WIP: introduce separate database schemas #102
@ -74,7 +74,7 @@ For restricted DB-users, which are used by the backend, access to rows is filter
|
||||
FOR SELECT
|
||||
TO restricted
|
||||
USING (
|
||||
isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid())
|
||||
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid())
|
||||
);
|
||||
|
||||
SET SESSION AUTHORIZATION restricted;
|
||||
@ -101,7 +101,7 @@ We are bound to PostgreSQL, including integration tests and testing the RBAC sys
|
||||
CREATE OR REPLACE RULE "_RETURN" AS
|
||||
ON SELECT TO cust_view
|
||||
DO INSTEAD
|
||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid());
|
||||
SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid());
|
||||
|
||||
SET SESSION AUTHORIZATION restricted;
|
||||
SET hsadminng.currentSubject TO 'alex@example.com';
|
||||
|
@ -239,7 +239,7 @@ This did not improve the performance.
|
||||
We were suspicious about the sequential scan over all `rbacpermission` rows which was done by PostgreSQL to execute a HashJoin strategy. Turning off that strategy by
|
||||
|
||||
```SQL
|
||||
ALTER FUNCTION queryAccessibleObjectUuidsOfSubjectIds SET enable_hashjoin = off;
|
||||
ALTER FUNCTION rbac.queryAccessibleObjectUuidsOfSubjectIds SET enable_hashjoin = off;
|
||||
```
|
||||
|
||||
did not improve the performance though. The HashJoin was actually still applied, but no full table scan anymore:
|
||||
@ -273,9 +273,9 @@ At this point, the import took 21mins with these statistics:
|
||||
| select hore1_0.uuid,a1_0.uuid,a1_0.familyname,a1_0.givenname,a1_0.persontype,a1_0.salutation,a1_0.title,a1_0.tradename,a1_0.version,c1_0.uuid,c1_0.caption,c1_0.emailaddresses,c1_0.phonenumbers,c1_0.postaladdress, c1_0.version,h1_0.uuid,h1_0.familyname,h1_0.givenname,h1_0.persontype,h1_0.salutation,h1_0.title,h1_0.tradename,h1_0.version,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 left join public.hs_office_person_rv a1_0 on a1_0.uuid=hore1_0.anchoruuid left join public.hs_office_contact_rv c1_0 on c1_0.uuid=hore1_0.contactuuid left join public.hs_office_person_rv h1_0 on h1_0.uuid=hore1_0.holderuuid where hore1_0.uuid=$1 | 517 | 11 | 1282 |
|
||||
| select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 973 | 4 | 254 |
|
||||
| select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 973 | 4 | 253 |
|
||||
| call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
|
||||
| call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
|
||||
| call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 |
|
||||
| select * from isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
|
||||
| select * from rbac.isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
|
||||
| insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 |
|
||||
| insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 |
|
||||
| insert into public.hs_office_relation_rv (anchoruuid,contactuuid,holderuuid,mark,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7) | 1261 | 0 | 9 |
|
||||
@ -297,8 +297,8 @@ We changed these mappings from `EAGER` (default) to `LAZY` to `@ManyToOne(fetch
|
||||
| select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 1015 | 4 | 238 |
|
||||
| select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 | 517 | 4 | 439 |
|
||||
| select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 497 | 2 | 213 |
|
||||
| call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
|
||||
| select * from isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
|
||||
| call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
|
||||
| select * from rbac.isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
|
||||
| call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 |
|
||||
| insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 |
|
||||
| insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 |
|
||||
@ -333,8 +333,8 @@ Now, the longest running queries are these:
|
||||
| 1 | 13.093 | 4 | 21 | insert into hs_hosting_asset( uuid, type, bookingitemuuid, parentassetuuid, assignedtoassetuuid, alarmcontactuuid, identifier, caption, config, version) values ( $1, $2, $3, $4, $5, $6, $7, $8, cast($9 as jsonb), $10) |
|
||||
| 2 | 517 | 4 | 502 | select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 |
|
||||
| 3 | 13.144 | 4 | 21 | call buildRbacSystemForHsHostingAsset(NEW) |
|
||||
| 4 | 96.632 | 3 | 2 | call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) |
|
||||
| 5 | 120.815 | 3 | 2 | select * from isGranted(array[granteeId], grantedId) |
|
||||
| 4 | 96.632 | 3 | 2 | call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) |
|
||||
| 5 | 120.815 | 3 | 2 | select * from rbac.isGranted(array[granteeId], grantedId) |
|
||||
| 6 | 123.740 | 3 | 2 | with recursive grants as ( select descendantUuid, ascendantUuid from RbacGrants where descendantUuid = grantedId union all select "grant".descendantUuid, "grant".ascendantUuid from RbacGrants "grant" inner join grants recur on recur.ascendantUuid = "grant".descendantUuid ) select exists ( select $3 from grants where ascendantUuid = any(granteeIds) ) or grantedId = any(granteeIds) |
|
||||
| 7 | 497 | 2 | 259 | select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 |
|
||||
| 8 | 497 | 2 | 255 | select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 |
|
||||
|
@ -605,7 +605,7 @@ Find the SQL script here: `28-hs-tests.sql`.
|
||||
We have tested two variants of the query for the restricted view,
|
||||
both utilizing a PostgreSQL function like this:
|
||||
|
||||
FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
|
||||
FUNCTION rbac.queryAccessibleObjectUuidsOfSubjectIds(
|
||||
requiredOp rbac.RbacOp,
|
||||
forObjectTable varchar,
|
||||
subjectIds uuid[],
|
||||
@ -623,7 +623,7 @@ Let's have a look at the two view queries:
|
||||
FROM customer AS target
|
||||
WHERE target.uuid IN (
|
||||
SELECT uuid
|
||||
FROM queryAccessibleObjectUuidsOfSubjectIds(
|
||||
FROM rbac.queryAccessibleObjectUuidsOfSubjectIds(
|
||||
'SELECT, 'customer', currentSubjectOrAssumedRolesUuids()));
|
||||
|
||||
This view should be automatically updatable.
|
||||
@ -641,7 +641,7 @@ Looks like the query optimizer needed some statistics to find the best path.
