added some TODO.spec

doc/hs-office-data-structure.md

@@ -115,7 +115,7 @@ classDiagram
         +BankAccount refundBankAccount
         +String      defaultPrefix:          mei
     }
-    debitor-MeierGmbH o-- partner-MeierGmbH
+    debitor-MeierGmbH o-- rel-MeierGmbH
     debitor-MeierGmbH *-- rel-MeierGmbH-Buha
 
     class contactData-MeierGmbH-Buha {

src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java

@@ -56,6 +56,8 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
     @Column(name = "caption")
     private String caption;
 
+    // TODO:impl: alert-Contacts
+
     @Override
     public String toString() {
         return stringify.apply(this);

src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAsset.java

@@ -87,7 +87,7 @@ public abstract class HsHostingAsset implements Stringifyable, BaseEntity<HsHost
 
     @ManyToOne(fetch = FetchType.LAZY)
     @JoinColumn(name = "alarmcontactuuid")
-    private HsOfficeContactRealEntity alarmContact;
+    private HsOfficeContactRealEntity alarmContact; // TODO.impl: rename to alertContact, always/uncatched, 1:n
 
     @Builder.Default
     @OneToMany(cascade = CascadeType.REFRESH, orphanRemoval = true, fetch = FetchType.LAZY)

src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java

@@ -110,6 +110,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
                         usingDefaultCase(),
                         directlyFetchedByDependsOnColumn(),
                         dependsOnColumn("partnerRelUuid"))
+                .toRole("partnerRel", AGENT).grantPermission(INSERT)
                 .createPermission(DELETE).grantedTo("partnerRel", OWNER)
                 .createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
                 .createPermission(SELECT).grantedTo("partnerRel", TENANT)

src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacEntity.java

@@ -98,6 +98,7 @@ public class HsOfficeRelationRbacEntity extends HsOfficeRelation {
                                     })
                                     .createSubRole(ADMIN, (with) -> {
                                         with.permission(UPDATE);
+                                        with.outgoingSubRole("holderPerson", ADMIN); // FIXME: only for type=partner
                                     })
                                     .createSubRole(AGENT, (with) -> {
                                         // TODO.rbac: we need relation:PROXY, to allow changing the relation contact.

src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md

@@ -90,6 +90,7 @@ role:relation:TENANT ==> role:anchorPerson:REFERRER
 role:relation:TENANT ==> role:holderPerson:REFERRER
 role:relation:TENANT ==> role:contact:REFERRER
 role:anchorPerson:ADMIN ==> role:relation:OWNER
+role:relation:ADMIN ==> role:holderPerson:ADMIN
 role:holderPerson:ADMIN ==> role:relation:AGENT
 
 %% granting permissions to roles

src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql

@@ -3,21 +3,21 @@
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-OBJECT endDelimiter:--//
+--changeset RbacObjectGenerator:hs-office-relation-rbac-OBJECT endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRelatedRbacObject('hs_office_relation');
 --//
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
+--changeset RbacRoleDescriptorsGenerator:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
 --//
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-insert-trigger endDelimiter:--//
+--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-insert-trigger endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /*
@@ -50,7 +50,7 @@ begin
     perform rbac.defineRoleWithGrants(
         hsOfficeRelationOWNER(NEW),
             permissions => array['DELETE'],
-            incomingSuperRoles => array[rbac.globalAdmin()],
+            incomingSuperRoles => array[rbac.globalADMIN()],
             subjectUuids => array[rbac.currentSubjectUuid()]
     );
 
@@ -82,6 +82,7 @@ begin
         call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
         call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
     ELSE
+        call rbac.grantRoleToRole(hsOfficePersonADMIN(newHolderPerson), hsOfficeRelationADMIN(NEW));
         call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
         call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
     END IF;
@@ -110,7 +111,7 @@ execute procedure insertTriggerForHsOfficeRelation_tf();
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-update-trigger endDelimiter:--//
+--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-update-trigger endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /*
@@ -151,7 +152,7 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
+--changeset InsertTriggerGenerator:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 -- granting INSERT permission to hs_office_person ----------------------------
@@ -178,7 +179,7 @@ $$;
 /**
     Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
 */
-create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
+create or replace function new_hsof_relation_grants_insert_to_hsof_person_tf()
     returns trigger
     language plpgsql
     strict as $$
@@ -192,14 +193,14 @@ begin
 end; $$;
 
