move Parter+Debitor person+contact to related Relationsship #20

Merged
hsh-michaelhoennig merged 101 commits from remove-direct-partner-person-and-contact into master 2024-03-28 12:15:14 +01:00
18 changed files with 112 additions and 40 deletions
Showing only changes of commit 86148c3258 - Show all commits


@ -119,10 +119,12 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
with.outgoingSubRole("holderPerson", REFERRER);
with.outgoingSubRole("contact", REFERRER);
with.permission(SELECT);
});
})
.toRole("anchorPerson", ADMIN).grantPermission(INSERT);
}
public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("223-hs-office-relationship-rbac-generated");
rbac().generateWithBaseFileName("223-hs-office-relationship-rbac");
}
}


@ -80,12 +80,13 @@ public class InsertTriggerGenerator {
strict as $$
begin
call grantPermissionToRole(
${rawSuperRoleDescriptor},
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'));
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'),
${rawSuperRoleDescriptor});
return NEW;
end; $$;
create trigger ${rawSubTableName}_${rawSuperTableName}_insert_tg
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_${rawSubTableName}_${rawSuperTableName}_insert_tg
after insert on ${rawSuperTableName}
for each row
execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf();
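Review bot: The `z_` prefix on the trigger name works only because PostgreSQL fires triggers of the same event on the same table in alphabetical name order, but the comment above `create trigger z_...` says merely "to put it at the end", so the next maintainer has no hint that a later-sorting name would break the ordering. Suggest `-- PostgreSQL fires same-event triggers in alphabetical name order; the z_ prefix runs this after the role-creating triggers, so nothing this depends on may sort after 'z_'.` The same rename is replicated across the generated *-rbac.sql files in this commit, so this template is the one place to document the convention. The enclosing Java method that builds this template string starts and ends outside the hunk.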


@ -179,7 +179,7 @@ begin
return NEW;
end; $$;
create trigger test_package_test_customer_insert_tg
create trigger z_test_package_test_customer_insert_tg
after insert on test_customer
for each row
execute procedure test_package_test_customer_insert_tf();


@ -178,7 +178,7 @@ begin
return NEW;
end; $$;
create trigger test_domain_test_package_insert_tg
create trigger z_test_domain_test_package_insert_tg
after insert on test_package
for each row
execute procedure test_domain_test_package_insert_tf();


@ -114,7 +114,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_contact_global_insert_tg
create trigger z_hs_office_contact_global_insert_tg
after insert on global
for each row
execute procedure hs_office_contact_global_insert_tf();


@ -114,7 +114,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_person_global_insert_tg
create trigger z_hs_office_person_global_insert_tg
after insert on global
for each row
execute procedure hs_office_person_global_insert_tf();


@ -1,6 +1,6 @@
### rbac relationship
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T15:30:23.331560468.
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T17:17:00.854621634.
```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%%
@ -64,6 +64,7 @@ subgraph relationship["`**relationship**`"]
perm:relationship:DELETE{{relationship:DELETE}}
perm:relationship:UPDATE{{relationship:UPDATE}}
perm:relationship:SELECT{{relationship:SELECT}}
perm:relationship:INSERT{{relationship:INSERT}}
end
end
@ -96,5 +97,6 @@ role:relationship:tenant ==> role:contact:referrer
role:relationship:owner ==> perm:relationship:DELETE
role:relationship:admin ==> perm:relationship:UPDATE
role:relationship:tenant ==> perm:relationship:SELECT
role:anchorPerson:admin ==> perm:relationship:INSERT
```


@ -1,5 +1,5 @@
--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T15:30:23.341470108.
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:17:00.864301165.
-- ============================================================================
@ -186,13 +186,68 @@ execute procedure updateTriggerForHsOfficeRelationship_tf();
--changeset hs-office-relationship-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- FIXME: Where is this case necessary?
/*
Creates INSERT INTO hs_office_relationship permissions for the related hs_office_person rows.
*/
do language plpgsql $$
declare
row hs_office_person;
permissionUuid uuid;
roleUuid uuid;
begin
call defineContext('create INSERT INTO hs_office_relationship permissions for the related hs_office_person rows');
FOR row IN SELECT * FROM hs_office_person
LOOP
roleUuid := findRoleId(hsOfficePersonAdmin(row));
permissionUuid := createPermission(row.uuid, 'INSERT', 'hs_office_relationship');
call grantPermissionToRole(permissionUuid, roleUuid);
END LOOP;
END;
$$;
/**
Adds hs_office_relationship INSERT permission to specified role of new hs_office_person rows.
*/
create or replace function hs_office_relationship_hs_office_person_insert_tf()
returns trigger
language plpgsql
strict as $$
begin
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_relationship'),
hsOfficePersonAdmin(NEW));
return NEW;
end; $$;
create trigger z_hs_office_relationship_hs_office_person_insert_tg
after insert on hs_office_person
for each row
execute procedure hs_office_relationship_hs_office_person_insert_tf();
/**
Checks if the user or assumed roles are allowed to insert a row to hs_office_relationship.
*/
create or replace function hs_office_relationship_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
if ( not hasInsertPermission(
( SELECT anchorPerson.uuid FROM
(select * from hs_office_person as p where p.uuid = NEW.relAnchorUuid) AS anchorPerson
), 'INSERT', 'hs_office_relationship') ) then
raise exception
'[403] insert into hs_office_relationship not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
end if;
return NEW;
end; $$;
create trigger hs_office_relationship_insert_permission_check_tg
before insert on hs_office_relationship
for each row
-- As there is no explicit INSERT grant specified for this table,
-- only global admins are allowed to insert any rows.
when ( not isGlobalAdmin() )
execute procedure hs_office_relationship_insert_permission_missing_tf();
--//
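Review bot: The trailer comment on `hs_office_relationship_insert_permission_check_tg` (`-- As there is no explicit INSERT grant specified for this table, only global admins are allowed to insert any rows.`) is contradicted by this same changeset, which grants INSERT on hs_office_relationship to the anchor person's admin role both in the `do` block and in `hs_office_relationship_hs_office_person_insert_tf`; it should read `-- INSERT is granted to the anchor person's admin role (see z_hs_office_relationship_hs_office_person_insert_tg); global admins skip this check.` In `hs_office_relationship_insert_permission_missing_tf` the scalar subquery is NULL when `NEW.relAnchorUuid` matches no person, and if `hasInsertPermission` (not visible here) returns NULL for a NULL uuid the `if ( not ... )` test is UNKNOWN and the trigger lets the row through instead of raising; `if ( not coalesce(hasInsertPermission(...), false) ) then` keeps the check fail-closed whatever that function's NULL handling is. The nested `(select * from hs_office_person as p where p.uuid = NEW.relAnchorUuid) AS anchorPerson` can simply be `(select p.uuid from hs_office_person as p where p.uuid = NEW.relAnchorUuid)`. Since this file is RbacViewPostgresGenerator output, both fixes and the leftover `-- FIXME: Where is this case necessary?` belong in the generator template rather than in this file.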


@ -110,7 +110,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_partner_global_insert_tg
create trigger z_hs_office_partner_global_insert_tg
after insert on global
for each row
execute procedure hs_office_partner_global_insert_tf();


@ -95,7 +95,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_partner_details_global_insert_tg
create trigger z_hs_office_partner_details_global_insert_tg
after insert on global
for each row
execute procedure hs_office_partner_details_global_insert_tf();


@ -114,7 +114,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_bankaccount_global_insert_tg
create trigger z_hs_office_bankaccount_global_insert_tg
after insert on global
for each row
execute procedure hs_office_bankaccount_global_insert_tf();


@ -1,6 +1,6 @@
### rbac sepaMandate
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T06:12:35.337470470.
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T17:18:45.736693565.
```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T06:12:35.345630060.
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:18:45.747792100.
-- ============================================================================
@ -134,12 +134,12 @@ create or replace function hs_office_sepamandate_hs_office_relationship_insert_t
strict as $$
begin
call grantPermissionToRole(
hsOfficeRelationshipAdmin(NEW),
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'));
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationshipAdmin(NEW));
return NEW;
end; $$;
create trigger hs_office_sepamandate_hs_office_relationship_insert_tg
create trigger z_hs_office_sepamandate_hs_office_relationship_insert_tg
after insert on hs_office_relationship
for each row
execute procedure hs_office_sepamandate_hs_office_relationship_insert_tf();


@ -225,7 +225,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_debitor_global_insert_tg
create trigger z_hs_office_debitor_global_insert_tg
after insert on global
for each row
execute procedure hs_office_debitor_global_insert_tf();


@ -124,7 +124,7 @@ begin
return NEW;
end; $$;
create trigger hs_office_membership_global_insert_tg
create trigger z_hs_office_membership_global_insert_tg
after insert on global
for each row
execute procedure hs_office_membership_global_insert_tf();


@ -223,12 +223,22 @@ class HsOfficeCoopSharesTransactionControllerAcceptanceTest extends ContextBased
final var givenCoopShareTransactionUuid = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(null, LocalDate.of(2010, 3, 15), LocalDate.of(2010, 3, 15)).get(0).getUuid();
RestAssured // @formatter:off
.given().header("current-user", "contact-admin@firstcontact.example.com").port(port).when().get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid).then().log().body().assertThat().statusCode(200).contentType("application/json").body("", lenientlyEquals("""
{
"transactionType": "SUBSCRIPTION",
"shareCount": 4
}
""")); // @formatter:on
.given()
.header("current-user", "contact-admin@firstcontact.example.com")
.port(port)
.when()
.get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid)
.then()
.log().body()
.assertThat()
.statusCode(200)
.contentType("application/json")
.body("", lenientlyEquals("""
{
"transactionType": "SUBSCRIPTION",
"shareCount": 4
}
""")); // @formatter:on
}
}
}


@ -88,7 +88,6 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
context("superuser-alex@hostsharing.net");
final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
.map(s -> s.replace("FirstGmbH-firstcontact", "..."))
.map(s -> s.replace("hs_office_", ""))
.toList();
@ -109,11 +108,10 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
final var all = rawRoleRepo.findAll();
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(initialRoleNames)); // no new roles created
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
.map(s -> s.replace("FirstGmbH-firstcontact", "..."))
.map(s -> s.replace("hs_office_", ""))
.containsExactlyInAnyOrder(Array.fromFormatted(
initialGrantNames,
"{ grant perm SELECT on coopsharestransaction#temprefB to role membership#1000101:....tenant by system and assume }",
"{ grant perm SELECT on coopsharestransaction#temprefB to role membership#M-1000101.referrer by system and assume }",
null));
}
@ -194,7 +192,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
@Test
public void normalUser_canViewOnlyRelatedCoopSharesTransactions() {
// given:
context("superuser-alex@hostsharing.net", "hs_office_partner#10001:FirstGmbH-firstcontact.admin");
context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000101.admin");
// when:
final var result = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(


@ -127,16 +127,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
"hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant"));
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
initialGrantNames,
"{ grant perm INSERT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant perm DELETE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to role global#global.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to user superuser-alex@hostsharing.net by hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner and assume }",
"{ grant perm edit on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant perm UPDATE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
"{ grant perm UPDATE on hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin by system and assume }",
"{ grant role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.owner by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_person#BesslerBert.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant perm SELECT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent by system and assume }",
@ -145,7 +147,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
"{ grant role hs_office_contact#fourthcontact.referrer to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
// REPRESENTATIVE holder person -> (represented) anchor person
"{ grant role hs_office_person#BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_contact#fourthcontact.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_person#BesslerBert.admin by system and assume }",
null)
);
@ -195,7 +198,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
result,
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
"rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')",
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')");
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
"rel(relAnchor='NP Smith, Peter', relType='ACCOUNTING', relHolder='NP Smith, Peter', contact='third contact')");
}
}