|
||||
CREATE OR REPLACE VIEW customer_rv AS
|
||||
SELECT DISTINCT target.*
|
||||
FROM customer AS target
|
||||
JOIN queryAccessibleObjectUuidsOfSubjectIds(
|
||||
JOIN rbac.queryAccessibleObjectUuidsOfSubjectIds(
|
||||
'SELECT, 'customer', currentSubjectOrAssumedRolesUuids()) AS allowedObjId
|
||||
ON target.uuid = allowedObjId;
|
||||
|
||||
|
@ -3,10 +3,10 @@
|
||||
-- --------------------------------------------------------
|
||||
|
||||
|
||||
select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
||||
select isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
||||
-- call grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
||||
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
||||
select rbac.isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
||||
select rbac.isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
||||
-- call rbac.grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
||||
-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
||||
|
||||
select count(*)
|
||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacSubject('superuser-fran@hostsharing.net'),
|
||||
@ -19,11 +19,11 @@ select *
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
|
||||
|
||||
select *
|
||||
FROM queryAllRbacSubjectsWithPermissionsFor(findEffectivePermissionId('customer',
|
||||
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer',
|
||||
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
|
||||
'add-package'));
|
||||
select *
|
||||
FROM queryAllRbacSubjectsWithPermissionsFor(findEffectivePermissionId('package',
|
||||
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package',
|
||||
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
|
||||
'DELETE'));
|
||||
|
||||
@ -34,12 +34,12 @@ $$
|
||||
result bool;
|
||||
BEGIN
|
||||
userId = findRbacSubject('superuser-alex@hostsharing.net');
|
||||
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
|
||||
result = (SELECT * FROM rbac.isPermissionGrantedToSubject(rbac.findPermissionId('package', 94928, 'add-package'), userId));
|
||||
IF (result) THEN
|
||||
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
||||
end if;
|
||||
|
||||
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'SELECT'), userId));
|
||||
result = (SELECT * FROM rbac.isPermissionGrantedToSubject(rbac.findPermissionId('package', 94928, 'SELECT'), userId));
|
||||
IF (NOT result) THEN
|
||||
RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
|
||||
end if;
|
||||
|
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
|
||||
TO restricted
|
||||
USING (
|
||||
-- id=1000
|
||||
isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid())
|
||||
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid())
|
||||
);
|
||||
|
||||
SET SESSION AUTHORIZATION restricted;
|
||||
@ -35,7 +35,7 @@ SELECT * FROM customer;
|
||||
CREATE OR REPLACE RULE "_RETURN" AS
|
||||
ON SELECT TO cust_view
|
||||
DO INSTEAD
|
||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid());
|
||||
SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid());
|
||||
SELECT * from cust_view LIMIT 10;
|
||||
|
||||
select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
|
||||
|
@ -69,7 +69,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
|
||||
public static RbacView rbac() {
|
||||
return rbacViewFor("project", HsBookingProject.class)
|
||||
.withIdentityView(SQL.query("""
|
||||
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
|
||||
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || base.cleanIdentifier(bookingProject.caption) as idName
|
||||
FROM hs_booking_project bookingProject
|
||||
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
|
||||
"""))
|
||||
|
@ -41,7 +41,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
|
||||
public static RbacView rbac() {
|
||||
return rbacViewFor("project", HsBookingProjectRbacEntity.class)
|
||||
.withIdentityView(SQL.query("""
|
||||
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
|
||||
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || base.cleanIdentifier(bookingProject.caption) as idName
|
||||
FROM hs_booking_project bookingProject
|
||||
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
|
||||
"""))
|
||||
|
@ -72,7 +72,7 @@ public class InsertTriggerGenerator {
|
||||
FOR row IN SELECT * FROM ${rawSuperTable}
|
||||
${whenCondition}
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', '${rawSubTable}'),
|
||||
${superRoleRef});
|
||||
END LOOP;
|
||||
@ -106,7 +106,7 @@ public class InsertTriggerGenerator {
|
||||
strict as $$
|
||||
begin
|
||||
${ifConditionThen}
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
|
||||
${superRoleRef});
|
||||
${ifConditionEnd}
|
||||
@ -225,7 +225,7 @@ public class InsertTriggerGenerator {
|
||||
plPgSql.writeLn(
|
||||
"""
|
||||
-- check INSERT permission via direct foreign key: NEW.${refColumn}
|
||||
if ${caseCondition}hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then
|
||||
if ${caseCondition}rbac.hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then
|
||||
return NEW;
|
||||
end if;
|
||||
""",
|
||||
@ -238,7 +238,7 @@ public class InsertTriggerGenerator {
|
||||
-- check INSERT permission via indirect foreign key: NEW.${refColumn}
|
||||
superObjectUuid := (${fetchSql});
|
||||
assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL';
|
||||
if ${caseCondition}hasInsertPermission(superObjectUuid, '${rawSubTable}') then
|
||||
if ${caseCondition}rbac.hasInsertPermission(superObjectUuid, '${rawSubTable}') then
|
||||
return NEW;
|
||||
end if;
|
||||
""",
|
||||
@ -255,7 +255,7 @@ public class InsertTriggerGenerator {
|
||||
plPgSql.writeLn();
|
||||
plPgSql.writeLn("""
|
||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||
|
@ -309,7 +309,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
private String generateRevoke(RbacGrantDefinition grantDef) {
|
||||
return switch (grantDef.grantType()) {
|
||||
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
|
||||
case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
|
||||
case ROLE_TO_ROLE -> "call rbac.revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
|
||||
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
|
||||
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
|
||||
case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});"
|
||||
@ -321,13 +321,13 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
private String generateGrant(RbacGrantDefinition grantDef) {
|
||||
final var grantSql = switch (grantDef.grantType()) {
|
||||
case ROLE_TO_USER -> throw new IllegalArgumentException("unexpected grant");
|
||||
case ROLE_TO_ROLE -> "call grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
|
||||
case ROLE_TO_ROLE -> "call rbac.grantRoleToRole(${subRoleRef}, ${superRoleRef}${assumed});"
|
||||
.replace("${assumed}", grantDef.isAssumed() ? "" : ", unassumed()")
|
||||
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
|
||||
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
||||
case PERM_TO_ROLE ->
|
||||
grantDef.getPermDef().getPermission() == INSERT ? ""
