introduce separate database-schemas base+rbac #103
@ -606,7 +606,7 @@ We have tested two variants of the query for the restricted view,
both utilizing a PostgreSQL function like this:
FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
requiredOp RbacOp,
requiredOp rbac.RbacOp,
forObjectTable varchar,
subjectIds uuid[],
maxObjects integer = 16000)
@ -156,6 +156,7 @@ begin
end if;
return old;
end; $$;
--//
-- ============================================================================
@ -173,6 +174,12 @@ create table rbac.role
);
call base.create_journal('rbac.role');
--//
-- ============================================================================
--changeset rbac-base-ROLE-DESCRIPTOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create type rbac.RoleDescriptor as
(
@ -196,8 +203,7 @@ create or replace function rbac.unassumed()
select false;
$$;
create or replace function roleDescriptor(
create or replace function rbac.roleDescriptorOf(
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
returns rbac.RoleDescriptor
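Review bot: The rename on the new side, `create or replace function rbac.roleDescriptorOf(`, creates a new function and leaves the previous unqualified `roleDescriptor(...)` in place on any database that already ran the earlier changelog, because `create or replace` only replaces a function with the same schema-qualified signature. Callers that still resolve the old name through `search_path` then keep executing the stale definition instead of failing, which makes the half-migrated state hard to detect. Unless every environment is rebuilt from scratch, drop the old signature ahead of the new definition, e.g. `drop function if exists roleDescriptor(varchar, uuid, rbac.RoleType, boolean);`, and the same applies to the moved `createRole`, `deleteRole`, `findRoleId`, `getRoleId` and `createPermission` in the hunks below. The body of `rbac.roleDescriptorOf` continues outside this hunk.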
@ -207,7 +213,7 @@ create or replace function roleDescriptor(
|
||||
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
|
||||
$$;
|
||||
|
||||
create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
|
||||
create or replace function rbac.createRole(roleDescriptor rbac.RoleDescriptor)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
@ -224,9 +230,14 @@ begin
|
||||
return referenceId;
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
create or replace procedure deleteRole(roleUUid uuid)
|
||||
-- ============================================================================
|
||||
--changeset rbac-base-ROLE-FUNCTIONS:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create or replace procedure rbac.deleteRole(roleUUid uuid)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
--raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid;
|
||||
@ -234,7 +245,7 @@ begin
|
||||
end;
|
||||
$$;
|
||||
|
||||
create or replace function findRoleId(roleIdName varchar)
|
||||
create or replace function rbac.findRoleId(roleIdName varchar)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
@ -246,7 +257,7 @@ declare
|
||||
objectUuidOfRole uuid;
|
||||
roleUuid uuid;
|
||||
begin
|
||||
-- TODO.refa: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences
|
||||
-- TODO.refa: extract function rbac.toRoleDescriptor(roleIdName varchar) + find other occurrences
|
||||
roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':'));
|
||||
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
|
||||
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
|
||||
@ -261,14 +272,14 @@ begin
|
||||
return roleUuid;
|
||||
end; $$;
|
||||
|
||||
create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||
create or replace function rbac.findRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
|
||||
$$;
|
||||
|
||||
create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||
create or replace function rbac.getRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||
returns uuid
|
||||
language plpgsql as $$
|
||||
declare
|
||||
@ -276,13 +287,14 @@ declare
|
||||
begin
|
||||
assert roleDescriptor is not null, 'roleDescriptor must not be null';
|
||||
|
||||
roleUuid := findRoleId(roleDescriptor);
|
||||
roleUuid := rbac.findRoleId(roleDescriptor);
|
||||
if (roleUuid is null) then
|
||||
raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType;
|
||||
end if;
|
||||
return roleUuid;
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -351,10 +363,7 @@ create trigger delete_roles_of_object_tg
|
||||
-- ============================================================================
|
||||
--changeset rbac-base-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
|
||||
*/
|
||||
create domain RbacOp as varchar(6)
|
||||
create domain rbac.RbacOp as varchar(6)
|
||||
check (
|
||||
VALUE = 'DELETE'
|
||||
or VALUE = 'UPDATE'
|
||||
@ -367,7 +376,7 @@ create table rbac.permission
|
||||
(
|
||||
uuid uuid primary key references rbac.reference (uuid) on delete cascade,
|
||||
objectUuid uuid not null references rbac.object,
|
||||
op RbacOp not null,
|
||||
op rbac.RbacOp not null,
|
||||
opTableName varchar(60)
|
||||
);
|
||||
-- TODO.perf: check if these indexes are really useful
|
||||
@ -379,7 +388,7 @@ ALTER TABLE rbac.permission
call base.create_journal('rbac.permission');
create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
create or replace function rbac.createPermission(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
returns uuid
language plpgsql as $$
declare
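Review bot: Only `createPermission` moves into the `rbac` schema here, while `findEffectivePermissionId`, `findPermissionId` and `getPermissionId` in the three hunks below, as well as `hasInsertPermission`, `grantPermissionToRole` and `isGranted`, keep unqualified names even though their signatures now take `rbac.RbacOp`. An unqualified function name is resolved through the session `search_path` at call time, and since `findPermissionId` and `isGranted` are the lookups that access decisions rest on (`hasInsertPermission`, `rbac.isGlobalAdmin`), an unexpected `search_path` would silently change which function answers. Qualifying them in the same commit, `create or replace function rbac.findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)`, keeps the resolution explicit and completes the schema split the commit title describes. The body of `rbac.createPermission` continues outside this hunk.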
@ -415,7 +424,7 @@ begin
|
||||
return permissionUuid;
|
||||
end; $$;
|
||||
|
||||
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
||||
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@ -423,11 +432,11 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
|
||||
select uuid
|
||||
from rbac.permission p
|
||||
where p.objectUuid = forObjectUuid
|
||||
and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT'
|
||||
and (forOp = 'SELECT' or p.op = forOp) -- all other rbac.RbacOp include 'SELECT'
|
||||
and p.opTableName = forOpTableName
|
||||
$$;
|
||||
|
||||
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
||||
create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@ -439,7 +448,7 @@ select uuid
|
||||
and p.opTableName = forOpTableName
|
||||
$$;
|
||||
|
||||
create or replace function getPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
||||
create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
@ -567,7 +576,7 @@ create or replace function hasInsertPermission(objectUuid uuid, tableName text )
|
||||
declare
|
||||
permissionUuid uuid;
|
||||
begin
|
||||
permissionUuid = findPermissionId(objectUuid, 'INSERT'::RbacOp, tableName);
|
||||
permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
|
||||
return permissionUuid is not null;
|
||||
end;
|
||||
$$;
|
||||
@ -602,7 +611,7 @@ $$;
|
||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
|
||||
call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
|
||||
end;
|
||||
$$;
|
||||
|
||||
@ -634,8 +643,8 @@ begin
|
||||
return;
|
||||
end if;
|
||||
|
||||
superRoleId := findRoleId(superRole);
|
||||
subRoleId := findRoleId(subRole);
|
||||
superRoleId := rbac.findRoleId(superRole);
|
||||
subRoleId := rbac.findRoleId(subRole);
|
||||
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||
@ -656,8 +665,8 @@ declare
|
||||
superRoleId uuid;
|
||||
subRoleId uuid;
|
||||
begin
|
||||
superRoleId := findRoleId(superRole);
|
||||
subRoleId := findRoleId(subRole);
|
||||
superRoleId := rbac.findRoleId(superRole);
|
||||
subRoleId := rbac.findRoleId(subRole);
|
||||
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||
@ -678,7 +687,7 @@ declare
|
||||
objectTable text;
|
||||
objectUuid uuid;
|
||||
begin
|
||||
superRoleId := findRoleId(superRole);
|
||||
superRoleId := rbac.findRoleId(superRole);
|
||||
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
||||
@ -705,7 +714,7 @@ end; $$;
*/
create or replace function queryAccessibleObjectUuidsOfSubjectIds(
requiredOp RbacOp,
requiredOp rbac.RbacOp,
forObjectTable varchar,
subjectIds uuid[],
maxObjects integer = 8000)
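Review bot: The default `maxObjects integer = 8000` on this line disagrees with the documentation hunk at the top of this commit, which shows the same `queryAccessibleObjectUuidsOfSubjectIds` signature with `maxObjects integer = 16000`; one of the two is stale and the documented cap should match the code. The function also keeps its unqualified name while its `requiredOp` parameter becomes `rbac.RbacOp`, the same partial move as for the permission lookup functions earlier in the commit. The function body continues outside this hunk.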
@ -344,7 +344,7 @@ grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_
|
||||
which are also visible to the current user or assumed roles.
|
||||
*/
|
||||
create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid)
|
||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
@ -380,13 +380,13 @@ begin
|
||||
end; $$;
|
||||
|
||||
create or replace function rbac.grantedPermissions(targetSubjectUuid uuid)
|
||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||
returns null on null input
|
||||
language sql as $$
|
||||
select * from rbac.grantedPermissionsRaw(targetSubjectUuid)
|
||||
union all
|
||||
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
|
||||
select roleUuid, roleName, permissionUuid, 'SELECT'::rbac.RbacOp, opTableName, objectTable, objectIdName, objectUuid
|
||||
from rbac.grantedPermissionsRaw(targetSubjectUuid)
|
||||
where op <> 'SELECT'::RbacOp;
|
||||
where op <> 'SELECT'::rbac.RbacOp;
|
||||
$$;
|
||||
--//
|
||||
|
@ -8,7 +8,7 @@
|
||||
|
||||
create or replace function rbac.defineRoleWithGrants(
|
||||
roleDescriptor rbac.RoleDescriptor,
|
||||
permissions RbacOp[] = array[]::RbacOp[],
|
||||
permissions rbac.RbacOp[] = array[]::rbac.RbacOp[],
|
||||
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||
subjectUuids uuid[] = array[]::uuid[],
|
||||
@ -19,7 +19,7 @@ create or replace function rbac.defineRoleWithGrants(
|
||||
language plpgsql as $$
|
||||
declare
|
||||
roleUuid uuid;
|
||||
permission RbacOp;
|
||||
permission rbac.RbacOp;
|
||||
permissionUuid uuid;
|
||||
subRoleDesc rbac.RoleDescriptor;
|
||||
superRoleDesc rbac.RoleDescriptor;
|
||||
@ -28,23 +28,23 @@ declare
|
||||
subjectUuid uuid;
|
||||
userGrantsByRoleUuid uuid;
|
||||
begin
|
||||
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
|
||||
roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor));
|
||||
|
||||
foreach permission in array permissions
|
||||
loop
|
||||
permissionUuid := createPermission(roleDescriptor.objectuuid, permission);
|
||||
permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission);
|
||||
call grantPermissionToRole(permissionUuid, roleUuid);
|
||||
end loop;
|
||||
|
||||
foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
|
||||
loop
|
||||
superRoleUuid := getRoleId(superRoleDesc);
|
||||
superRoleUuid := rbac.getRoleId(superRoleDesc);
|
||||
call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
|
||||
end loop;
|
||||
|
||||
foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
|
||||
loop
|
||||
subRoleUuid := getRoleId(subRoleDesc);
|
||||
subRoleUuid := rbac.getRoleId(subRoleDesc);
|
||||
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
||||
end loop;
|
||||
|
||||
@ -53,7 +53,7 @@ begin
|
||||
if grantedByRole is null then
|
||||
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
|
||||
else
|
||||
userGrantsByRoleUuid := getRoleId(grantedByRole);
|
||||
userGrantsByRoleUuid := rbac.getRoleId(grantedByRole);
|
||||
end if;
|
||||
foreach subjectUuid in array subjectUuids
|
||||
loop
|
||||
|
@ -46,7 +46,7 @@ begin
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'OWNER', assumed);
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
|
||||
@ -54,7 +54,7 @@ begin
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'ADMIN', assumed);
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'ADMIN', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
||||
@ -62,7 +62,7 @@ begin
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'AGENT', assumed);
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'AGENT', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
||||
@ -70,7 +70,7 @@ begin
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed);
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'TENANT', assumed);
|
||||
end; $f$;
|
||||
|
||||
-- TODO: remove guest role
|
||||
@ -79,7 +79,7 @@ begin
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed);
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'GUEST', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sReferrer(entity %2$s)
|
||||
@ -87,7 +87,7 @@ begin
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'REFERRER');
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'REFERRER');
|
||||
end; $f$;
|
||||
|
||||
$sql$, prefix, targetTable);
|
||||
|
@ -30,16 +30,16 @@ create or replace function rbac.isGlobalAdmin()
|
||||
returns boolean
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), findRoleId(globalAdmin()));
|
||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--//
|
||||
--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
|
||||
-- ------------------------------------------------------------------
|
||||
|
||||
create or replace function rbac.hasGlobalPermission(op RbacOp)
|
||||
create or replace function rbac.hasGlobalPermission(op rbac.RbacOp)
|
||||
returns boolean
|
||||
language sql as
|
||||
$$
|
||||
@ -87,7 +87,7 @@ $$;
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
@ -104,7 +104,7 @@ commit;
-- ============================================================================
--changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--//
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A rbac.Global administrator role.
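Review bot: Renaming the changeset id from `rbac-rbac.Global-ADMIN-ROLE:1` to `rbac-global-ADMIN-ROLE:1` changes the identity Liquibase records in its changelog table, so on a database that already applied the old id the renamed changeset is treated as new and executes again; its body in the next hunk, `select rbac.createRole(globalAdmin());`, is not written to be re-run. The same rename is made for `PSEUDO-OBJECT` in the hunk above and for `GUEST-ROLE`, `ADMIN-USERS` and `TEST` below, where `rbac.createRole(globalGuest())` and the `rbac.create_subject(...)` calls would likewise run a second time. If existing databases are always rebuilt from scratch this is harmless; otherwise keep the old ids, or guard the renamed changesets with a precondition such as `--preconditions onFail:MARK_RAN`. The comment text `A rbac.Global administrator role.` still carries the old spelling that the id rename moves away from.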
@ -119,13 +119,13 @@ $$;
|
||||
|
||||
begin transaction;
|
||||
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||
select createRole(globalAdmin());
|
||||
select rbac.createRole(globalAdmin());
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--//
|
||||
--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
A rbac.Global guest role.
|
||||
@ -140,13 +140,13 @@ $$;
|
||||
|
||||
begin transaction;
|
||||
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
||||
select createRole(globalGuest());
|
||||
select rbac.createRole(globalGuest());
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Create two users and assign both to the administrators' role.
|
||||
@ -157,7 +157,7 @@ do language plpgsql $$
|
||||
begin
|
||||
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
||||
|
||||
admins = findRoleId(globalAdmin());
|
||||
admins = rbac.findRoleId(globalAdmin());
|
||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
||||
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
||||
@ -168,7 +168,7 @@ $$;
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
|
@ -95,7 +95,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||
globalADMIN());
|
||||
|
||||
END LOOP;
|
||||
end;
|
||||
@ -111,7 +111,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -41,8 +41,8 @@ begin
|
||||
select * into newCust
|
||||
from test_customer where reference=custReference;
|
||||
call rbac.grantRoleToSubject(
|
||||
getRoleId(testCustomerOwner(newCust)),
|
||||
getRoleId(testCustomerAdmin(newCust)),
|
||||
rbac.getRoleId(testCustomerOwner(newCust)),
|
||||
rbac.getRoleId(testCustomerAdmin(newCust)),
|
||||
custAdminUuid,
|
||||
true);
|
||||
end; $$;
|
||||
|
@ -160,7 +160,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'test_package'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
|
||||
testCustomerADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -176,7 +176,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
||||
testCustomerADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -30,8 +30,8 @@ begin
|
||||
returning * into pac;
|
||||
|
||||
call rbac.grantRoleToSubject(
|
||||
getRoleId(testCustomerAdmin(cust)),
|
||||
findRoleId(testPackageAdmin(pac)),
|
||||
rbac.getRoleId(testCustomerAdmin(cust)),
|
||||
rbac.findRoleId(testPackageAdmin(pac)),
|
||||
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
||||
true);
|
||||
|
||||
|
@ -159,7 +159,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'test_domain'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
|
||||
testPackageADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -175,7 +175,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
||||
testPackageADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -169,7 +169,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
||||
hsOfficePersonADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -185,7 +185,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
||||
hsOfficePersonADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -42,12 +42,12 @@ begin
|
||||
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -111,22 +111,22 @@ begin
|
||||
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
|
||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||
|
||||
end if;
|
||||
|
||||
@ -172,7 +172,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
@ -188,7 +188,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -76,7 +76,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
@ -92,7 +92,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -57,9 +57,9 @@ begin
|
||||
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
|
||||
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -145,7 +145,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
@ -161,7 +161,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -120,7 +120,7 @@ do language plpgsql $$
|
||||
WHERE type = 'DEBITOR'
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
hsOfficeRelationADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -136,7 +136,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_
|
||||
begin
|
||||
if NEW.type = 'DEBITOR' then
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
hsOfficeRelationADMIN(NEW));
|
||||
end if;
|
||||
return NEW;
|
||||
|
@ -107,7 +107,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
@ -123,7 +123,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -38,8 +38,8 @@ begin
|
||||
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -83,7 +83,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||
hsOfficeMembershipADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -99,7 +99,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||
hsOfficeMembershipADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -38,8 +38,8 @@ begin
|
||||
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -83,7 +83,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||
hsOfficeMembershipADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -99,7 +99,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||
hsOfficeMembershipADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -70,7 +70,7 @@ begin
|
||||
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||||
);
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
||||
WHERE type = 'DEBITOR'
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
|
||||
hsOfficeRelationADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -130,7 +130,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
|
||||
begin
|
||||
if NEW.type = 'DEBITOR' then
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
|
||||
hsOfficeRelationADMIN(NEW));
|
||||
end if;
|
||||
return NEW;
|
||||
|
@ -69,7 +69,7 @@ begin
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -113,7 +113,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
@ -156,7 +156,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingItemADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
@ -69,7 +69,7 @@ begin
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -113,7 +113,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
@ -156,7 +156,7 @@ do language plpgsql $$
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingProjectADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
hsBookingItemADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
|
globalAdmin statt globalADMIN?
ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe