introduce separate database-schemas base+rbac #103
@ -110,7 +110,7 @@ end; $$;
/*
Returns the current user as defined by `basis.defineContext(...)`.
*/
create or replace function currentUser()
create or replace function basis.currentUser()
returns varchar(63)
stable -- leakproof
language plpgsql as $$
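Review bot: `stable -- leakproof` on line 23 leaves the leakproof attribute commented out with no explanation, and the next hunk carries the same fragment on basis.assumedRoles(). Whether these session-context readers are meant to be leakproof matters for any security-barrier view or row-level policy that calls them, because the planner only pushes leakproof functions below the barrier, so the decision should be recorded rather than left as a dangling word. Suggest replacing the fragment with a comment such as `-- not declared leakproof: <reason, to be filled in>`, or declaring it if that is the intent. The function body continues outside the hunk.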
@ -134,7 +134,7 @@ end; $$;
Returns assumed role names as set in `hsadminng.assumedRoles`
or empty array, if not set.
*/
create or replace function assumedRoles()
create or replace function basis.assumedRoles()
returns varchar(1023)[]
stable -- leakproof
language plpgsql as $$
@ -213,11 +213,11 @@ create or replace function currentSubjects()
declare
assumedRoles varchar(1023)[];
begin
assumedRoles := assumedRoles();
assumedRoles := basis.assumedRoles();
if array_length(assumedRoles, 1) > 0 then
return assumedRoles;
else
return array [currentUser()]::varchar(1023)[];
return array [basis.currentUser()]::varchar(1023)[];
end if;
end; $$;
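Review bot: `array_length(assumedRoles, 1) > 0` on line 74 evaluates to NULL rather than false for the empty array that basis.assumedRoles() is documented to return when nothing is set, because array_length() yields NULL on an empty array. Here the NULL happens to fall through to the else branch, but the identical expression in hasAssumedRole() in the next hunk is returned directly, so that function yields NULL instead of false and a caller's `if not hasAssumedRole()` would never enter its branch. The other hunks of this change already test role sets with cardinality(), which returns 0 for an empty array; use `if cardinality(assumedRoles) > 0 then` here and `return cardinality(basis.assumedRoles()) > 0;` in hasAssumedRole().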
@ -226,7 +226,7 @@ create or replace function hasAssumedRole()
stable -- leakproof
language plpgsql as $$
begin
return array_length(assumedRoles(), 1) > 0;
return array_length(basis.assumedRoles(), 1) > 0;
end; $$;
--//
@ -84,7 +84,7 @@ begin
insert
into basis.tx_context (txId, txTimestamp, currentUser, assumedRoles, currentTask, currentRequest)
values ( curTxId, now(),
currentUser(), assumedRoles(), curTask, basis.currentRequest())
basis.currentUser(), basis.assumedRoles(), curTask, basis.currentRequest())
on conflict do nothing;
case tg_op
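Review bot: `on conflict do nothing` on line 142 silently discards the basis.currentUser() and basis.assumedRoles() values captured on line 139 whenever a basis.tx_context row already exists for curTxId; the conflict target is not visible here, but txId is the only plausible one. If the context can be (re)defined more than once inside a transaction with a different user or role set, the audit row then records the first call only, and nothing signals the discrepancy. Either document that the first context per transaction wins, or replace the clause with an update or an exception when the existing row differs. The enclosing function starts before this hunk.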
@ -12,8 +12,8 @@ declare
currentSubjectsUuids uuid[];
begin
-- exactly one role must be assumed, not none not more than one
if cardinality(assumedRoles()) <> 1 then
raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', assumedRoles();
if cardinality(basis.assumedRoles()) <> 1 then
raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', basis.assumedRoles();
end if;
currentSubjectsUuids := currentSubjectsUuids();
@ -66,10 +66,10 @@ begin
and r.roleType = roleTypeToAssume
into roleUuidToAssume;
if roleUuidToAssume is null then
raise exception '[403] role % does not exist or is not accessible for user %', roleName, currentUser();
raise exception '[403] role % does not exist or is not accessible for user %', roleName, basis.currentUser();
end if;
if not isGranted(currentUserUuid, roleUuidToAssume) then
raise exception '[403] user % has no permission to assume role %', currentUser(), roleName;
raise exception '[403] user % has no permission to assume role %', basis.currentUser(), roleName;
end if;
roleIdsToAssume := roleIdsToAssume || roleUuidToAssume;
end loop;
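Review bot: `isGranted(currentUserUuid, roleUuidToAssume)` on line 205 stays unqualified while the calls on lines 199 and 211 are now schema-qualified, and the same mix remains with currentUserUuid() and hasGlobalRoleGranted() in the RbacUser_rv hunk and the @ -354 hunk. Once functions are spread over the new schemas, an unqualified name is resolved through the caller's search_path at call time, so an authorization check can bind to a function other than the intended one if that path is ever changed or left to the client. Qualify these calls as well, or pin resolution on each function with `set search_path = <project schemas>, pg_catalog` in its definition. The enclosing function starts before this hunk.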
@ -132,7 +132,7 @@ begin
currentUserUuid := null;
end;
if (currentUserUuid is null or currentUserUuid = '') then
currentUserName := currentUser();
currentUserName := basis.currentUser();
if (length(currentUserName) > 0) then
raise exception '[401] currentUserUuid cannot be determined, unknown user name "%"', currentUserName;
else
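Review bot: `currentUserUuid = ''` on line 232 is only a meaningful emptiness test if the variable is text; if it is declared uuid, as its name and the `currentUserUuid := null` assignment suggest, the empty literal cannot be cast to uuid and the whole condition raises instead of reaching the [401] exception that reports the unknown user. The declaration is outside the hunk, so please confirm the type; for a uuid variable `if currentUserUuid is null then` is the complete check. The enclosing function starts before this hunk.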
@ -166,7 +166,7 @@ begin
currentSubjectsUuids := null;
end;
if (currentSubjectsUuids is null or length(currentSubjectsUuids) = 0 ) then
currentUserName := currentUser();
currentUserName := basis.currentUser();
if (length(currentUserName) > 0) then
raise exception '[401] currentSubjectsUuids (%) cannot be determined, unknown user name "%"', currentSubjectsUuids, currentUserName;
else
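Review bot: `length(currentSubjectsUuids) = 0` on line 259 has no array overload in PostgreSQL, so if the variable is uuid[] here as it is declared in the @ -12 hunk, the condition fails at function lookup rather than detecting the empty-subject case the [401] exception is meant to report. `cardinality(currentSubjectsUuids) = 0` is the intended test and matches the cardinality() checks used elsewhere in this change; the declaration for this function is outside the hunk, so please confirm the type. The enclosing function starts before this hunk.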
@ -241,7 +241,7 @@ create or replace view RbacUser_rv as
union
select users.*
from RbacUser as users
where cardinality(assumedRoles()) = 0 and
where cardinality(basis.assumedRoles()) = 0 and
(currentUserUuid() = users.uuid or hasGlobalRoleGranted(currentUserUuid()))
) as unordered
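Review bot: `select users.*` on line 284 exposes every column of RbacUser through a visibility view, so any column added to the table later becomes readable through RbacUser_rv without anyone reviewing whether it belongs there; list the columns explicitly. The two branches of the `union` on line 281 also look disjoint, since this one applies only when no role is assumed, in which case `union all` avoids a needless sort and dedup; the other branch starts outside the hunk, so please confirm before changing it.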
@ -303,7 +303,7 @@ begin
delete from RbacUser where uuid = old.uuid;
return old;
end if;
raise exception '[403] User % not allowed to delete user uuid %', currentUser(), old.uuid;
raise exception '[403] User % not allowed to delete user uuid %', basis.currentUser(), old.uuid;
end; $$;
/*
@ -354,7 +354,7 @@ begin
currentUserUuid := currentUserUuid();
if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentUserUuid) then
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, currentUser();
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentUser();
end if;
return query select