src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java

@@ -14,7 +14,7 @@ import java.io.IOException;
 import java.util.UUID;
 
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
@@ -51,7 +51,7 @@ public class TestDomainEntity implements HasUuid {
                 .importEntityAlias("package", TestPackageEntity.class,
                         dependsOnColumn("packageUuid"),
                         directlyFetchedByDependsOnColumn(),
-                        NULLABLE)
+                        NOT_NULL)
                 .toRole("package", ADMIN).grantPermission(INSERT)
 
                 .createRole(OWNER, (with) -> {

src/main/resources/db/changelog/133-test-domain-rbac.sql

@@ -36,6 +36,8 @@ begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
     SELECT * FROM test_package WHERE uuid = NEW.packageUuid    INTO newPackage;
+    assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
+
 
     perform createRoleWithGrants(
         testDomainOwner(NEW),
@@ -87,12 +89,37 @@ create or replace procedure updateRbacRulesForTestDomain(
     NEW test_domain
 )
     language plpgsql as $$
-begin
 
-    if NEW.packageUuid is distinct from OLD.packageUuid then
-        delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid;
-        call buildRbacSystemForTestDomain(NEW);
+declare
+    oldPackage test_package;
+    newPackage test_package;
+
+begin
+    call enterTriggerForObjectUuid(NEW.uuid);
+
+    SELECT * FROM test_package WHERE uuid = OLD.packageUuid    INTO oldPackage;
+    assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s', OLD.packageUuid);
+
+    SELECT * FROM test_package WHERE uuid = NEW.packageUuid    INTO newPackage;
+    assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
+
+
+    if NEW.packageUuid <> OLD.packageUuid then
+
+        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));
+
+        call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
+        call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
+
+        call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainOwner(OLD));
+        call grantRoleToRole(testPackageTenant(newPackage), testDomainOwner(NEW));
+
+        call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainAdmin(OLD));
+        call grantRoleToRole(testPackageTenant(newPackage), testDomainAdmin(NEW));
+
     end if;
+
+    call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
 
 /*

src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql

@@ -54,8 +54,8 @@ begin
         hsOfficeRelationAdmin(NEW),
             permissions => array['UPDATE'],
             incomingSuperRoles => array[
-            	hsOfficeRelationOwner(NEW),
-            	hsOfficePersonAdmin(newAnchorPerson)]
+            	hsOfficePersonAdmin(newAnchorPerson),
+            	hsOfficeRelationOwner(NEW)]
     );
 
     perform createRoleWithGrants(
@@ -74,8 +74,8 @@ begin
             	hsOfficePersonAdmin(newHolderPerson)],
             outgoingSubRoles => array[
             	hsOfficePersonReferrer(newAnchorPerson),
-            	hsOfficePersonReferrer(newHolderPerson),
-            	hsOfficeContactReferrer(newContact)]
+            	hsOfficeContactReferrer(newContact),
+            	hsOfficePersonReferrer(newHolderPerson)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);

src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql

@@ -65,8 +65,8 @@ begin
         hsOfficeSepaMandateReferrer(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
-            	hsOfficeBankAccountAdmin(newBankAccount),
             	hsOfficeRelationAgent(newDebitorRel),
+            	hsOfficeBankAccountAdmin(newBankAccount),
             	hsOfficeSepaMandateAgent(NEW)],
             outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
     );

src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java

@@ -204,7 +204,7 @@ class TestCustomerControllerAcceptanceTest {
                     .statusCode(403)
                     .contentType(ContentType.JSON)
                     .statusCode(403)
-                    .body("message", containsString("insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}"));
+                    .body("message", containsString("ERROR: [403] insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}"));
                 // @formatter:on
 
             // finally, the new customer was not created