|
||||
: "call grantPermissionToRole(${permRef}, ${superRoleRef});"
|
||||
: "call rbac.grantPermissionToRole(${permRef}, ${superRoleRef});"
|
||||
.replace("${permRef}", createPerm(NEW, grantDef.getPermDef()))
|
||||
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
||||
};
|
||||
@ -335,11 +335,11 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
}
|
||||
|
||||
private String findPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||
return permRef("findPermissionId", ref, permDef);
|
||||
return permRef("rbac.findPermissionId", ref, permDef);
|
||||
}
|
||||
|
||||
private String getPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||
return permRef("getPermissionId", ref, permDef);
|
||||
return permRef("rbac.getPermissionId", ref, permDef);
|
||||
}
|
||||
|
||||
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
|
||||
|
@ -142,7 +142,7 @@ begin
|
||||
return string_to_array(current_setting('hsadminng.assumedRoles', true), ';');
|
||||
end; $$;
|
||||
|
||||
create or replace function cleanIdentifier(rawIdentifier varchar)
|
||||
create or replace function base.cleanIdentifier(rawIdentifier varchar)
|
||||
returns varchar
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
@ -153,21 +153,21 @@ begin
|
||||
return cleanIdentifier;
|
||||
end; $$;
|
||||
|
||||
create or replace function pureIdentifier(rawIdentifier varchar)
|
||||
create or replace function base.pureIdentifier(rawIdentifier varchar)
|
||||
returns varchar
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
cleanIdentifier varchar;
|
||||
begin
|
||||
cleanIdentifier := cleanIdentifier(rawIdentifier);
|
||||
cleanIdentifier := base.cleanIdentifier(rawIdentifier);
|
||||
if cleanIdentifier != rawIdentifier then
|
||||
raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier;
|
||||
end if;
|
||||
return cleanIdentifier;
|
||||
end; $$;
|
||||
|
||||
create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
||||
create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
@ -175,8 +175,8 @@ declare
|
||||
sql varchar;
|
||||
uuid uuid;
|
||||
begin
|
||||
objectTable := pureIdentifier(objectTable);
|
||||
objectIdName := pureIdentifier(objectIdName);
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
objectIdName := base.pureIdentifier(objectIdName);
|
||||
sql := format('select * from %sUuidByIdName(%L);', objectTable, objectIdName);
|
||||
begin
|
||||
execute sql into uuid;
|
||||
@ -187,7 +187,7 @@ begin
|
||||
return uuid;
|
||||
end ; $$;
|
||||
|
||||
create or replace function findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
|
||||
create or replace function base.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
|
||||
returns varchar
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
@ -195,7 +195,7 @@ declare
|
||||
sql varchar;
|
||||
idName varchar;
|
||||
begin
|
||||
objectTable := pureIdentifier(objectTable);
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
sql := format('select * from %sIdNameByUuid(%L::uuid);', objectTable, objectUuid);
|
||||
begin
|
||||
execute sql into idName;
|
||||
@ -206,7 +206,7 @@ begin
|
||||
return idName;
|
||||
end ; $$;
|
||||
|
||||
create or replace function currentSubjects()
|
||||
create or replace function base.currentSubjects()
|
||||
returns varchar(1023)[]
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
@ -221,7 +221,7 @@ begin
|
||||
end if;
|
||||
end; $$;
|
||||
|
||||
create or replace function hasAssumedRole()
|
||||
create or replace function base.hasAssumedRole()
|
||||
returns boolean
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
|
@ -8,8 +8,8 @@
|
||||
*/
|
||||
do $$
|
||||
begin
|
||||
if not exists(select 1 from pg_type where typname = 'operation') then
|
||||
create type "operation" as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
||||
if not exists(select 1 from pg_type where typname = 'base.tx_operation') then
|
||||
create type base.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
||||
end if;
|
||||
--more types here...
|
||||
end $$;
|
||||
@ -45,7 +45,7 @@ create table base.tx_journal
|
||||
txId xid8 not null references base.tx_context (txId),
|
||||
targetTable text not null,
|
||||
targetUuid uuid not null, -- Assumes that all audited tables have a uuid column.
|
||||
targetOp operation not null,
|
||||
targetOp base.tx_operation not null,
|
||||
targetDelta jsonb
|
||||
);
|
||||
|
||||
@ -91,17 +91,17 @@ begin
|
||||
when 'INSERT' then insert
|
||||
into base.tx_journal
|
||||
values (curTxId,
|
||||
tg_table_name, new.uuid, tg_op::operation,
|
||||
tg_table_name, new.uuid, tg_op::base.tx_operation,
|
||||
to_jsonb(new));
|
||||
when 'UPDATE' then insert
|
||||
into base.tx_journal
|
||||
values (curTxId,
|
||||
tg_table_name, old.uuid, tg_op::operation,
|
||||
tg_table_name, old.uuid, tg_op::base.tx_operation,
|
||||
base.jsonb_changes_delta(to_jsonb(old), to_jsonb(new)));
|
||||
when 'DELETE' then insert
|
||||
into base.tx_journal
|
||||
values (curTxId,
|
||||
tg_table_name, old.uuid, 'DELETE'::operation,
|
||||
tg_table_name, old.uuid, 'DELETE'::base.tx_operation,
|
||||
null::jsonb);
|
||||
else raise exception 'Trigger op % not supported for %.', tg_op, tg_table_name;
|
||||
end case;
|
||||
|
@ -40,9 +40,9 @@ end; $$;
|
||||
--changeset hs-global-historization-tx-historicize-tf:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create type base.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
||||
-- create type base.tx_operation as enum ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
||||
|
||||
create or replace function tx_historicize_tf()
|
||||
create or replace function base.tx_historicize_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
@ -153,7 +153,7 @@ begin
|
||||
-- "-9-" to put the trigger execution after any alphabetically lesser tx-triggers
|
||||
createTriggerSQL = 'CREATE TRIGGER tx_9_historicize_tg' ||
|
||||
' AFTER INSERT OR DELETE OR UPDATE ON ' || baseTable ||
|
||||
' FOR EACH ROW EXECUTE PROCEDURE tx_historicize_tf()';
|
||||
' FOR EACH ROW EXECUTE PROCEDURE base.tx_historicize_tf()';
|
||||
raise notice 'sql: %', createTriggerSQL;
|
||||
execute createTriggerSQL;
|
||||
|
||||
|
@ -262,7 +262,7 @@ begin
|
||||
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
|
||||
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
|
||||
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
|
||||
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||
objectUuidOfRole = base.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||
|
||||
select uuid
|
||||
from rbac.role
|
||||
@ -424,7 +424,7 @@ begin
|
||||
return permissionUuid;
|
||||
end; $$;
|
||||
|
||||
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
create or replace function rbac.findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@ -436,7 +436,7 @@ select uuid
|
||||
and p.opTableName = forOpTableName
|
||||
$$;
|
||||
|
||||
create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
create or replace function rbac.findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@ -448,7 +448,7 @@ select uuid
|
||||
and p.opTableName = forOpTableName
|
||||
$$;
|
||||
|
||||
create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
create or replace function rbac.getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
@ -471,7 +471,7 @@ end; $$;
|
||||
--changeset rbac-base-duplicate-role-grant-exception:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create or replace procedure raiseDuplicateRoleGrantException(subRoleId uuid, superRoleId uuid)
|
||||
create or replace procedure rbac.raiseDuplicateRoleGrantException(subRoleId uuid, superRoleId uuid)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
subRoleIdName text;
|
||||
@ -505,7 +505,7 @@ create index on rbac.grants (ascendantUuid);
|
||||
create index on rbac.grants (descendantUuid);
|
||||
|
||||
call base.create_journal('rbac.grants');
|
||||
create or replace function findGrantees(grantedId uuid)
|
||||
create or replace function rbac.findGrantees(grantedId uuid)
|
||||
returns setof rbac.reference
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
@ -523,7 +523,7 @@ select ref.*
|
||||
join rbac.reference ref on ref.uuid = grants.ascendantUuid;
|
||||
$$;
|
||||
|
||||
create or replace function isGranted(granteeIds uuid[], grantedId uuid)
|
||||
create or replace function rbac.isGranted(granteeIds uuid[], grantedId uuid)
|
||||
returns bool
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
@ -543,13 +543,13 @@ select exists (
|
||||
) or grantedId = any(granteeIds);
|
||||
$$;
|
||||
|
||||
create or replace function isGranted(granteeId uuid, grantedId uuid)
|
||||
create or replace function rbac.isGranted(granteeId uuid, grantedId uuid)
|
||||
returns bool
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
select * from isGranted(array[granteeId], grantedId);
|
||||
select * from rbac.isGranted(array[granteeId], grantedId);
|
||||
$$;
|
||||
create or replace function isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
|
||||
create or replace function rbac.isPermissionGrantedToSubject(permissionId uuid, subjectId uuid)
|
||||
returns BOOL
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
@ -569,19 +569,19 @@ select exists(
|
||||
);
|
||||
$$;
|
||||
|
||||
create or replace function hasInsertPermission(objectUuid uuid, tableName text )
|
||||
create or replace function rbac.hasInsertPermission(objectUuid uuid, tableName text )
|
||||
returns BOOL
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
permissionUuid uuid;
|
||||
begin
|
||||
permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
|
||||
permissionUuid = rbac.findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
|
||||
return permissionUuid is not null;
|
||||
end;
|
||||
$$;
|
||||
|
||||
create or replace function hasGlobalRoleGranted(forAscendantUuid uuid)
|
||||
create or replace function rbac.hasGlobalRoleGranted(forAscendantUuid uuid)
|
||||
returns bool
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
@ -595,7 +595,7 @@ select exists(
|
||||
);
|
||||
$$;
|
||||
|
||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleUuid uuid)
|
||||
create or replace procedure rbac.grantPermissionToRole(permissionUuid uuid, roleUuid uuid)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'rbac.role');
|
||||
@ -608,21 +608,21 @@ begin
|
||||
end;
|
||||
$$;
|
||||
|
||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
||||
create or replace procedure rbac.grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
|
||||
call rbac.grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
|
||||
end;
|
||||
$$;
|
||||
|
||||
create or replace procedure grantRoleToRole(subRoleId uuid, superRoleId uuid, doAssume bool = true)
|
||||
create or replace procedure rbac.grantRoleToRole(subRoleId uuid, superRoleId uuid, doAssume bool = true)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||
|
||||
if isGranted(subRoleId, superRoleId) then
|
||||
call raiseDuplicateRoleGrantException(subRoleId, superRoleId);
|
||||
if rbac.isGranted(subRoleId, superRoleId) then
|
||||
call rbac.raiseDuplicateRoleGrantException(subRoleId, superRoleId);
|
||||
end if;
|
||||
|
||||
insert
|
||||
@ -632,13 +632,13 @@ begin
|
||||
end; $$;
|
||||
|
||||
|
||||
create or replace procedure grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
|
||||
create or replace procedure rbac.grantRoleToRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor, doAssume bool = true)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superRoleId uuid;
|
||||
subRoleId uuid;
|
||||
begin
|
||||
-- TODO.refa: maybe separate method grantRoleToRoleIfNotNull(...) for NULLABLE references
|
||||
-- TODO.refa: maybe separate method rbac.grantRoleToRoleIfNotNull(...) for NULLABLE references
|
||||
if superRole.objectUuid is null or subRole.objectuuid is null then
|
||||
return;
|
||||
end if;
|
||||
@ -649,8 +649,8 @@ begin
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||
|
||||
if isGranted(subRoleId, superRoleId) then
|
||||
call raiseDuplicateRoleGrantException(subRoleId, superRoleId);
|
||||
if rbac.isGranted(subRoleId, superRoleId) then
|
||||
call rbac.raiseDuplicateRoleGrantException(subRoleId, superRoleId);
|
||||
end if;
|
||||
|
||||
insert
|
||||
@ -659,7 +659,7 @@ begin
|
||||
on conflict do nothing; -- allow granting multiple times
|
||||
end; $$;
|
||||
|
||||
create or replace procedure revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
|
||||
create or replace procedure rbac.revokeRoleFromRole(subRole rbac.RoleDescriptor, superRole rbac.RoleDescriptor)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superRoleId uuid;
|
||||
@ -671,7 +671,7 @@ begin
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||
|
||||
if (isGranted(superRoleId, subRoleId)) then
|
||||
if (rbac.isGranted(superRoleId, subRoleId)) then
|
||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId;
|
||||
else
|
||||
raise exception 'cannot revoke role % (%) from % (%) because it is not granted',
|
||||
@ -692,7 +692,7 @@ begin
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
||||
|
||||
if (isGranted(superRoleId, permissionId)) then
|
||||
if (rbac.isGranted(superRoleId, permissionId)) then
|
||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
|
||||
else
|
||||
select p.op, o.objectTable, o.uuid
|
||||
@ -713,7 +713,7 @@ end; $$;
|
||||
/*
|
||||
|
||||
*/
|
||||
create or replace function queryAccessibleObjectUuidsOfSubjectIds(
|
||||
create or replace function rbac.queryAccessibleObjectUuidsOfSubjectIds(
|
||||
requiredOp rbac.RbacOp,
|
||||
forObjectTable varchar,
|
||||
subjectIds uuid[],
|
||||
@ -765,7 +765,7 @@ $$;
|
||||
/*
|
||||
Returns all permissions accessible to the given subject UUID (subject or role).
|
||||
*/
|
||||
create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid)
|
||||
create or replace function rbac.queryPermissionsGrantedToSubjectId(subjectId uuid)
|
||||
returns setof rbac.permission
|
||||
strict
|
||||
language sql as $$
|
||||
@ -795,7 +795,7 @@ $$;
|
||||
Returns all subject UUIDs which have any permission for the given object UUID.