 -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
-create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
+create trigger z_new_hs_office_relation_grants_after_insert_tg
     after insert on hs_office_person
     for each row
-execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
+execute procedure new_hsof_relation_grants_insert_to_hsof_person_tf();
 
 
 -- ============================================================================
---changeset michael.hoennig:hs_office_relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
+--changeset InsertTriggerGenerator:hs-office-relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 /**
@@ -216,8 +217,8 @@ begin
         return NEW;
     end if;
 
-    raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
+    raise exception '[403] insert into hs_office_relation values(%) not allowed for current subjects % (%)',
-            base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
+            NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
 end; $$;
 
 create trigger hs_office_relation_insert_permission_check_tg
@@ -228,7 +229,7 @@ create trigger hs_office_relation_insert_permission_check_tg
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
+--changeset RbacIdentityViewGenerator:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
 call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
@@ -241,7 +242,7 @@ call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
 
 
 -- ============================================================================
---changeset michael.hoennig:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
+--changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call rbac.generateRbacRestrictedView('hs_office_relation',
     $orderBy$

src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md

@@ -105,10 +105,12 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 
 %% granting permissions to roles
 role:rbac.global:ADMIN ==> perm:partner:INSERT
+role:partnerRel:AGENT ==> perm:partner:INSERT
 role:partnerRel:OWNER ==> perm:partner:DELETE
 role:partnerRel:ADMIN ==> perm:partner:UPDATE
 role:partnerRel:TENANT ==> perm:partner:SELECT

src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql

@@ -42,6 +42,7 @@ begin
     SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid    INTO newPartnerDetails;
     assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
 
+
     call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
     call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
     call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
@@ -200,6 +201,49 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
     for each row
 execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
 
+-- granting INSERT permission to hs_office_relation ----------------------------
+
+/*
+    Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
+ */
+do language plpgsql $$
+    declare
+        row hs_office_relation;
+    begin
+        call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
+
+        FOR row IN SELECT * FROM hs_office_relation
+            -- unconditional for all rows in that table
+            LOOP
+                call rbac.grantPermissionToRole(
+                        rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
+                        hsOfficeRelationAGENT(row));
+            END LOOP;
+    end;
+$$;
+
+/**
+    Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
+*/
+create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
+    returns trigger
+    language plpgsql
+    strict as $$
+begin
+    -- unconditional for all rows in that table
+        call rbac.grantPermissionToRole(
+            rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
+            hsOfficeRelationAGENT(NEW));
+    -- end.
+    return NEW;
+end; $$;
+
+-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
+create trigger z_new_hs_office_partner_grants_after_insert_tg
+    after insert on hs_office_relation
+    for each row
+execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
+
 
 -- ============================================================================
 --changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
@@ -218,6 +262,10 @@ begin
     if rbac.isGlobalAdmin() then
         return NEW;
     end if;
+    -- check INSERT permission via direct foreign key: NEW.partnerRelUuid
+    if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
+        return NEW;
+    end if;
 
     raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
             NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();

src/main/resources/db/changelog/5-hs-office/506-debitor/5060-hs-office-debitor.sql

@@ -8,7 +8,7 @@ create table hs_office_debitor
 (
     uuid                    uuid unique references rbac.object (uuid) initially deferred,
     version                 int not null default 0,
-    debitorNumberSuffix     char(2) not null check (debitorNumberSuffix::text ~ '^[0-9][0-9]$'),
+    debitorNumberSuffix     char(2) not null check (debitorNumberSuffix::text ~ '^[0-9][0-9]$'), -- TODO.spec: more digits? max digits DATEV?
     debitorRelUuid          uuid not null references hs_office_relation(uuid),
     billable                boolean not null default true,
     vatId                   varchar(24),

src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md

@@ -158,6 +158,7 @@ role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:ADMIN -.-> role:debitorRel.holderPerson:ADMIN
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER
 role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
@@ -182,6 +183,7 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:ADMIN ==> role:debitorRel:ADMIN
 role:partnerRel:AGENT ==> role:debitorRel:AGENT

src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md

@@ -117,6 +117,7 @@ role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:ADMIN -.-> role:debitorRel.holderPerson:ADMIN
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:rbac.global:ADMIN -.-> role:bankAccount:OWNER
 role:bankAccount:OWNER -.-> role:bankAccount:ADMIN

src/main/resources/db/changelog/5-hs-office/510-membership/5100-hs-office-membership.sql

