introduce separate database-schemas base+rbac #103
@ -606,7 +606,7 @@ We have tested two variants of the query for the restricted view,
both utilizing a PostgreSQL function like this:
|
both utilizing a PostgreSQL function like this:
|
||||||
|
|
||||||
FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
|
FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
|
||||||
requiredOp RbacOp,
|
requiredOp rbac.RbacOp,
|
||||||
forObjectTable varchar,
|
forObjectTable varchar,
|
||||||
subjectIds uuid[],
|
subjectIds uuid[],
|
||||||
maxObjects integer = 16000)
|
maxObjects integer = 16000)
|
||||||
|
@ -156,6 +156,7 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
return old;
|
return old;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -166,13 +167,19 @@ create type rbac.RoleType as enum ('OWNER', 'ADMIN', 'AGENT', 'TENANT', 'GUEST',
|
|||||||
|
|
||||||
create table rbac.role
|
create table rbac.role
|
||||||
(
|
(
|
||||||
uuid uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred
|
uuid uuid primary key references rbac.reference (uuid) on delete cascade initially deferred, -- initially deferred
|
||||||
objectUuid uuid not null references rbac.object (uuid) initially deferred,
|
objectUuid uuid not null references rbac.object (uuid) initially deferred,
|
||||||
roleType rbac.RoleType not null,
|
roleType rbac.RoleType not null,
|
||||||
unique (objectUuid, roleType)
|
unique (objectUuid, roleType)
|
||||||
);
|
);
|
||||||
|
|
||||||
call base.create_journal('rbac.role');
|
call base.create_journal('rbac.role');
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset rbac-base-ROLE-DESCRIPTOR:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create type rbac.RoleDescriptor as
|
create type rbac.RoleDescriptor as
|
||||||
(
|
(
|
||||||
@ -196,8 +203,7 @@ create or replace function rbac.unassumed()
|
|||||||
select false;
|
select false;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
|
create or replace function rbac.roleDescriptorOf(
|
||||||
create or replace function roleDescriptor(
|
|
||||||
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
|
objectTable varchar(63), objectUuid uuid, roleType rbac.RoleType,
|
||||||
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
|
assumed boolean = true) -- just for DSL readability, belongs actually to the grant
|
||||||
returns rbac.RoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
@ -207,7 +213,7 @@ create or replace function roleDescriptor(
|
|||||||
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
|
select objectTable, objectUuid, roleType::rbac.RoleType, assumed;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function createRole(roleDescriptor rbac.RoleDescriptor)
|
create or replace function rbac.createRole(roleDescriptor rbac.RoleDescriptor)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -224,9 +230,14 @@ begin
|
|||||||
return referenceId;
|
return referenceId;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
create or replace procedure deleteRole(roleUUid uuid)
|
-- ============================================================================
|
||||||
|
--changeset rbac-base-ROLE-FUNCTIONS:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
create or replace procedure rbac.deleteRole(roleUUid uuid)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
--raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid;
|
--raise exception '% deleting role uuid %', rbac.currentSubjectOrAssumedRolesUuids(), roleUUid;
|
||||||
@ -234,7 +245,7 @@ begin
|
|||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function findRoleId(roleIdName varchar)
|
create or replace function rbac.findRoleId(roleIdName varchar)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -246,7 +257,7 @@ declare
|
|||||||
objectUuidOfRole uuid;
|
objectUuidOfRole uuid;
|
||||||
roleUuid uuid;
|
roleUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- TODO.refa: extract function toRbacRoleDescriptor(roleIdName varchar) + find other occurrences
|
-- TODO.refa: extract function rbac.toRoleDescriptor(roleIdName varchar) + find other occurrences
|
||||||
roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':'));
|
roleParts = overlay(roleIdName placing '#' from length(roleIdName) + 1 - strpos(reverse(roleIdName), ':'));
|
||||||
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
|
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
|
||||||
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
|
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
|
||||||
@ -261,14 +272,14 @@ begin
|
|||||||
return roleUuid;
|
return roleUuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function findRoleId(roleDescriptor rbac.RoleDescriptor)
|
create or replace function rbac.findRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
|
select uuid from rbac.role where objectUuid = roleDescriptor.objectUuid and roleType = roleDescriptor.roleType;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function getRoleId(roleDescriptor rbac.RoleDescriptor)
|
create or replace function rbac.getRoleId(roleDescriptor rbac.RoleDescriptor)
|
||||||
returns uuid
|
returns uuid
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
@ -276,13 +287,14 @@ declare
|
|||||||
begin
|
begin
|
||||||
assert roleDescriptor is not null, 'roleDescriptor must not be null';
|
assert roleDescriptor is not null, 'roleDescriptor must not be null';
|
||||||
|
|
||||||
roleUuid := findRoleId(roleDescriptor);
|
roleUuid := rbac.findRoleId(roleDescriptor);
|
||||||
if (roleUuid is null) then
|
if (roleUuid is null) then
|
||||||
raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType;
|
raise exception 'rbac.role "%#%.%" not found', roleDescriptor.objectTable, roleDescriptor.objectUuid, roleDescriptor.roleType;
|
||||||
end if;
|
end if;
|
||||||
return roleUuid;
|
return roleUuid;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -351,10 +363,7 @@ create trigger delete_roles_of_object_tg
|
|||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-base-PERMISSION:1 endDelimiter:--//
|
--changeset rbac-base-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
create domain rbac.RbacOp as varchar(6)
|
||||||
|
|
||||||
*/
|
|
||||||
create domain RbacOp as varchar(6)
|
|
||||||
check (
|
check (
|
||||||
VALUE = 'DELETE'
|
VALUE = 'DELETE'
|
||||||
or VALUE = 'UPDATE'
|
or VALUE = 'UPDATE'
|
||||||
@ -367,7 +376,7 @@ create table rbac.permission
|
|||||||
(
|
(
|
||||||
uuid uuid primary key references rbac.reference (uuid) on delete cascade,
|
uuid uuid primary key references rbac.reference (uuid) on delete cascade,
|
||||||
objectUuid uuid not null references rbac.object,
|
objectUuid uuid not null references rbac.object,
|
||||||
op RbacOp not null,
|
op rbac.RbacOp not null,
|
||||||
opTableName varchar(60)
|
opTableName varchar(60)
|
||||||
);
|
);
|
||||||
-- TODO.perf: check if these indexes are really useful
|
-- TODO.perf: check if these indexes are really useful
|
||||||
@ -379,7 +388,7 @@ ALTER TABLE rbac.permission
|
|||||||
|
|
||||||
call base.create_journal('rbac.permission');
|
call base.create_journal('rbac.permission');
|
||||||
|
|
||||||
create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
create or replace function rbac.createPermission(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||||
returns uuid
|
returns uuid
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
@ -415,7 +424,7 @@ begin
|
|||||||
return permissionUuid;
|
return permissionUuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
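Review bot: The `forOpTableName text = null` default on `findEffectivePermissionId` can never lead to a successful lookup, because `returns null on null input` makes the function return null as soon as that argument is null, and even without that clause the body's `p.opTableName = forOpTableName` (next hunk, `@ -423,11 +432,11 @@`) never matches a null column. `findPermissionId` (declared in `@ -423,11 +432,11 @@`, body tail in `@ -439,7 +448,7 @@`) re-declares the same combination, so a permission created via `rbac.createPermission(uuid, op)` without a table name (presumably stored as null) is only ever looked up by callers that pass null, and they get null back. If permissions without a table name are meant to be findable, drop `returns null on null input` and compare with `p.opTableName is not distinct from forOpTableName`; if not, drop the `= null` default so callers must name the table. This predates the schema move, but the commit rewrites both signatures; `hasInsertPermission` (`@ -567,7 +576,7 @@`) maps the null result to false, so the current behaviour fails closed but silently.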
@ -423,11 +432,11 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
|
|||||||
select uuid
|
select uuid
|
||||||
from rbac.permission p
|
from rbac.permission p
|
||||||
where p.objectUuid = forObjectUuid
|
where p.objectUuid = forObjectUuid
|
||||||
and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT'
|
and (forOp = 'SELECT' or p.op = forOp) -- all other rbac.RbacOp include 'SELECT'
|
||||||
and p.opTableName = forOpTableName
|
and p.opTableName = forOpTableName
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
create or replace function findPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
@ -439,7 +448,7 @@ select uuid
|
|||||||
and p.opTableName = forOpTableName
|
and p.opTableName = forOpTableName
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
create or replace function getPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
create or replace function getPermissionId(forObjectUuid uuid, forOp rbac.RbacOp, forOpTableName text = null)
|
||||||
returns uuid
|
returns uuid
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -567,7 +576,7 @@ create or replace function hasInsertPermission(objectUuid uuid, tableName text )
|
|||||||
declare
|
declare
|
||||||
permissionUuid uuid;
|
permissionUuid uuid;
|
||||||
begin
|
begin
|
||||||
permissionUuid = findPermissionId(objectUuid, 'INSERT'::RbacOp, tableName);
|
permissionUuid = findPermissionId(objectUuid, 'INSERT'::rbac.RbacOp, tableName);
|
||||||
return permissionUuid is not null;
|
return permissionUuid is not null;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -602,7 +611,7 @@ $$;
|
|||||||
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
create or replace procedure grantPermissionToRole(permissionUuid uuid, roleDesc rbac.RoleDescriptor)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
call grantPermissionToRole(permissionUuid, findRoleId(roleDesc));
|
call grantPermissionToRole(permissionUuid, rbac.findRoleId(roleDesc));
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
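Review bot: `grantPermissionToRole(permissionUuid, roleDesc)` resolves the role with `rbac.findRoleId`, which is a plain `select` that yields null when no such role exists (`@ -261,14 +272,14 @@`), whereas `rbac.getRoleId` raises `rbac.role "%#%.%" not found`; a missing role therefore reaches the inner `grantPermissionToRole(permissionUuid, null)` and fails later, if at all. The same choice appears in the grantRoleToRole hunks `@ -634,8 +643,8 @@`, `@ -656,8 +665,8 @@` and `@ -678,7 +687,7 @@` (there followed by `rbac.assertReferenceType`, whose handling of a null uuid is not visible on this page), in `admins = rbac.findRoleId(globalAdmin());` (`@ -157,7 +157,7 @@`) and in `rbac.findRoleId(testPackageAdmin(pac))` next to a `rbac.getRoleId(...)` in the same call (`@ -30,8 +30,8 @@`). Unless a null role is intentionally tolerated at these call sites, `rbac.getRoleId(roleDesc)` gives the earlier and clearer failure; where it is intentional, a comment such as `-- findRoleId: a missing role is tolerated here` would document it.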
@ -634,8 +643,8 @@ begin
|
|||||||
return;
|
return;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
superRoleId := findRoleId(superRole);
|
superRoleId := rbac.findRoleId(superRole);
|
||||||
subRoleId := findRoleId(subRole);
|
subRoleId := rbac.findRoleId(subRole);
|
||||||
|
|
||||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||||
@ -656,8 +665,8 @@ declare
|
|||||||
superRoleId uuid;
|
superRoleId uuid;
|
||||||
subRoleId uuid;
|
subRoleId uuid;
|
||||||
begin
|
begin
|
||||||
superRoleId := findRoleId(superRole);
|
superRoleId := rbac.findRoleId(superRole);
|
||||||
subRoleId := findRoleId(subRole);
|
subRoleId := rbac.findRoleId(subRole);
|
||||||
|
|
||||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||||
@ -678,7 +687,7 @@ declare
|
|||||||
objectTable text;
|
objectTable text;
|
||||||
objectUuid uuid;
|
objectUuid uuid;
|
||||||
begin
|
begin
|
||||||
superRoleId := findRoleId(superRole);
|
superRoleId := rbac.findRoleId(superRole);
|
||||||
|
|
||||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'rbac.role');
|
||||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
||||||
@ -705,7 +714,7 @@ end; $$;
|
|||||||
|
|
||||||
*/
|
*/
|
||||||
create or replace function queryAccessibleObjectUuidsOfSubjectIds(
|
create or replace function queryAccessibleObjectUuidsOfSubjectIds(
|
||||||
requiredOp RbacOp,
|
requiredOp rbac.RbacOp,
|
||||||
forObjectTable varchar,
|
forObjectTable varchar,
|
||||||
subjectIds uuid[],
|
subjectIds uuid[],
|
||||||
maxObjects integer = 8000)
|
maxObjects integer = 8000)
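Review bot: The default `maxObjects integer = 8000` of `queryAccessibleObjectUuidsOfSubjectIds` disagrees with the documentation hunk `@ -606,7 +606,7 @@` at the top of this page, which quotes the same signature with `maxObjects integer = 16000`; both lines are touched by this commit, so one of them should be corrected now. The function also keeps its unqualified name while its `requiredOp` parameter moves to `rbac.RbacOp`, so the function and its parameter type now live in different schemas; if that is intended for this step, a comment on the signature such as `-- TODO: move into the rbac schema with the other permission functions` would make the remaining work visible. The function body is outside the hunk.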
|
@ -344,7 +344,7 @@ grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_
|
|||||||
which are also visible to the current user or assumed roles.
|
which are also visible to the current user or assumed roles.
|
||||||
*/
|
*/
|
||||||
create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid)
|
create or replace function rbac.grantedPermissionsRaw(targetSubjectUuid uuid)
|
||||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
@ -380,13 +380,13 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function rbac.grantedPermissions(targetSubjectUuid uuid)
|
create or replace function rbac.grantedPermissions(targetSubjectUuid uuid)
|
||||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op rbac.RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select * from rbac.grantedPermissionsRaw(targetSubjectUuid)
|
select * from rbac.grantedPermissionsRaw(targetSubjectUuid)
|
||||||
union all
|
union all
|
||||||
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
|
select roleUuid, roleName, permissionUuid, 'SELECT'::rbac.RbacOp, opTableName, objectTable, objectIdName, objectUuid
|
||||||
from rbac.grantedPermissionsRaw(targetSubjectUuid)
|
from rbac.grantedPermissionsRaw(targetSubjectUuid)
|
||||||
where op <> 'SELECT'::RbacOp;
|
where op <> 'SELECT'::rbac.RbacOp;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
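Review bot: `rbac.grantedPermissions` derives a `'SELECT'::rbac.RbacOp` row for every non-SELECT permission with `union all`, so if the raw result already contains an explicit SELECT permission on the same object (next to, say, an UPDATE permission) the function returns two identical SELECT rows; `union all` does not remove them. If consumers (the `own_granted_permissions_rv` view named in the hunk header, or anything counting rows) expect one row per effective permission, either use `union` here or filter the derived branch with `not exists` against the explicit rows; if duplicates are acceptable, a comment `-- may return a SELECT row twice; callers must not rely on uniqueness` on the second branch would document that. The `returns table(...)` column list is also repeated verbatim between `grantedPermissionsRaw` and `grantedPermissions`, which is where the two will drift apart on the next schema change.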
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
create or replace function rbac.defineRoleWithGrants(
|
create or replace function rbac.defineRoleWithGrants(
|
||||||
roleDescriptor rbac.RoleDescriptor,
|
roleDescriptor rbac.RoleDescriptor,
|
||||||
permissions RbacOp[] = array[]::RbacOp[],
|
permissions rbac.RbacOp[] = array[]::rbac.RbacOp[],
|
||||||
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
incomingSuperRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||||
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
outgoingSubRoles rbac.RoleDescriptor[] = array[]::rbac.RoleDescriptor[],
|
||||||
subjectUuids uuid[] = array[]::uuid[],
|
subjectUuids uuid[] = array[]::uuid[],
|
||||||
@ -19,7 +19,7 @@ create or replace function rbac.defineRoleWithGrants(
|
|||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
roleUuid uuid;
|
roleUuid uuid;
|
||||||
permission RbacOp;
|
permission rbac.RbacOp;
|
||||||
permissionUuid uuid;
|
permissionUuid uuid;
|
||||||
subRoleDesc rbac.RoleDescriptor;
|
subRoleDesc rbac.RoleDescriptor;
|
||||||
superRoleDesc rbac.RoleDescriptor;
|
superRoleDesc rbac.RoleDescriptor;
|
||||||
@ -28,23 +28,23 @@ declare
|
|||||||
subjectUuid uuid;
|
subjectUuid uuid;
|
||||||
userGrantsByRoleUuid uuid;
|
userGrantsByRoleUuid uuid;
|
||||||
begin
|
begin
|
||||||
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
|
roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor));
|
||||||
|
|
||||||
foreach permission in array permissions
|
foreach permission in array permissions
|
||||||
loop
|
loop
|
||||||
permissionUuid := createPermission(roleDescriptor.objectuuid, permission);
|
permissionUuid := rbac.createPermission(roleDescriptor.objectuuid, permission);
|
||||||
call grantPermissionToRole(permissionUuid, roleUuid);
|
call grantPermissionToRole(permissionUuid, roleUuid);
|
||||||
end loop;
|
end loop;
|
||||||
|
|
||||||
foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
|
foreach superRoleDesc in array array_remove(incomingSuperRoles, null)
|
||||||
loop
|
loop
|
||||||
superRoleUuid := getRoleId(superRoleDesc);
|
superRoleUuid := rbac.getRoleId(superRoleDesc);
|
||||||
call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
|
call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed);
|
||||||
end loop;
|
end loop;
|
||||||
|
|
||||||
foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
|
foreach subRoleDesc in array array_remove(outgoingSubRoles, null)
|
||||||
loop
|
loop
|
||||||
subRoleUuid := getRoleId(subRoleDesc);
|
subRoleUuid := rbac.getRoleId(subRoleDesc);
|
||||||
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
||||||
end loop;
|
end loop;
|
||||||
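Review bot: `rbac.defineRoleWithGrants` now mixes schema-qualified calls (`rbac.findRoleId`, `rbac.createRole`, `rbac.createPermission`, `rbac.getRoleId`) with unqualified ones (`grantPermissionToRole`, `grantRoleToRole`), and unqualified names are resolved through the caller's `search_path` every time the function runs, so the outcome depends on the session setting rather than on this file. The same split appears in `hasInsertPermission` (`@ -567,7 +576,7 @@`), `rbac.isGlobalAdmin` (`@ -30,16 +30,16 @@`, `isGranted` and `globalAdmin()`) and the test-table grant loops (`@ -95,7 +95,7 @@`, `@ -111,7 +111,7 @@`, `@ -160,7 +160,7 @@`, `@ -176,7 +176,7 @@`, `@ -159,7 +159,7 @@`, `@ -175,7 +175,7 @@`). Either qualify the remaining names once they are moved, or pin resolution with a `set search_path = ...` clause on the function listing exactly the schemas it needs, so a different session setting cannot redirect the calls. Separately, `roleUuid := coalesce(rbac.findRoleId(roleDescriptor), rbac.createRole(roleDescriptor));` relies on `coalesce` evaluating its arguments lazily so that `createRole` runs only when no role exists, which deserves a comment like `-- coalesce stops at the first non-null: createRole runs only if findRoleId found nothing`. The function continues outside the hunk.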
@ -53,7 +53,7 @@ begin
|
|||||||
if grantedByRole is null then
|
if grantedByRole is null then
|
||||||
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
|
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
|
||||||
else
|
else
|
||||||
userGrantsByRoleUuid := getRoleId(grantedByRole);
|
userGrantsByRoleUuid := rbac.getRoleId(grantedByRole);
|
||||||
end if;
|
end if;
|
||||||
foreach subjectUuid in array subjectUuids
|
foreach subjectUuid in array subjectUuids
|
||||||
loop
|
loop
|
||||||
|
@ -46,7 +46,7 @@ begin
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('%2$s', entity.uuid, 'OWNER', assumed);
|
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed);
|
||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
|
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
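Review bot: The `format()` template embeds the table name with `%2$s` inside a string literal, `rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed)`, and `%s` performs no quoting, so a value containing a quote silently produces a different statement or a syntax error; `rbac.roleDescriptorOf(%2$L, entity.uuid, 'OWNER', assumed)` is the specifier PostgreSQL provides for a literal. As far as this page shows the arguments come from migration code (`$sql$, prefix, targetTable)` at the end of the template), so this is a robustness point rather than an exposure. The identifier positions (`%1$sOwner`, `entity %2$s`) are a separate matter: `%I` would quote a schema-qualified `targetTable` as one identifier, so leave those as they are unless the arguments are validated first. The same literal pattern repeats in the Admin, Agent, Tenant, Guest and Referrer blocks (`@ -54,7 +54,7 @@` through `@ -87,7 +87,7 @@`) and is fixed once in the template.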
@ -54,7 +54,7 @@ begin
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('%2$s', entity.uuid, 'ADMIN', assumed);
|
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'ADMIN', assumed);
|
||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
||||||
@ -62,7 +62,7 @@ begin
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('%2$s', entity.uuid, 'AGENT', assumed);
|
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'AGENT', assumed);
|
||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
||||||
@ -70,7 +70,7 @@ begin
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed);
|
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'TENANT', assumed);
|
||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
-- TODO: remove guest role
|
-- TODO: remove guest role
|
||||||
@ -79,7 +79,7 @@ begin
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed);
|
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'GUEST', assumed);
|
||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
create or replace function %1$sReferrer(entity %2$s)
|
create or replace function %1$sReferrer(entity %2$s)
|
||||||
@ -87,7 +87,7 @@ begin
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $f$
|
strict as $f$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('%2$s', entity.uuid, 'REFERRER');
|
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'REFERRER');
|
||||||
end; $f$;
|
end; $f$;
|
||||||
|
|
||||||
$sql$, prefix, targetTable);
|
$sql$, prefix, targetTable);
|
||||||
|
@ -30,16 +30,16 @@ create or replace function rbac.isGlobalAdmin()
|
|||||||
returns boolean
|
returns boolean
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), findRoleId(globalAdmin()));
|
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--//
|
--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
|
||||||
-- ------------------------------------------------------------------
|
-- ------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function rbac.hasGlobalPermission(op RbacOp)
|
create or replace function rbac.hasGlobalPermission(op rbac.RbacOp)
|
||||||
returns boolean
|
returns boolean
|
||||||
language sql as
|
language sql as
|
||||||
$$
|
$$
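Review bot: Renaming the Liquibase changeset id `rbac-global-HAS-global-PERMISSION:1` to `rbac-global-HAS-GLOBAL-PERMISSION:1` changes the key Liquibase records in its changelog table, so on any database where the old id already ran the renamed changeset is treated as new and executed again. For an idempotent `create or replace function` body like `rbac.hasGlobalPermission` that is harmless, but the same renames in `@ -87,7 +87,7 @@` (`rbac-global-PSEUDO-OBJECT`), `@ -104,7 +104,7 @@` (`rbac-global-ADMIN-ROLE`, whose changeset runs `select rbac.createRole(globalAdmin());` in a transaction), `@ -140,13 +140,13 @@`, `@ -157,7 +157,7 @@` and `@ -168,7 +168,7 @@` would re-create roles and test users. If every environment is rebuilt from scratch this is fine and deserves a sentence in the PR description; otherwise keep the old ids or guard the renamed changesets with a `--preconditions onFail:MARK_RAN` check. The unchanged descriptions `A rbac.Global administrator role.` and `A rbac.Global guest role.` still carry the mechanical `rbac.` prefix that the id rename removes and read better as `A global administrator role.`.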
@ -87,7 +87,7 @@ $$;
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--//
|
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -104,7 +104,7 @@ commit;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--//
|
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
A rbac.Global administrator role.
|
A rbac.Global administrator role.
|
||||||
@ -119,13 +119,13 @@ $$;
|
|||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||||
select createRole(globalAdmin());
|
select rbac.createRole(globalAdmin());
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--//
|
--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
A rbac.Global guest role.
|
A rbac.Global guest role.
|
||||||
@ -140,13 +140,13 @@ $$;
|
|||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
||||||
select createRole(globalGuest());
|
select rbac.createRole(globalGuest());
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Create two users and assign both to the administrators' role.
|
Create two users and assign both to the administrators' role.
|
||||||
@ -157,7 +157,7 @@ do language plpgsql $$
|
|||||||
begin
|
begin
|
||||||
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
||||||
|
|
||||||
admins = findRoleId(globalAdmin());
|
admins = rbac.findRoleId(globalAdmin());
|
||||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
||||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
||||||
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
||||||
@ -168,7 +168,7 @@ $$;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -95,7 +95,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'test_customer'),
|
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
hsh-marcsandlus
commented
globalAdmin statt globalADMIN?
hsh-michaelhoennig
commented
ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe
|
|||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -111,7 +111,7 @@ create or replace function new_test_customer_grants_insert_to_global_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -41,8 +41,8 @@ begin
|
|||||||
select * into newCust
|
select * into newCust
|
||||||
from test_customer where reference=custReference;
|
from test_customer where reference=custReference;
|
||||||
call rbac.grantRoleToSubject(
|
call rbac.grantRoleToSubject(
|
||||||
getRoleId(testCustomerOwner(newCust)),
|
rbac.getRoleId(testCustomerOwner(newCust)),
|
||||||
getRoleId(testCustomerAdmin(newCust)),
|
rbac.getRoleId(testCustomerAdmin(newCust)),
|
||||||
custAdminUuid,
|
custAdminUuid,
|
||||||
true);
|
true);
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -160,7 +160,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'test_package'),
|
rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
|
||||||
testCustomerADMIN(row));
|
testCustomerADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -176,7 +176,7 @@ create or replace function new_test_package_grants_insert_to_test_customer_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
||||||
testCustomerADMIN(NEW));
|
testCustomerADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -30,8 +30,8 @@ begin
|
|||||||
returning * into pac;
|
returning * into pac;
|
||||||
|
|
||||||
call rbac.grantRoleToSubject(
|
call rbac.grantRoleToSubject(
|
||||||
getRoleId(testCustomerAdmin(cust)),
|
rbac.getRoleId(testCustomerAdmin(cust)),
|
||||||
findRoleId(testPackageAdmin(pac)),
|
rbac.findRoleId(testPackageAdmin(pac)),
|
||||||
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
||||||
true);
|
true);
|
||||||
|
|
||||||
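Review bot: The two role lookups on the new lines use different helpers, `rbac.getRoleId(testCustomerAdmin(cust))` for the granting role and `rbac.findRoleId(testPackageAdmin(pac))` for the granted one, and nothing in the hunk explains why the package admin role needs `findRoleId` while the customer admin role uses `getRoleId`. If the two differ in how a missing role is handled — presumably one raises and the other returns null — a null on the granted side would reach `rbac.grantRoleToSubject` silently. Either use `rbac.getRoleId` for both, or add a one-line comment above the call stating why the package role may legitimately be absent at this point. The function begins before the hunk, so there may be context I cannot see.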
|
@ -159,7 +159,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'test_domain'),
|
rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
|
||||||
testPackageADMIN(row));
|
testPackageADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -175,7 +175,7 @@ create or replace function new_test_domain_grants_insert_to_test_package_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
||||||
testPackageADMIN(NEW));
|
testPackageADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -169,7 +169,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
||||||
hsOfficePersonADMIN(row));
|
hsOfficePersonADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -185,7 +185,7 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
||||||
hsOfficePersonADMIN(NEW));
|
hsOfficePersonADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -42,12 +42,12 @@ begin
|
|||||||
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
|
||||||
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -111,22 +111,22 @@ begin
|
|||||||
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
||||||
|
|
||||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
|
|
||||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||||
|
|
||||||
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||||
|
|
||||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
|
|
||||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
|
|
||||||
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
call grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
|
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
@ -172,7 +172,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -188,7 +188,7 @@ create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
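Review bot: The schema qualification in the update trigger (hunk `@ -111,22 +111,22 @@`) is only partial: `rbac.createPermission(...)` is now qualified, but `getPermissionId(OLD.uuid, 'DELETE')` in the paired revoke and the outer `grantPermissionToRole(...)` are still resolved through the session's `search_path`. That matters because these are the calls that grant and revoke row permissions; if the trigger functions run with definer privileges — their headers are outside the hunk, so I cannot tell — an unqualified name is exactly what a same-named function in a schema earlier on the search path could hijack. If `getPermissionId` and `grantPermissionToRole` have moved to the `rbac` schema as well, qualify them the same way, e.g. `call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));`; either way, pinning `set search_path = rbac, pg_catalog` (plus the schema of the `hsOfficeRelation*` helpers) on the function definitions removes the dependency altogether. The enclosing function starts and ends outside the hunk.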
|
@ -76,7 +76,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -92,7 +92,7 @@ create or replace function new_hs_office_partner_details_grants_insert_to_global
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -57,9 +57,9 @@ begin
|
|||||||
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
|
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
|
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -145,7 +145,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -161,7 +161,7 @@ create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -120,7 +120,7 @@ do language plpgsql $$
|
|||||||
WHERE type = 'DEBITOR'
|
WHERE type = 'DEBITOR'
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||||
hsOfficeRelationADMIN(row));
|
hsOfficeRelationADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -136,7 +136,7 @@ create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_
|
|||||||
begin
|
begin
|
||||||
if NEW.type = 'DEBITOR' then
|
if NEW.type = 'DEBITOR' then
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||||
hsOfficeRelationADMIN(NEW));
|
hsOfficeRelationADMIN(NEW));
|
||||||
end if;
|
end if;
|
||||||
return NEW;
|
return NEW;
|
||||||
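Review bot: The INSERT-into-`hs_office_sepamandate` permission in `new_hs_office_sepamandate_grants_insert_to_hs_office_..._tf` is granted only when `NEW.type = 'DEBITOR'` at insert time, and the backfill loop above filters with `WHERE type = 'DEBITOR'` the same way; nothing in the hunk revokes the grant if a relation's `type` is later changed away from DEBITOR, nor adds it if a relation becomes one. If `type` is mutable that leaves a stale grant in the first case, which is a least-privilege gap. Either document the assumption at the condition, `-- assumes relation.type is immutable after insert; a later type change would leave this grant stale`, or handle the type change in an update trigger. Whether this trigger also fires on update is not visible here.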
|
@ -107,7 +107,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -123,7 +123,7 @@ create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -38,8 +38,8 @@ begin
|
|||||||
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -83,7 +83,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||||
hsOfficeMembershipADMIN(row));
|
hsOfficeMembershipADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -99,7 +99,7 @@ create or replace function new_hs_office_coopsharestransaction_grants_insert_to_
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||||
hsOfficeMembershipADMIN(NEW));
|
hsOfficeMembershipADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -38,8 +38,8 @@ begin
|
|||||||
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
||||||
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -83,7 +83,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||||
hsOfficeMembershipADMIN(row));
|
hsOfficeMembershipADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -99,7 +99,7 @@ create or replace function new_hs_office_coopassetstransaction_grants_insert_to_
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||||
hsOfficeMembershipADMIN(NEW));
|
hsOfficeMembershipADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -70,7 +70,7 @@ begin
|
|||||||
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
|||||||
WHERE type = 'DEBITOR'
|
WHERE type = 'DEBITOR'
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_project'),
|
||||||
hsOfficeRelationADMIN(row));
|
hsOfficeRelationADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -130,7 +130,7 @@ create or replace function new_hs_booking_project_grants_insert_to_hs_office_rel
|
|||||||
begin
|
begin
|
||||||
if NEW.type = 'DEBITOR' then
|
if NEW.type = 'DEBITOR' then
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_project'),
|
||||||
hsOfficeRelationADMIN(NEW));
|
hsOfficeRelationADMIN(NEW));
|
||||||
end if;
|
end if;
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -69,7 +69,7 @@ begin
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -113,7 +113,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
@ -156,7 +156,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsBookingProjectADMIN(row));
|
hsBookingProjectADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsBookingProjectADMIN(NEW));
|
hsBookingProjectADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsBookingItemADMIN(NEW));
|
hsBookingItemADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
@ -69,7 +69,7 @@ begin
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -113,7 +113,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -129,7 +129,7 @@ create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
@ -156,7 +156,7 @@ do language plpgsql $$
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsBookingProjectADMIN(row));
|
hsBookingProjectADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
@ -172,7 +172,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_proje
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsBookingProjectADMIN(NEW));
|
hsBookingProjectADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
@ -199,7 +199,7 @@ create or replace function new_hs_booking_item_grants_insert_to_hs_booking_item_
|
|||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
hsBookingItemADMIN(NEW));
|
hsBookingItemADMIN(NEW));
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
|
müsste das nicht grantRoleToSubjectUnchecked heißen