|
||||
*/
|
||||
|
||||
create or replace function queryAllRbacSubjectsWithPermissionsFor(objectId uuid)
|
||||
create or replace function rbac.queryAllRbacSubjectsWithPermissionsFor(objectId uuid)
|
||||
returns setof rbac.subject
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
|
@ -48,12 +48,12 @@ begin
|
||||
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
|
||||
assert subjectUuid is not null, 'subjectUuid must not be null';
|
||||
|
||||
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||
if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||
select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
|
||||
raise exception '[403] Access to granted-by-role % (%) forbidden for % (%)',
|
||||
grantedByRoleIdName, grantedByRoleUuid, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
grantedByRoleIdName, grantedByRoleUuid, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end if;
|
||||
if NOT isGranted(grantedByRoleUuid, grantedRoleUuid) then
|
||||
if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then
|
||||
select roleIdName from rbac.role_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
|
||||
select roleIdName from rbac.role_ev where uuid=grantedRoleUuid into grantedRoleIdName;
|
||||
raise exception '[403] Access to granted role % (%) forbidden for % (%)',
|
||||
@ -81,20 +81,20 @@ begin
|
||||
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'rbac.role');
|
||||
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
||||
|
||||
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
|
||||
if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, rbac.currentSubjects();
|
||||
end if;
|
||||
|
||||
if NOT isGranted(grantedByRoleUuid, grantedRoleUuid) then
|
||||
raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, currentSubjects();
|
||||
if NOT rbac.isGranted(grantedByRoleUuid, grantedRoleUuid) then
|
||||
raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, rbac.currentSubjects();
|
||||
end if;
|
||||
|
||||
--raise exception 'isGranted(%, %)', rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid;
|
||||
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
|
||||
--raise exception 'rbac.isGranted(%, %)', rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid;
|
||||
if NOT rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, rbac.currentSubjects();
|
||||
end if;
|
||||
|
||||
if NOT isGranted(subjectUuid, grantedRoleUuid) then
|
||||
if NOT rbac.isGranted(subjectUuid, grantedRoleUuid) then
|
||||
raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid;
|
||||
end if;
|
||||
end; $$;
|
||||
|
@ -5,7 +5,7 @@
|
||||
--changeset rbac-context-DETERMINE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create or replace function determineCurrentSubjectUuid(currentSubject varchar)
|
||||
create or replace function rbac.determineCurrentSubjectUuid(currentSubject varchar)
|
||||
returns uuid
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
@ -23,7 +23,7 @@ begin
|
||||
return currentSubjectUuid;
|
||||
end; $$;
|
||||
|
||||
create or replace function determineCurrentSubjectOrAssumedRolesUuids(currentSubjectOrAssumedRolesUuids uuid, assumedRoles varchar)
|
||||
create or replace function rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectOrAssumedRolesUuids uuid, assumedRoles varchar)
|
||||
returns uuid[]
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
@ -55,7 +55,7 @@ begin
|
||||
objectNameToAssume = split_part(roleNameParts, '#', 2);
|
||||
roleTypeToAssume = split_part(roleNameParts, '#', 3);
|
||||
|
||||
objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
objectUuidToAssume = base.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
if objectUuidToAssume is null then
|
||||
raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
|
||||
end if;
|
||||
@ -68,7 +68,7 @@ begin
|
||||
if roleUuidToAssume is null then
|
||||
raise exception '[403] role % does not exist or is not accessible for subject %', roleName, base.currentSubject();
|
||||
end if;
|
||||
if not isGranted(currentSubjectOrAssumedRolesUuids, roleUuidToAssume) then
|
||||
if not rbac.isGranted(currentSubjectOrAssumedRolesUuids, roleUuidToAssume) then
|
||||
raise exception '[403] subject % has no permission to assume role %', base.currentSubject(), roleName;
|
||||
end if;
|
||||
roleIdsToAssume := roleIdsToAssume || roleUuidToAssume;
|
||||
@ -99,12 +99,12 @@ begin
|
||||
execute format('set local hsadminng.currentRequest to %L', currentRequest);
|
||||
|
||||
execute format('set local hsadminng.currentSubject to %L', currentSubject);
|
||||
select determineCurrentSubjectUuid(currentSubject) into currentSubjectUuid;
|
||||
select rbac.determineCurrentSubjectUuid(currentSubject) into currentSubjectUuid;
|
||||
execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, ''));
|
||||
|
||||
execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
|
||||
execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L',
|
||||
(select array_to_string(determineCurrentSubjectOrAssumedRolesUuids(currentSubjectUuid, assumedRoles), ';')));
|
||||
(select array_to_string(rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectUuid, assumedRoles), ';')));
|
||||
|
||||
raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles;
|
||||
end; $$;
|
||||
|
@ -13,7 +13,7 @@ select (objectTable || '#' || objectIdName || ':' || roleType) as roleIdName, *
|
||||
-- @formatter:off
|
||||
from (
|
||||
select r.*,
|
||||
o.objectTable, findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
o.objectTable, base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.role as r
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
) as unordered
|
||||
@ -34,10 +34,10 @@ select *
|
||||
-- @formatter:off
|
||||
from (
|
||||
select r.*, o.objectTable,
|
||||
findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.role as r
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
where isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
|
||||
where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
|
||||
) as unordered
|
||||
-- @formatter:on
|
||||
order by objectTable || '#' || objectIdName || ':' || roleType;
|
||||
@ -57,7 +57,7 @@ create or replace view rbacgrants_ev as
|
||||
-- @formatter:off
|
||||
select x.grantUuid as uuid,
|
||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
||||
go.objectTable || '#' || findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
go.objectTable || '#' || base.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
x.ascendingIdName as ascendantIdName,
|
||||
x.descendingIdName as descendantIdName,
|
||||
x.grantedByRoleUuid,
|
||||
@ -72,15 +72,15 @@ create or replace view rbacgrants_ev as
|
||||
|
||||
coalesce(
|
||||
'user:' || au.name,
|
||||
'role:' || aro.objectTable || '#' || findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
|
||||
'role:' || aro.objectTable || '#' || base.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
|
||||
) as ascendingIdName,
|
||||
aro.objectTable, aro.uuid,
|
||||
( case
|
||||
when dro is not null
|
||||
then ('role:' || dro.objectTable || '#' || findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
|
||||
then ('role:' || dro.objectTable || '#' || base.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
|
||||
when dp.op = 'INSERT'
|
||||
then 'perm:' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
|
||||
else 'perm:' || dpo.objecttable || '#' || findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
|
||||
then 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
|
||||
else 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
|
||||
end
|
||||
) as descendingIdName,
|
||||
dro.objectTable, dro.uuid,
|
||||
@ -115,19 +115,19 @@ create or replace view rbacgrants_ev as
|
||||
drop view if exists rbacgrants_rv;
|
||||
create or replace view rbacgrants_rv as
|
||||
-- @formatter:off
|
||||
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
||||
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
|
||||
from (
|
||||
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||
u.name as userName, o.objecttable, r.objectuuid, r.roletype,
|
||||
findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.grants as g
|
||||
join rbac.role as r on r.uuid = g.descendantUuid
|
||||
join rbac.object o on o.uuid = r.objectuuid
|
||||
left outer join rbac.subject u on u.uuid = g.ascendantuuid
|
||||
where isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
|
||||
where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
|
||||
) as g
|
||||
join rbac.role as r on r.uuid = grantedByRoleUuid
|
||||
join rbac.object as o on o.uuid = r.objectUuid
|
||||
@ -242,7 +242,7 @@ create or replace view rbac.subject_rv as
|
||||
select users.*
|
||||
from rbac.subject as users
|
||||
where cardinality(base.assumedRoles()) = 0 and
|
||||
(rbac.currentSubjectUuid() = users.uuid or hasGlobalRoleGranted(rbac.currentSubjectUuid()))
|
||||
(rbac.currentSubjectUuid() = users.uuid or rbac.hasGlobalRoleGranted(rbac.currentSubjectUuid()))
|
||||
|
||||
) as unordered
|
||||
-- @formatter:on
|
||||
@ -295,11 +295,11 @@ execute function rbac.insert_subject_tf();
|
||||
|
||||
Checks if the current subject (user / assumed role) has the permission to delete the user.
