introduce separate database-schemas base+rbac #103
@ -364,7 +364,7 @@ class RolesGrantsAndPermissionsGenerator {
|
||||
System.out.println("null");
|
||||
}
|
||||
if (roleDef.getEntityAlias().isGlobal()) {
|
||||
return "globalAdmin()";
|
||||
return "rbac.globalAdmin()";
|
||||
}
|
||||
final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
|
||||
return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())
|
||||
|
@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
|
||||
returns boolean
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
|
||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
@ -109,7 +109,7 @@ commit;
|
||||
/*
|
||||
A rbac.Global administrator role.
|
||||
*/
|
||||
create or replace function globalAdmin(assumed boolean = true)
|
||||
create or replace function rbac.globalAdmin(assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@ -119,7 +119,7 @@ $$;
|
||||
|
||||
begin transaction;
|
||||
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||
select rbac.createRole(globalAdmin());
|
||||
select rbac.createRole(rbac.globalAdmin());
|
||||
commit;
|
||||
--//
|
||||
|
||||
@ -130,7 +130,7 @@ commit;
|
||||
/*
|
||||
A rbac.Global guest role.
|
||||
*/
|
||||
create or replace function globalGuest(assumed boolean = true)
|
||||
create or replace function rbac.globalglobalGuest(assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@ -140,7 +140,7 @@ $$;
|
||||
|
||||
begin transaction;
|
||||
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
||||
select rbac.createRole(globalGuest());
|
||||
select rbac.createRole(rbac.globalglobalGuest());
|
||||
commit;
|
||||
--//
|
||||
|
||||
@ -157,7 +157,7 @@ do language plpgsql $$
|
||||
begin
|
||||
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
||||
|
||||
admins = rbac.findRoleId(globalAdmin());
|
||||
admins = rbac.findRoleId(rbac.globalAdmin());
|
||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
||||
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
testCustomerOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
|
||||
incomingSuperRoles => array[rbac.globalADMIN(rbac.unassumed())],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
@ -96,7 +96,7 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -112,7 +112,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeContactOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN()],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficePersonOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN()],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -50,7 +50,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeRelationOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN()],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -173,7 +173,7 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -189,7 +189,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -77,7 +77,7 @@ begin
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -93,7 +93,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -37,7 +37,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeBankAccountOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN()],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -146,7 +146,7 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -162,7 +162,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -50,7 +50,7 @@ begin
|
||||
perform rbac.defineRoleWithGrants(
|
||||
hsOfficeSepaMandateOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[globalADMIN()],
|
||||
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
);
|
||||
|
||||
|
@ -108,7 +108,7 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -124,7 +124,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -70,7 +70,7 @@ begin
|
||||
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||||
);
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
|
@ -69,7 +69,7 @@ begin
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -130,7 +130,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -69,7 +69,7 @@ begin
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||
|
||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
@ -130,7 +130,7 @@ begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||
globalADMIN());
|
||||
rbac.globalAdmin());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
@ -50,7 +50,7 @@ begin
|
||||
hsHostingAssetOWNER(NEW),
|
||||
permissions => array['DELETE'],
|
||||
incomingSuperRoles => array[
|
||||
globalADMIN(rbac.unassumed()),
|
||||
rbac.globalADMIN(rbac.unassumed()),
|
||||
hsBookingItemADMIN(newBookingItem),
|
||||
hsHostingAssetADMIN(newParentAsset)],
|
||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||
|
Loading…
Reference in New Issue
Block a user
globalAdmin statt globalADMIN?
ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe