move Parter+Debitor person+contact to related Relationsship #20
@ -119,10 +119,12 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
|
||||
with.outgoingSubRole("holderPerson", REFERRER);
|
||||
with.outgoingSubRole("contact", REFERRER);
|
||||
with.permission(SELECT);
|
||||
});
|
||||
})
|
||||
|
||||
.toRole("anchorPerson", ADMIN).grantPermission(INSERT);
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException {
|
||||
rbac().generateWithBaseFileName("223-hs-office-relationship-rbac-generated");
|
||||
rbac().generateWithBaseFileName("223-hs-office-relationship-rbac");
|
||||
}
|
||||
}
|
||||
|
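Review bot: `.toRole("anchorPerson", ADMIN).grantPermission(INSERT);` is the line that decides who may create relationships at all — only the admin of the anchor person, not the holder person's admin and not the contact's — and nothing in the hunk says so; a one-line comment such as `// only the anchor person's admin may create relationships for it; the holder and contact side get no INSERT` would spare the next reader a trip to the generated SQL. The enclosing rbac() definition starts above the hunk, so this is judged from the visible tail only. In main(), the base file name is a hand-typed literal that this hunk renames from `...-rbac-generated` to `...-rbac`; a short comment stating which file is the checked-in artifact would make the intent of the rename clear.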
@ -80,12 +80,13 @@ public class InsertTriggerGenerator {
|
||||
strict as $$
|
||||
begin
|
||||
call grantPermissionToRole(
|
||||
${rawSuperRoleDescriptor},
|
||||
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'));
|
||||
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'),
|
||||
${rawSuperRoleDescriptor});
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger ${rawSubTableName}_${rawSuperTableName}_insert_tg
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_${rawSubTableName}_${rawSuperTableName}_insert_tg
|
||||
after insert on ${rawSuperTableName}
|
||||
for each row
|
||||
execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf();
|
||||
|
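Review bot: Both arguments of `grantPermissionToRole` are uuids, which is why the reversed `(role, permission)` call compiled and ran unnoticed until this fix; the generated call should use named-argument notation so a future swap fails at definition time instead of silently granting the wrong object, e.g. `call grantPermissionToRole(permissionUuid => createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'), roleUuid => ${rawSuperRoleDescriptor});` with whatever parameter names the procedure actually declares (not visible here). The `z_` prefix relies on PostgreSQL firing same-event triggers in alphabetical order by name, so any other after-insert trigger whose name sorts after `z_` — or a second generated `z_` trigger that depends on this one — reorders it silently; the comment should name that rule, e.g. `-- prefix z_ so this fires after the role-creating triggers (PostgreSQL fires same-event triggers in name order)`. The `create or replace function` header of the generated trigger function is above the hunk.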
@ -179,7 +179,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger test_package_test_customer_insert_tg
|
||||
create trigger z_test_package_test_customer_insert_tg
|
||||
after insert on test_customer
|
||||
for each row
|
||||
execute procedure test_package_test_customer_insert_tf();
|
||||
|
@ -178,7 +178,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger test_domain_test_package_insert_tg
|
||||
create trigger z_test_domain_test_package_insert_tg
|
||||
after insert on test_package
|
||||
for each row
|
||||
execute procedure test_domain_test_package_insert_tf();
|
||||
|
@ -114,7 +114,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_contact_global_insert_tg
|
||||
create trigger z_hs_office_contact_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_contact_global_insert_tf();
|
||||
|
@ -114,7 +114,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_person_global_insert_tg
|
||||
create trigger z_hs_office_person_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_person_global_insert_tf();
|
||||
|
@ -1,6 +1,6 @@
|
||||
### rbac relationship
|
||||
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T15:30:23.331560468.
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T17:17:00.854621634.
|
||||
|
||||
```mermaid
|
||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||
@ -64,6 +64,7 @@ subgraph relationship["`**relationship**`"]
|
||||
perm:relationship:DELETE{{relationship:DELETE}}
|
||||
perm:relationship:UPDATE{{relationship:UPDATE}}
|
||||
perm:relationship:SELECT{{relationship:SELECT}}
|
||||
perm:relationship:INSERT{{relationship:INSERT}}
|
||||
end
|
||||
end
|
||||
|
||||
@ -96,5 +97,6 @@ role:relationship:tenant ==> role:contact:referrer
|
||||
role:relationship:owner ==> perm:relationship:DELETE
|
||||
role:relationship:admin ==> perm:relationship:UPDATE
|
||||
role:relationship:tenant ==> perm:relationship:SELECT
|
||||
role:anchorPerson:admin ==> perm:relationship:INSERT
|
||||
|
||||
```
|
||||
|
@ -1,5 +1,5 @@
|
||||
--liquibase formatted sql
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T15:30:23.341470108.
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:17:00.864301165.
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -186,13 +186,68 @@ execute procedure updateTriggerForHsOfficeRelationship_tf();
|
||||
--changeset hs-office-relationship-rbac-INSERT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- FIXME: Where is this case necessary?
|
||||
/*
|
||||
Creates INSERT INTO hs_office_relationship permissions for the related hs_office_person rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row hs_office_person;
|
||||
permissionUuid uuid;
|
||||
roleUuid uuid;
|
||||
begin
|
||||
call defineContext('create INSERT INTO hs_office_relationship permissions for the related hs_office_person rows');
|
||||
|
||||
FOR row IN SELECT * FROM hs_office_person
|
||||
LOOP
|
||||
roleUuid := findRoleId(hsOfficePersonAdmin(row));
|
||||
permissionUuid := createPermission(row.uuid, 'INSERT', 'hs_office_relationship');
|
||||
call grantPermissionToRole(permissionUuid, roleUuid);
|
||||
END LOOP;
|
||||
END;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Adds hs_office_relationship INSERT permission to specified role of new hs_office_person rows.
|
||||
*/
|
||||
create or replace function hs_office_relationship_hs_office_person_insert_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_relationship'),
|
||||
hsOfficePersonAdmin(NEW));
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger z_hs_office_relationship_hs_office_person_insert_tg
|
||||
after insert on hs_office_person
|
||||
for each row
|
||||
execute procedure hs_office_relationship_hs_office_person_insert_tf();
|
||||
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_relationship.
|
||||
*/
|
||||
create or replace function hs_office_relationship_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
begin
|
||||
if ( not hasInsertPermission(
|
||||
( SELECT anchorPerson.uuid FROM
|
||||
|
||||
(select * from hs_office_person as p where p.uuid = NEW.relAnchorUuid) AS anchorPerson
|
||||
|
||||
), 'INSERT', 'hs_office_relationship') ) then
|
||||
raise exception
|
||||
'[403] insert into hs_office_relationship not allowed for current subjects % (%)',
|
||||
currentSubjects(), currentSubjectsUuids();
|
||||
end if;
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_relationship_insert_permission_check_tg
|
||||
before insert on hs_office_relationship
|
||||
for each row
|
||||
-- As there is no explicit INSERT grant specified for this table,
|
||||
-- only global admins are allowed to insert any rows.
|
||||
when ( not isGlobalAdmin() )
|
||||
execute procedure hs_office_relationship_insert_permission_missing_tf();
|
||||
--//
|
||||
|
||||
|
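Review bot: The guard in `hs_office_relationship_insert_permission_missing_tf` is `if ( not hasInsertPermission(...) )`, which passes silently when the expression is NULL: if `NEW.relAnchorUuid` is NULL or matches no `hs_office_person` row, the scalar subquery yields NULL, and if `hasInsertPermission` is STRICT or otherwise returns NULL, `not NULL` is NULL and PL/pgSQL treats that as false, so the insert goes through with no permission check at all. Whether `relAnchorUuid` is NOT NULL with a foreign key is not visible here, but an authorization check should fail closed regardless: `if ( hasInsertPermission(...) is not true ) then`. The comment on the check trigger, "As there is no explicit INSERT grant specified for this table, only global admins are allowed to insert any rows", is now wrong, since this very changeset adds such a grant via the anchor person's admin role and the function above the trigger checks it; as the file is generated, both corrections belong in the RbacViewPostgresGenerator template. The `-- FIXME: Where is this case necessary?` also ships in generated output; from the code it appears to cover `hs_office_person` rows that existed before this changeset, which the new after-insert trigger cannot reach, so the comment should state that instead of leaving the question open.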
@ -110,7 +110,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_partner_global_insert_tg
|
||||
create trigger z_hs_office_partner_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_partner_global_insert_tf();
|
||||
|
@ -95,7 +95,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_partner_details_global_insert_tg
|
||||
create trigger z_hs_office_partner_details_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_partner_details_global_insert_tf();
|
||||
|
@ -114,7 +114,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_bankaccount_global_insert_tg
|
||||
create trigger z_hs_office_bankaccount_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_bankaccount_global_insert_tf();
|
||||
|
@ -1,6 +1,6 @@
|
||||
### rbac sepaMandate
|
||||
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T06:12:35.337470470.
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T17:18:45.736693565.
|
||||
|
||||
```mermaid
|
||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||
|
@ -1,5 +1,5 @@
|
||||
--liquibase formatted sql
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T06:12:35.345630060.
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:18:45.747792100.
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -134,12 +134,12 @@ create or replace function hs_office_sepamandate_hs_office_relationship_insert_t
|
||||
strict as $$
|
||||
begin
|
||||
call grantPermissionToRole(
|
||||
hsOfficeRelationshipAdmin(NEW),
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'));
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||
hsOfficeRelationshipAdmin(NEW));
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_sepamandate_hs_office_relationship_insert_tg
|
||||
create trigger z_hs_office_sepamandate_hs_office_relationship_insert_tg
|
||||
after insert on hs_office_relationship
|
||||
for each row
|
||||
execute procedure hs_office_sepamandate_hs_office_relationship_insert_tf();
|
||||
|
@ -225,7 +225,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_debitor_global_insert_tg
|
||||
create trigger z_hs_office_debitor_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_debitor_global_insert_tf();
|
||||
|
@ -124,7 +124,7 @@ begin
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
create trigger hs_office_membership_global_insert_tg
|
||||
create trigger z_hs_office_membership_global_insert_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure hs_office_membership_global_insert_tf();
|
||||
|
@ -223,7 +223,17 @@ class HsOfficeCoopSharesTransactionControllerAcceptanceTest extends ContextBased
|
||||
final var givenCoopShareTransactionUuid = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(null, LocalDate.of(2010, 3, 15), LocalDate.of(2010, 3, 15)).get(0).getUuid();
|
||||
|
||||
RestAssured // @formatter:off
|
||||
.given().header("current-user", "contact-admin@firstcontact.example.com").port(port).when().get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid).then().log().body().assertThat().statusCode(200).contentType("application/json").body("", lenientlyEquals("""
|
||||
.given()
|
||||
.header("current-user", "contact-admin@firstcontact.example.com")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid)
|
||||
.then()
|
||||
.log().body()
|
||||
.assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("", lenientlyEquals("""
|
||||
{
|
||||
"transactionType": "SUBSCRIPTION",
|
||||
"shareCount": 4
|
||||
|
@ -88,7 +88,6 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
|
||||
context("superuser-alex@hostsharing.net");
|
||||
final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
|
||||
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
|
||||
.map(s -> s.replace("FirstGmbH-firstcontact", "..."))
|
||||
.map(s -> s.replace("hs_office_", ""))
|
||||
.toList();
|
||||
|
||||
@ -109,11 +108,10 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
|
||||
final var all = rawRoleRepo.findAll();
|
||||
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(initialRoleNames)); // no new roles created
|
||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
|
||||
.map(s -> s.replace("FirstGmbH-firstcontact", "..."))
|
||||
.map(s -> s.replace("hs_office_", ""))
|
||||
.containsExactlyInAnyOrder(Array.fromFormatted(
|
||||
initialGrantNames,
|
||||
"{ grant perm SELECT on coopsharestransaction#temprefB to role membership#1000101:....tenant by system and assume }",
|
||||
"{ grant perm SELECT on coopsharestransaction#temprefB to role membership#M-1000101.referrer by system and assume }",
|
||||
null));
|
||||
}
|
||||
|
||||
@ -194,7 +192,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
|
||||
@Test
|
||||
public void normalUser_canViewOnlyRelatedCoopSharesTransactions() {
|
||||
// given:
|
||||
context("superuser-alex@hostsharing.net", "hs_office_partner#10001:FirstGmbH-firstcontact.admin");
|
||||
context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000101.admin");
|
||||
|
||||
// when:
|
||||
final var result = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(
|
||||
|
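Review bot: The expected grant in the second hunk moves SELECT on `coopsharestransaction#temprefB` from `membership#...tenant` to `membership#M-1000101.referrer`; if referrer is the least-privileged role of a membership, as the naming in this RBAC model suggests, this widens who can read cooperative share transactions, and the test now pins that widening as correct. Please confirm this is intended and say so next to the assertion, e.g. `// SELECT on share transactions is granted to the membership referrer, not only the tenant`. The third hunk switches the "normal user" context from the partner admin to `hs_office_membership#M-1000101.admin`, so no assertion remains about whether a partner admin can still see these rows; a negative test for the partner admin would document the new boundary. The `findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(` call at the end of that hunk continues outside the hunk.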
@ -127,16 +127,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
|
||||
"hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant"));
|
||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
||||
initialGrantNames,
|
||||
"{ grant perm INSERT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
|
||||
|
||||
"{ grant perm DELETE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to role global#global.admin by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to user superuser-alex@hostsharing.net by hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner and assume }",
|
||||
|
||||
"{ grant perm edit on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
|
||||
"{ grant perm UPDATE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
|
||||
|
||||
"{ grant perm UPDATE on hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin by system and assume }",
|
||||
"{ grant role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.owner by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_person#BesslerBert.admin by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
|
||||
|
||||
"{ grant perm SELECT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent by system and assume }",
|
||||
@ -145,7 +147,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
|
||||
"{ grant role hs_office_contact#fourthcontact.referrer to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
|
||||
|
||||
// REPRESENTATIVE holder person -> (represented) anchor person
|
||||
"{ grant role hs_office_person#BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_contact#fourthcontact.admin by system and assume }",
|
||||
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_person#BesslerBert.admin by system and assume }",
|
||||
|
||||
null)
|
||||
);
|
||||
@ -195,7 +198,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
|
||||
result,
|
||||
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
|
||||
"rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')",
|
||||
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')");
|
||||
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
|
||||
"rel(relAnchor='NP Smith, Peter', relType='ACCOUNTING', relHolder='NP Smith, Peter', contact='third contact')");
|
||||
}
|
||||
}
|
||||
|
||||
|
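Review bot: The new expectation `{ grant role hs_office_person#BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin ... }` under `// REPRESENTATIVE holder person -> (represented) anchor person` pins a privilege-inheritance direction between two person records, but the arrow does not say which side inherits: read with the display format used elsewhere in this test (`grant role X.admin to role X.owner` means owner obtains admin), the admin of the represented anchor person obtains admin over the representative's person record, not the other way round. If that is intended, the comment should say so, e.g. `// the represented (anchor) person's admin is also admin of the REPRESENTATIVE (holder) person`; if the intent was that the representative gains admin of the represented party, the grant is inverted. The definition producing this grant lives in HsOfficeRelationshipEntity, not in this hunk, so this is inferred from the expected string only. The `grant perm edit` to `grant perm UPDATE` change in the first hunk reads as a rename of the permission operation and looks consistent with the generated SQL.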