW;
-end; $$;
-
--- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_partner_grants_after_insert_tg
-    after insert on hs_office_relation
-    for each row
-execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
-
 
 -- ============================================================================
 --changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
@@ -262,10 +218,6 @@ begin
     if rbac.isGlobalAdmin() then
         return NEW;
     end if;
-    -- check INSERT permission via direct foreign key: NEW.partnerRelUuid
-    if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
-        return NEW;
-    end if;
 
     raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
             NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();