Compare commits
4 Commits
master
...
office-rba
| Author | SHA1 | Date | |
|---|---|---|---|
|
04138fe991 | ||
|
|
5c2aec1c37 | ||
|
|
97059c75a1 | ||
|
|
5aec875680 |
@ -115,7 +115,7 @@ classDiagram
|
||||
+BankAccount refundBankAccount
|
||||
+String defaultPrefix: mei
|
||||
}
|
||||
debitor-MeierGmbH o-- partner-MeierGmbH
|
||||
debitor-MeierGmbH o-- rel-MeierGmbH
|
||||
debitor-MeierGmbH *-- rel-MeierGmbH-Buha
|
||||
|
||||
class contactData-MeierGmbH-Buha {
|
||||
|
||||
@ -56,6 +56,8 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
|
||||
@Column(name = "caption")
|
||||
private String caption;
|
||||
|
||||
// TODO:impl: alert-Contacts
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return stringify.apply(this);
|
||||
|
||||
@ -87,7 +87,7 @@ public abstract class HsHostingAsset implements Stringifyable, BaseEntity<HsHost
|
||||
|
||||
@ManyToOne(fetch = FetchType.LAZY)
|
||||
@JoinColumn(name = "alarmcontactuuid")
|
||||
private HsOfficeContactRealEntity alarmContact;
|
||||
private HsOfficeContactRealEntity alarmContact; // TODO.impl: rename to alertContact, always/uncatched, 1:n
|
||||
|
||||
@Builder.Default
|
||||
@OneToMany(cascade = CascadeType.REFRESH, orphanRemoval = true, fetch = FetchType.LAZY)
|
||||
|
||||
@ -110,6 +110,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity<HsOffice
|
||||
usingDefaultCase(),
|
||||
directlyFetchedByDependsOnColumn(),
|
||||
dependsOnColumn("partnerRelUuid"))
|
||||
.toRole("partnerRel", AGENT).grantPermission(INSERT)
|
||||
.createPermission(DELETE).grantedTo("partnerRel", OWNER)
|
||||
.createPermission(UPDATE).grantedTo("partnerRel", ADMIN)
|
||||
.createPermission(SELECT).grantedTo("partnerRel", TENANT)
|
||||
|
||||
@ -98,6 +98,7 @@ public class HsOfficeRelationRbacEntity extends HsOfficeRelation {
|
||||
})
|
||||
.createSubRole(ADMIN, (with) -> {
|
||||
with.permission(UPDATE);
|
||||
with.outgoingSubRole("holderPerson", ADMIN); // FIXME: only for type=partner
|
||||
})
|
||||
.createSubRole(AGENT, (with) -> {
|
||||
// TODO.rbac: we need relation:PROXY, to allow changing the relation contact.
|
||||
|
||||
@ -90,6 +90,7 @@ role:relation:TENANT ==> role:anchorPerson:REFERRER
|
||||
role:relation:TENANT ==> role:holderPerson:REFERRER
|
||||
role:relation:TENANT ==> role:contact:REFERRER
|
||||
role:anchorPerson:ADMIN ==> role:relation:OWNER
|
||||
role:relation:ADMIN ==> role:holderPerson:ADMIN
|
||||
role:holderPerson:ADMIN ==> role:relation:AGENT
|
||||
|
||||
%% granting permissions to roles
|
||||
|
||||
@ -3,21 +3,21 @@
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-OBJECT endDelimiter:--//
|
||||
--changeset RbacObjectGenerator:hs-office-relation-rbac-OBJECT endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRelatedRbacObject('hs_office_relation');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-insert-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-insert-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -50,7 +50,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeRelationOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
incomingSuperRoles => array[rbac.globalADMIN()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
@ -82,6 +82,7 @@ begin
|
||||
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
|
||||
ELSE
|
||||
call rbac.grantRoleToRole(hsOfficePersonADMIN(newHolderPerson), hsOfficeRelationADMIN(NEW));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
||||
END IF;
|
||||
@ -110,7 +111,7 @@ execute procedure insertTriggerForHsOfficeRelation_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-update-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:hs-office-relation-rbac-update-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -151,7 +152,7 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to hs_office_person ----------------------------
