optimize RBAC SELECT-queries for global-admins without assumed role #124
@ -223,7 +223,7 @@ begin
|
||||
)
|
||||
select target.*
|
||||
from %1$s as target
|
||||
where target.uuid in (select * from accessible_uuids)
|
||||
where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)
|
||||
order by %2$s;
|
||||
|
||||
grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
|
@ -35,6 +35,30 @@ end; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Returns true if the current user is a global admin and has no assumed role.
|
||||
*/
|
||||
create or replace function rbac.hasGlobalAdminRole()
|
||||
returns boolean
|
||||
stable -- leakproof
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentSubjectOrAssumedRolesUuids text;
|
||||
begin
|
||||
begin
|
||||
currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids');
|
||||
exception
|
||||
when others then
|
||||
currentSubjectOrAssumedRolesUuids := null;
|
||||
end;
|
||||
return currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0;
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
|
||||
-- ------------------------------------------------------------------
|
||||
|
Loading…
Reference in New Issue
Block a user