|
||||
*/
|
||||
create or replace function delete_subject_tf()
|
||||
create or replace function rbac.delete_subject_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
begin
|
||||
if rbac.currentSubjectUuid() = old.uuid or hasGlobalRoleGranted(rbac.currentSubjectUuid()) then
|
||||
if rbac.currentSubjectUuid() = old.uuid or rbac.hasGlobalRoleGranted(rbac.currentSubjectUuid()) then
|
||||
delete from rbac.subject where uuid = old.uuid;
|
||||
return old;
|
||||
end if;
|
||||
@ -313,7 +313,7 @@ create trigger delete_subject_tg
|
||||
instead of delete
|
||||
on rbac.subject_rv
|
||||
for each row
|
||||
execute function delete_subject_tf();
|
||||
execute function rbac.delete_subject_tf();
|
||||
--/
|
||||
|
||||
-- ============================================================================
|
||||
@ -353,7 +353,7 @@ begin
|
||||
-- @formatter:off
|
||||
currentSubjectUuid := rbac.currentSubjectUuid();
|
||||
|
||||
if hasGlobalRoleGranted(targetSubjectUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then
|
||||
if rbac.hasGlobalRoleGranted(targetSubjectUuid) and not rbac.hasGlobalRoleGranted(currentSubjectUuid) then
|
||||
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, base.currentSubject();
|
||||
end if;
|
||||
|
||||
@ -364,17 +364,17 @@ begin
|
||||
xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
|
||||
from (select
|
||||
r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,
|
||||
findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
|
||||
base.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
|
||||
p.uuid as permissionUuid, p.op, p.opTableName,
|
||||
po.objecttable as permissionObjectTable,
|
||||
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
base.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
po.uuid as permissionObjectUuid
|
||||
from queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||
join rbac.grants as g on g.descendantUuid = p.uuid
|
||||
join rbac.object as po on po.uuid = p.objectUuid
|
||||
join rbac.role_rv as r on r.uuid = g.ascendantUuid
|
||||
join rbac.object as ro on ro.uuid = r.objectUuid
|
||||
where isGranted(targetSubjectUuid, r.uuid)
|
||||
where rbac.isGranted(targetSubjectUuid, r.uuid)
|
||||
) xp;
|
||||
-- @formatter:on
|
||||
end; $$;
|
||||
|
@ -33,19 +33,19 @@ begin
|
||||
foreach permission in array permissions
|
||||
loop
|
||||
permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission);
|
||||
call grantPermissionToRole(permissionUuid, roleUuid);
|
||||
call rbac.grantPermissionToRole(permissionUuid, roleUuid);
|
||||
end loop;
|
||||
|
||||
foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
|
||||
loop
|
||||
superRoleUuid := rbac.getRoleId(superRoleDesc);
|
||||
call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
|
||||
call rbac.grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
|
||||
end loop;
|
||||
|
||||
foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
|
||||
loop
|
||||
subRoleUuid := rbac.getRoleId(subRoleDesc);
|
||||
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
||||
call rbac.grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
||||
end loop;
|
||||
|
||||
if cardinality(subjectUuids) > 0 then
|
||||
|
@ -148,7 +148,7 @@ begin
|
||||
targettable := lower(targettable);
|
||||
|
||||
sqlQuery = format($sql$
|
||||
select target.uuid, cleanIdentifier(%2$s) as idName
|
||||
select target.uuid, base.cleanIdentifier(%2$s) as idName
|
||||
from %1$s as target;
|
||||
$sql$, targetTable, sqlProjection);
|
||||
call rbac.generateRbacIdentityViewFromQuery(targetTable, sqlQuery);
|
||||
@ -256,7 +256,7 @@ begin
|
||||
returns trigger
|
||||
language plpgsql as $f$
|
||||
begin
|
||||
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('DELETE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then
|
||||
if old.uuid in (select rbac.queryAccessibleObjectUuidsOfSubjectIds('DELETE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then
|
||||
delete from %1$s p where p.uuid = old.uuid;
|
||||
return old;
|
||||
end if;
|
||||
@ -287,7 +287,7 @@ begin
|
||||
returns trigger
|
||||
language plpgsql as $f$
|
||||
begin
|
||||
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('UPDATE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then
|
||||
if old.uuid in (select rbac.queryAccessibleObjectUuidsOfSubjectIds('UPDATE', '%1$s', rbac.currentSubjectOrAssumedRolesUuids())) then
|
||||
update %1$s
|
||||
set %2$s
|
||||
where uuid = old.uuid;
|
||||
|
@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
|
||||
returns boolean
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
|
||||
return rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
@ -45,7 +45,7 @@ create or replace function rbac.hasGlobalPermission(op rbac.RbacOp)
|
||||
$$
|
||||
-- TODO.perf: this could to be optimized
|
||||
select (select uuid from rbac.global) in
|
||||
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids()));
|
||||
(select rbac.queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids()));
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
@ -94,7 +94,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -110,7 +110,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -143,7 +143,7 @@ begin
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into test_customer values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger test_customer_insert_permission_check_tg
|
||||
|
@ -110,11 +110,11 @@ begin
|
||||
|
||||
if NEW.customerUuid <> OLD.customerUuid then
|
||||
|
||||
call revokeRoleFromRole(testPackageOWNER(OLD), testCustomerADMIN(oldCustomer));
|
||||
call grantRoleToRole(testPackageOWNER(NEW), testCustomerADMIN(newCustomer));
|
||||
call rbac.revokeRoleFromRole(testPackageOWNER(OLD), testCustomerADMIN(oldCustomer));
|
||||
call rbac.grantRoleToRole(testPackageOWNER(NEW), testCustomerADMIN(newCustomer));
|
||||
|
||||
call revokeRoleFromRole(testCustomerTENANT(oldCustomer), testPackageTENANT(OLD));
|
||||
call grantRoleToRole(testCustomerTENANT(newCustomer), testPackageTENANT(NEW));
|
||||
call rbac.revokeRoleFromRole(testCustomerTENANT(oldCustomer), testPackageTENANT(OLD));
|
||||
call rbac.grantRoleToRole(testCustomerTENANT(newCustomer), testPackageTENANT(NEW));
|
||||
|
||||
end if;
|
||||
|
||||
@ -159,7 +159,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM test_customer
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
|
||||
testCustomerADMIN(row));
|
||||
END LOOP;
|
||||
@ -175,7 +175,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
||||
testCustomerADMIN(NEW));
|
||||
-- end.