|
||||
@ -178,7 +179,7 @@ $$;
|
||||
/**
|
||||
Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
|
||||
*/
|
||||
create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
|
||||
create or replace function new_hsof_relation_grants_insert_to_hsof_person_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -192,14 +193,14 @@ begin
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
|
||||
create trigger z_new_hs_office_relation_grants_after_insert_tg
|
||||
after insert on hs_office_person
|
||||
for each row
|
||||
execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
|
||||
execute procedure new_hsof_relation_grants_insert_to_hsof_person_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs_office_relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:hs-office-relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
@ -216,8 +217,8 @@ begin
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
|
||||
base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
raise exception '[403] insert into hs_office_relation values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_relation_insert_permission_check_tg
|
||||
@ -228,7 +229,7 @@ create trigger hs_office_relation_insert_permission_check_tg
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
--changeset RbacIdentityViewGenerator:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
|
||||
@ -241,7 +242,7 @@ call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
--changeset RbacRestrictedViewGenerator:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRestrictedView('hs_office_relation',
|
||||
$orderBy$
|
||||
|
||||
@ -105,10 +105,12 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||
role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
|
||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:rbac.global:ADMIN ==> perm:partner:INSERT
|
||||
role:partnerRel:AGENT ==> perm:partner:INSERT
|
||||
role:partnerRel:OWNER ==> perm:partner:DELETE
|
||||
role:partnerRel:ADMIN ==> perm:partner:UPDATE
|
||||
role:partnerRel:TENANT ==> perm:partner:SELECT
|
||||
|
||||
@ -42,6 +42,7 @@ begin
|
||||
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||
|
||||
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
@ -200,6 +201,49 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
|
||||
for each row
|
||||
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
|
||||
|
||||
-- granting INSERT permission to hs_office_relation ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row hs_office_relation;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
|
||||
|
||||
FOR row IN SELECT * FROM hs_office_relation
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||
hsOfficeRelationAGENT(row));
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
|
||||
*/
|
||||
create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||
hsOfficeRelationAGENT(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_partner_grants_after_insert_tg
|
||||
after insert on hs_office_relation
|
||||
for each row
|
||||
execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
@ -218,6 +262,10 @@ begin
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.partnerRelUuid
|
||||
if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
|
||||
@ -8,7 +8,7 @@ create table hs_office_debitor
|
||||
(
|
||||
uuid uuid unique references rbac.object (uuid) initially deferred,
|
||||
version int not null default 0,
|
||||
debitorNumberSuffix char(2) not null check (debitorNumberSuffix::text ~ '^[0-9][0-9]$'),
|
||||
debitorNumberSuffix char(2) not null check (debitorNumberSuffix::text ~ '^[0-9][0-9]$'), -- TODO.spec: more digits? max digits DATEV?
