introduce separate database-schemas base+rbac #103
@ -364,7 +364,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
System.out.println("null");
|
System.out.println("null");
|
||||||
}
|
}
|
||||||
if (roleDef.getEntityAlias().isGlobal()) {
|
if (roleDef.getEntityAlias().isGlobal()) {
|
||||||
return "globalAdmin()";
|
return "rbac.globalAdmin()";
|
||||||
}
|
}
|
||||||
final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
|
final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
|
||||||
return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())
|
return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())
|
||||||
|
@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
|
|||||||
returns boolean
|
returns boolean
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin()));
|
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -109,7 +109,7 @@ commit;
|
|||||||
/*
|
/*
|
||||||
A rbac.Global administrator role.
|
A rbac.Global administrator role.
|
||||||
*/
|
*/
|
||||||
create or replace function globalAdmin(assumed boolean = true)
|
create or replace function rbac.globalAdmin(assumed boolean = true)
|
||||||
returns rbac.RoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
@ -119,7 +119,7 @@ $$;
|
|||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||||
select rbac.createRole(globalAdmin());
|
select rbac.createRole(rbac.globalAdmin());
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -130,7 +130,7 @@ commit;
|
|||||||
/*
|
/*
|
||||||
A rbac.Global guest role.
|
A rbac.Global guest role.
|
||||||
*/
|
*/
|
||||||
create or replace function globalGuest(assumed boolean = true)
|
create or replace function rbac.globalglobalGuest(assumed boolean = true)
|
||||||
returns rbac.RoleDescriptor
|
returns rbac.RoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
@ -140,7 +140,7 @@ $$;
|
|||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
||||||
select rbac.createRole(globalGuest());
|
select rbac.createRole(rbac.globalglobalGuest());
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -157,7 +157,7 @@ do language plpgsql $$
|
|||||||
begin
|
begin
|
||||||
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
||||||
|
|
||||||
admins = rbac.findRoleId(globalAdmin());
|
admins = rbac.findRoleId(rbac.globalAdmin());
|
||||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
||||||
hsh-michaelhoennig marked this conversation as resolved
Outdated
|
|||||||
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
||||||
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
testCustomerOWNER(NEW),
|
testCustomerOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN(rbac.unassumed())],
|
incomingSuperRoles => array[rbac.globalADMIN(rbac.unassumed())],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -96,7 +96,7 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
hsh-marcsandlus
commented
globalAdmin statt globalADMIN? globalAdmin statt globalADMIN?
hsh-michaelhoennig
commented
ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe
|
|||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -112,7 +112,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficeContactOWNER(NEW),
|
hsOfficeContactOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficePersonOWNER(NEW),
|
hsOfficePersonOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -50,7 +50,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficeRelationOWNER(NEW),
|
hsOfficeRelationOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -173,7 +173,7 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -189,7 +189,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -77,7 +77,7 @@ begin
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -93,7 +93,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -37,7 +37,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficeBankAccountOWNER(NEW),
|
hsOfficeBankAccountOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -146,7 +146,7 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -162,7 +162,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -50,7 +50,7 @@ begin
|
|||||||
perform rbac.defineRoleWithGrants(
|
perform rbac.defineRoleWithGrants(
|
||||||
hsOfficeSepaMandateOWNER(NEW),
|
hsOfficeSepaMandateOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[rbac.globalAdmin()],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -108,7 +108,7 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -124,7 +124,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -70,7 +70,7 @@ begin
|
|||||||
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -69,7 +69,7 @@ begin
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -130,7 +130,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -69,7 +69,7 @@ begin
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin());
|
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
|
||||||
|
|
||||||
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
|||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -130,7 +130,7 @@ begin
|
|||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
|
||||||
globalADMIN());
|
rbac.globalAdmin());
|
||||||
-- end.
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -50,7 +50,7 @@ begin
|
|||||||
hsHostingAssetOWNER(NEW),
|
hsHostingAssetOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
globalADMIN(rbac.unassumed()),
|
rbac.globalADMIN(rbac.unassumed()),
|
||||||
hsBookingItemADMIN(newBookingItem),
|
hsBookingItemADMIN(newBookingItem),
|
||||||
hsHostingAssetADMIN(newParentAsset)],
|
hsHostingAssetADMIN(newParentAsset)],
|
||||||
subjectUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
|
Loading…
Reference in New Issue
Block a user
müsste das nicht grantRoleToSubjectUnchecked heißen