|
||||
@ -203,12 +203,12 @@ declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.customerUuid
|
||||
if hasInsertPermission(NEW.customerUuid, 'test_package') then
|
||||
if rbac.hasInsertPermission(NEW.customerUuid, 'test_package') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into test_package values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger test_package_insert_permission_check_tg
|
||||
|
@ -106,14 +106,14 @@ begin
|
||||
|
||||
if NEW.packageUuid <> OLD.packageUuid then
|
||||
|
||||
call revokeRoleFromRole(testDomainOWNER(OLD), testPackageADMIN(oldPackage));
|
||||
call grantRoleToRole(testDomainOWNER(NEW), testPackageADMIN(newPackage));
|
||||
call rbac.revokeRoleFromRole(testDomainOWNER(OLD), testPackageADMIN(oldPackage));
|
||||
call rbac.grantRoleToRole(testDomainOWNER(NEW), testPackageADMIN(newPackage));
|
||||
|
||||
call revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainOWNER(OLD));
|
||||
call grantRoleToRole(testPackageTENANT(newPackage), testDomainOWNER(NEW));
|
||||
call rbac.revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainOWNER(OLD));
|
||||
call rbac.grantRoleToRole(testPackageTENANT(newPackage), testDomainOWNER(NEW));
|
||||
|
||||
call revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainADMIN(OLD));
|
||||
call grantRoleToRole(testPackageTENANT(newPackage), testDomainADMIN(NEW));
|
||||
call rbac.revokeRoleFromRole(testPackageTENANT(oldPackage), testDomainADMIN(OLD));
|
||||
call rbac.grantRoleToRole(testPackageTENANT(newPackage), testDomainADMIN(NEW));
|
||||
|
||||
end if;
|
||||
|
||||
@ -158,7 +158,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM test_package
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
|
||||
testPackageADMIN(row));
|
||||
END LOOP;
|
||||
@ -174,7 +174,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
||||
testPackageADMIN(NEW));
|
||||
-- end.
|
||||
@ -202,12 +202,12 @@ declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.packageUuid
|
||||
if hasInsertPermission(NEW.packageUuid, 'test_domain') then
|
||||
if rbac.hasInsertPermission(NEW.packageUuid, 'test_domain') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into test_domain values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger test_domain_insert_permission_check_tg
|
||||
|
@ -14,7 +14,7 @@ declare
|
||||
postalAddr varchar;
|
||||
emailAddr varchar;
|
||||
begin
|
||||
emailAddr = 'contact-admin@' || cleanIdentifier(contCaption) || '.example.com';
|
||||
emailAddr = 'contact-admin@' || base.cleanIdentifier(contCaption) || '.example.com';
|
||||
call base.defineContext('creating contact test-data');
|
||||
perform rbac.create_subject(emailAddr);
|
||||
call base.defineContext('creating contact test-data', null, emailAddr);
|
||||
|
@ -20,7 +20,7 @@ declare
|
||||
emailAddr varchar;
|
||||
begin
|
||||
fullName := concat_ws(', ', newTradeName, newFamilyName, newGivenName);
|
||||
emailAddr = 'person-' || left(cleanIdentifier(fullName), 32) || '@example.com';
|
||||
emailAddr = 'person-' || left(base.cleanIdentifier(fullName), 32) || '@example.com';
|
||||
call base.defineContext('creating person test-data');
|
||||
perform rbac.create_subject(emailAddr);
|
||||
call base.defineContext('creating person test-data', null, emailAddr);
|
||||
|
@ -78,12 +78,12 @@ begin
|
||||
);
|
||||
|
||||
IF NEW.type = 'REPRESENTATIVE' THEN
|
||||
call grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW));
|
||||
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
||||
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
|
||||
call rbac.grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
|
||||
ELSE
|
||||
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
|
||||
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
||||
END IF;
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
@ -168,7 +168,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_office_person
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
||||
hsOfficePersonADMIN(row));
|
||||
END LOOP;
|
||||
@ -184,7 +184,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
||||
hsOfficePersonADMIN(NEW));
|
||||
-- end.
|
||||
@ -212,12 +212,12 @@ declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.anchorUuid
|
||||
if hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
|
||||
if rbac.hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
|
||||
currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_relation_insert_permission_check_tg
|
||||
|
@ -22,7 +22,7 @@ declare
|
||||
contact hs_office_contact;
|
||||
|
||||
begin
|
||||
idName := cleanIdentifier( anchorPersonName || '-' || holderPersonName);
|
||||
idName := base.cleanIdentifier( anchorPersonName || '-' || holderPersonName);
|
||||
|
||||
select p.*
|
||||
into anchorPerson
|
||||
|
@ -42,12 +42,12 @@ begin
|
||||
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -110,23 +110,23 @@ begin
|
||||
|
||||
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
|
||||
end if;
|
||||
|
||||
@ -171,7 +171,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -187,7 +187,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -220,7 +220,7 @@ begin
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_partner_insert_permission_check_tg
|
||||
|
@ -75,7 +75,7 @@ begin
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -91,7 +91,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -124,7 +124,7 @@ begin
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_partner_details values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_partner_details_insert_permission_check_tg
|
||||
|
@ -21,7 +21,7 @@ declare
|
||||
relatedPerson hs_office_person;
|
||||
relatedDetailsUuid uuid;
|
||||
begin
|
||||
idName := cleanIdentifier( partnerPersonName|| '-' || contactCaption);
|
||||
idName := base.cleanIdentifier( partnerPersonName|| '-' || contactCaption);
|
||||
|
||||
select p.* from hs_office_person p
|
||||
where p.tradeName = mandantTradeName
|
||||
|
@ -13,7 +13,7 @@ create or replace procedure createHsOfficeBankAccountTestData(givenHolder varcha
|
||||
declare
|
||||
emailAddr varchar;
|
||||
begin
|
||||
emailAddr = 'bankaccount-admin@' || cleanIdentifier(givenHolder) || '.example.com';
|
||||
emailAddr = 'bankaccount-admin@' || base.cleanIdentifier(givenHolder) || '.example.com';
|
||||
perform rbac.create_subject(emailAddr);
|
||||
call base.defineContext('creating bankaccount test-data', null, emailAddr);
|
||||
|
||||
|
@ -51,15 +51,15 @@ begin
|
||||
|
||||
SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
|
||||
|
||||
call grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel));
|
||||
call grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount));
|
||||
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
|
||||
call rbac.grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call rbac.grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -144,7 +144,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -160,7 +160,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -193,7 +193,7 @@ begin
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_debitor values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_debitor_insert_permission_check_tg
|
||||
|
@ -20,7 +20,7 @@ declare
|
||||
relatedDebitorRelUuid uuid;
|
||||
relatedBankAccountUuid uuid;
|
||||
begin
|
||||
idName := cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactCaption);
|
||||
idName := base.cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactCaption);
|
||||
|
||||
select debitorRel.uuid
|
||||
into relatedDebitorRelUuid
|
||||
|
@ -119,7 +119,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_office_relation
|
||||
WHERE type = 'DEBITOR'
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
hsOfficeRelationADMIN(row));
|
||||
END LOOP;
|
||||
@ -135,7 +135,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_
|
||||
strict as $$
|
||||
begin
|
||||
if NEW.type = 'DEBITOR' then
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
hsOfficeRelationADMIN(NEW));
|
||||
end if;
|
||||
@ -169,12 +169,12 @@ begin
|
||||
WHERE debitor.uuid = NEW.debitorUuid
|
||||
);
|
||||
assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL';
|
||||
if hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
|
||||
if rbac.hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_sepamandate values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_sepamandate_insert_permission_check_tg
|
||||
|
@ -106,7 +106,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -122,7 +122,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -155,7 +155,7 @@ begin
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_membership values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_membership_insert_permission_check_tg
|
||||
|
@ -38,8 +38,8 @@ begin
|
||||
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -82,7 +82,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_office_membership
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||
hsOfficeMembershipADMIN(row));
|
||||
END LOOP;
|
||||
@ -98,7 +98,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||
hsOfficeMembershipADMIN(NEW));
|
||||
-- end.
|
||||
@ -126,12 +126,12 @@ declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.membershipUuid
|
||||
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
|
||||
if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_coopsharestransaction values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_coopsharestransaction_insert_permission_check_tg
|
||||
|
@ -38,8 +38,8 @@ begin
|
||||
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -82,7 +82,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_office_membership
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||
hsOfficeMembershipADMIN(row));
|
||||
END LOOP;
|
||||
@ -98,7 +98,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||
hsOfficeMembershipADMIN(NEW));
|
||||
-- end.
|
||||
@ -126,12 +126,12 @@ declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.membershipUuid
|
||||
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
|
||||
if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_office_coopassetstransaction values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_coopassetstransaction_insert_permission_check_tg
|
||||
|
@ -70,7 +70,7 @@ begin
|
||||
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||||
);
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -113,7 +113,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_office_relation
|
||||
WHERE type = 'DEBITOR'
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
|
||||
hsOfficeRelationADMIN(row));
|
||||
END LOOP;
|
||||
@ -129,7 +129,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
|
||||
strict as $$
|
||||
begin
|
||||
if NEW.type = 'DEBITOR' then
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
|
||||
hsOfficeRelationADMIN(NEW));
|
||||
end if;
|
||||
@ -163,12 +163,12 @@ begin
|
||||
WHERE debitor.uuid = NEW.debitorUuid
|
||||
);
|
||||
assert superObjectUuid is not null, 'object uuid fetched depending on hs_booking_project.debitorUuid must not be null, also check fetchSql in RBAC DSL';
|
||||
if hasInsertPermission(superObjectUuid, 'hs_booking_project') then
|
||||
if rbac.hasInsertPermission(superObjectUuid, 'hs_booking_project') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_booking_project values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_booking_project_insert_permission_check_tg
|
||||
@ -184,7 +184,7 @@ create trigger hs_booking_project_insert_permission_check_tg
|
||||
|
||||
call rbac.generateRbacIdentityViewFromQuery('hs_booking_project',
|
||||
$idName$
|
||||
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
|
||||
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || base.cleanIdentifier(bookingProject.caption) as idName
|
||||
FROM hs_booking_project bookingProject
|
||||
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
|
||||
$idName$);
|
||||
|
@ -69,7 +69,7 @@ begin
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -112,7 +112,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -128,7 +128,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -155,7 +155,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_booking_project
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(row));
|
||||
END LOOP;
|
||||
@ -171,7 +171,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(NEW));
|
||||
-- end.
|
||||
@ -198,7 +198,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingItemADMIN(NEW));
|
||||
-- end.
|
||||
@ -230,16 +230,16 @@ begin
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
||||
if hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
|
||||
if rbac.hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.parentItemUuid
|
||||
if hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
|
||||
if rbac.hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_booking_item_insert_permission_check_tg
|
||||
|
@ -69,7 +69,7 @@ begin
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -112,7 +112,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
@ -128,7 +128,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
@ -155,7 +155,7 @@ do language plpgsql $$
|
||||
FOR row IN SELECT * FROM hs_booking_project
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(row));
|
||||
END LOOP;
|
||||
@ -171,7 +171,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(NEW));
|
||||
-- end.
|
||||
@ -198,7 +198,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingItemADMIN(NEW));
|
||||
-- end.
|
||||
@ -230,16 +230,16 @@ begin
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
||||
if hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
|
||||
if rbac.hasInsertPermission(NEW.projectUuid, 'hs_booking_item') then
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.parentItemUuid
|
||||
if hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
|
||||
if rbac.hasInsertPermission(NEW.parentItemUuid, 'hs_booking_item') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_booking_item values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
NEW, rbac.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_booking_item_insert_permission_check_tg
|
||||
|
Loading…
Reference in New Issue
Block a user