|
||||
debitorRelUuid uuid not null references hs_office_relation(uuid),
|
||||
billable boolean not null default true,
|
||||
vatId varchar(24),
|
||||
|
||||
@ -158,6 +158,7 @@ role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
|
||||
role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
||||
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel:ADMIN -.-> role:debitorRel.holderPerson:ADMIN
|
||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER
|
||||
role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
|
||||
@ -182,6 +183,7 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||
role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
|
||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||
role:partnerRel:ADMIN ==> role:debitorRel:ADMIN
|
||||
role:partnerRel:AGENT ==> role:debitorRel:AGENT
|
||||
|
||||
@ -117,6 +117,7 @@ role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
|
||||
role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
||||
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel:ADMIN -.-> role:debitorRel.holderPerson:ADMIN
|
||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:rbac.global:ADMIN -.-> role:bankAccount:OWNER
|
||||
role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
|
||||
|
||||
@ -8,7 +8,7 @@ CREATE TYPE HsOfficeMembershipStatus AS ENUM (
|
||||
'INVALID',
|
||||
'ACTIVE',
|
||||
'CANCELLED',
|
||||
'TRANSFERRED',
|
||||
'TRANSFERRED', -- only in legally mandatory cases (e.g. community of heirs -> single heir)
|
||||
'DECEASED',
|
||||
'LIQUIDATED',
|
||||
'EXPULSED',
|
||||
@ -22,7 +22,7 @@ create table if not exists hs_office_membership
|
||||
uuid uuid unique references rbac.object (uuid) initially deferred,
|
||||
version int not null default 0,
|
||||
partnerUuid uuid not null references hs_office_partner(uuid),
|
||||
memberNumberSuffix char(2) not null check (memberNumberSuffix::text ~ '^[0-9][0-9]$'),
|
||||
memberNumberSuffix char(2) not null check (memberNumberSuffix::text ~ '^[0-9][0-9]$'), -- TODO.spec: more digits?
|
||||
validity daterange not null,
|
||||
status HsOfficeMembershipStatus not null default 'ACTIVE',
|
||||
membershipFeeBillable boolean not null default true,
|
||||
|
||||
@ -103,6 +103,7 @@ role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||
role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
|
||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||
role:membership:OWNER ==> role:membership:ADMIN
|
||||
role:partnerRel:ADMIN ==> role:membership:ADMIN
|
||||
|
||||
@ -4,7 +4,13 @@
|
||||
--changeset michael.hoennig:hs-office-coopshares-MAIN-TABLE endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
CREATE TYPE HsOfficeCoopSharesTransactionType AS ENUM ('ADJUSTMENT', 'SUBSCRIPTION', 'CANCELLATION');
|
||||
CREATE TYPE HsOfficeCoopSharesTransactionType AS ENUM (
|
||||
'ADJUSTMENT',
|
||||
'SUBSCRIPTION',
|
||||
'CANCELLATION',
|
||||
'TRANSFER', -- only for legally mandatory cases (member deceased) TODO.spec: clarify if that's true
|
||||
'ADOPTION' -- only for legally mandatory cases (member deceased) TODO.spec: clarify if that's true
|
||||
);
|
||||
|
||||
CREATE CAST (character varying as HsOfficeCoopSharesTransactionType) WITH INOUT AS IMPLICIT;
|
||||
|
||||
|
||||
@ -104,6 +104,7 @@ role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:R
|
||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
|
||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.holderPerson:ADMIN
|
||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||
role:membership:OWNER -.-> role:membership:ADMIN
|
||||
role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
|
||||
|
||||
@ -4,14 +4,16 @@
|
||||
--changeset michael.hoennig:hs-office-coopassets-MAIN-TABLE endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
CREATE TYPE HsOfficeCoopAssetsTransactionType AS ENUM ('ADJUSTMENT',
|
||||
'DEPOSIT',
|
||||
'DISBURSAL',
|
||||
'TRANSFER',
|
||||
'ADOPTION',
|
||||
'CLEARING',
|
||||
'LOSS',
|
||||
'LIMITATION');
|
||||
CREATE TYPE HsOfficeCoopAssetsTransactionType AS ENUM (
|
||||
'ADJUSTMENT',
|
||||
'DEPOSIT',
|
||||
'DISBURSAL',
|
||||
'TRANSFER',
|
||||
'ADOPTION',
|
||||
'CLEARING',
|
||||
'LOSS',
|
||||
'LIMITATION'
|
||||
);
|
||||
|
||||
CREATE CAST (character varying as HsOfficeCoopAssetsTransactionType) WITH INOUT AS IMPLICIT;
|
||||
|
||||
|
||||
@ -104,6 +104,7 @@ role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:R
|
||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
|
||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.holderPerson:ADMIN
|
||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||
role:membership:OWNER -.-> role:membership:ADMIN
|
||||
role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
|
||||
|
||||
Loading…
Reference in New Issue
Block a user