@@ -8,7 +8,7 @@ CREATE TYPE HsOfficeMembershipStatus AS ENUM (
     'INVALID',
     'ACTIVE',
     'CANCELLED',
-    'TRANSFERRED',
+    'TRANSFERRED', -- only in legally mandatory cases (e.g. community of heirs -> single heir)
     'DECEASED',
     'LIQUIDATED',
     'EXPULSED',
@@ -22,7 +22,7 @@ create table if not exists hs_office_membership
     uuid                    uuid unique references rbac.object (uuid) initially deferred,
     version                 int not null default 0,
     partnerUuid             uuid not null references hs_office_partner(uuid),
-    memberNumberSuffix      char(2) not null check (memberNumberSuffix::text ~ '^[0-9][0-9]$'),
+    memberNumberSuffix      char(2) not null check (memberNumberSuffix::text ~ '^[0-9][0-9]$'), -- TODO.spec: more digits?
     validity                daterange not null,
     status                  HsOfficeMembershipStatus not null default 'ACTIVE',
     membershipFeeBillable   boolean not null default true,

src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md

@@ -103,6 +103,7 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:membership:OWNER ==> role:membership:ADMIN
 role:partnerRel:ADMIN ==> role:membership:ADMIN

src/main/resources/db/changelog/5-hs-office/511-coopshares/5110-hs-office-coopshares.sql

@@ -4,7 +4,13 @@
 --changeset michael.hoennig:hs-office-coopshares-MAIN-TABLE endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-CREATE TYPE HsOfficeCoopSharesTransactionType AS ENUM ('ADJUSTMENT', 'SUBSCRIPTION', 'CANCELLATION');
+CREATE TYPE HsOfficeCoopSharesTransactionType AS ENUM (
+    'ADJUSTMENT',
+    'SUBSCRIPTION',
+    'CANCELLATION',
+    'TRANSFER', -- only for legally mandatory cases (member deceased) TODO.spec: clarify if that's true
+    'ADOPTION'  -- only for legally mandatory cases (member deceased) TODO.spec: clarify if that's true
+);
 
 CREATE CAST (character varying as HsOfficeCoopSharesTransactionType) WITH INOUT AS IMPLICIT;
 

src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md

@@ -104,6 +104,7 @@ role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:R
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:OWNER
+role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.holderPerson:ADMIN
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership:OWNER -.-> role:membership:ADMIN
 role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN

src/main/resources/db/changelog/5-hs-office/512-coopassets/5120-hs-office-coopassets.sql

@@ -4,14 +4,16 @@
 --changeset michael.hoennig:hs-office-coopassets-MAIN-TABLE endDelimiter:--//
 -- ----------------------------------------------------------------------------
 
-CREATE TYPE HsOfficeCoopAssetsTransactionType AS ENUM ('ADJUSTMENT',
+CREATE TYPE HsOfficeCoopAssetsTransactionType AS ENUM (
-                                                       'DEPOSIT',
+    'ADJUSTMENT',
-                                                       'DISBURSAL',
+    'DEPOSIT',
-                                                       'TRANSFER',
+    'DISBURSAL',
-                                                       'ADOPTION',
+    'TRANSFER',
-                                                       'CLEARING',
+    'ADOPTION',
-                                                       'LOSS',
+    'CLEARING',
-                                                       'LIMITATION');
+    'LOSS',
+    'LIMITATION'
+);
 
 CREATE CAST (character varying as HsOfficeCoopAssetsTransactionType) WITH INOUT AS IMPLICIT;
 

src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md

@@ -104,6 +104,7 @@ role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:R
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:OWNER
+role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.holderPerson:ADMIN
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership:OWNER -.-> role:membership:ADMIN
 role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN