hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 1 Activity

optimize RBAC SELECT-queries for global-admins without assumed role #124

Merged
hsh-michaelhoennig merged 8 commits from feature/introduce-hasGlobalAdminRole-to-optimize-rbac-select-queries into master 2024-11-25 10:56:17 +01:00
Conversation 0 Commits 8 Files Changed 3 +25 -1
2 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 2cdee9f693 - Show all commits

2
src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
View File

@ -223,7 +223,7 @@ begin
) )
select target.* select target.*
from %1$s as target from %1$s as target
where target.uuid in (select * from accessible_uuids) where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)
order by %2$s; order by %2$s;
grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};

24
src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
View File

@ -35,6 +35,30 @@ end; $$;
--// --//
-- ============================================================================
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Returns true if the current user is a global admin and has no assumed role.
*/
create or replace function rbac.hasGlobalAdminRole()
returns boolean
stable -- leakproof
language plpgsql as $$
declare
currentSubjectOrAssumedRolesUuids text;
begin
begin
currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids');
exception
when others then
currentSubjectOrAssumedRolesUuids := null;
end;
return currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0;
end; $$;
--//
-- ============================================================================ -- ============================================================================
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--// --changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
-- ------------------------------------------------------------------ -- ------------------------------------------------------------------