src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java

@@ -161,7 +161,8 @@ public class InsertTriggerGenerator {
                     Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
                     where the check is performed by an indirect role.
                     
-                    An indirect role is a role FIXME.
+                    An indirect role is a role which depends on an object uuid which is not a direct foreign key
+                    of the source entity, but needs to be fetched via joined tables.
                 */
                 create or replace function ${rawSubTable}_insert_permission_check_tf()
                     returns trigger

src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java

@@ -71,10 +71,6 @@ public class RbacGrantsDiagramService {
     private void traverseGrantsTo(final Set<RawRbacGrantEntity> graph, final UUID refUuid, final EnumSet<Include> includes) {
         final var grants = rawGrantRepo.findByAscendingUuid(refUuid);
         grants.forEach(g -> {
-            if ( g.getDescendantIdName() == null ) {
-                // FIXME: what's that?
-                return;
-            }
             if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm ")) {
                 return;
             }

src/main/resources/db/changelog/050-rbac-base.sql

@@ -691,7 +691,7 @@ declare
     superRoleId uuid;
     subRoleId uuid;
 begin
-    -- FIXME: maybe separate method grantRoleToRoleIfNotNull(...)?
+    -- TODO: maybe separate method grantRoleToRoleIfNotNull(...) for NULLABLE references
     if superRole.objectUuid is null or subRole.objectuuid is null then
         return;
     end if;

src/main/resources/db/changelog/057-rbac-role-builder.sql

@@ -60,7 +60,7 @@ begin
     if cardinality(userUuids) > 0 then
         -- direct grants to users need a grantedByRole which can revoke the grant
         if grantedByRole is null then
-            userGrantsByRoleUuid := roleUuid; -- FIXME: or do we want to require an explicit userGrantsByRoleUuid?
+            userGrantsByRoleUuid := roleUuid; -- TODO: or do we want to require an explicit userGrantsByRoleUuid?
         else
             userGrantsByRoleUuid := getRoleId(grantedByRole);
         end if;

src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql

@@ -149,7 +149,8 @@ execute procedure hs_office_sepamandate_hs_office_relation_insert_tf();
     Checks if the user or assumed roles are allowed to insert a row to hs_office_sepamandate,
     where the check is performed by an indirect role.
 
-    An indirect role is a role FIXME.
+    An indirect role is a role which depends on an object uuid which is not a direct foreign key
+    of the source entity, but needs to be fetched via joined tables.
 */
 create or replace function hs_office_sepamandate_insert_permission_check_tf()
     returns trigger

src/main/resources/db/changelog/303-hs-office-membership-rbac.sql

@@ -136,7 +136,8 @@ execute procedure hs_office_membership_hs_office_relation_insert_tf();
     Checks if the user or assumed roles are allowed to insert a row to hs_office_membership,
     where the check is performed by an indirect role.
 
-    An indirect role is a role FIXME.
+    An indirect role is a role which depends on an object uuid which is not a direct foreign key
+    of the source entity, but needs to be fetched via joined tables.
 */
 create or replace function hs_office_membership_insert_permission_check_tf()
     returns trigger