allow-multiple-insert-permission-grants #49
@ -77,55 +77,71 @@ execute procedure insertTriggerForTestCustomer_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
|
--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO test_customer permissions for the related global rows.
|
Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row global;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO test_customer permissions for the related global rows');
|
call defineContext('create INSERT INTO test_customer permissions for pre-exising global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM global
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'test_customer'),
|
createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds test_customer INSERT permission to specified role of new global rows.
|
Grants test_customer INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function test_customer_global_insert_tf()
|
create or replace function new_test_customer_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_test_customer_global_insert_tg
|
create trigger z_new_test_customer_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on global
|
||||||
for each row
|
for each row
|
||||||
execute procedure test_customer_global_insert_tf();
|
execute procedure new_test_customer_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset test_customer-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_customer,
|
Checks if the user respectively the assumed roles are allowed to insert a row to test_customer.
|
||||||
where only global-admin has that permission.
|
|
||||||
*/
|
*/
|
||||||
create or replace function test_customer_insert_permission_missing_tf()
|
create or replace function test_customer_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT INSERT if global ADMIN
|
||||||
|
if isGlobalAdmin() then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
|
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -133,10 +149,10 @@ end; $$;
|
|||||||
create trigger test_customer_insert_permission_check_tg
|
create trigger test_customer_insert_permission_check_tg
|
||||||
before insert on test_customer
|
before insert on test_customer
|
||||||
for each row
|
for each row
|
||||||
when ( not isGlobalAdmin() )
|
execute procedure test_customer_insert_permission_check_tf();
|
||||||
execute procedure test_customer_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -147,6 +163,7 @@ call generateRbacIdentityViewFromProjection('test_customer',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -142,57 +142,71 @@ execute procedure updateTriggerForTestPackage_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-package-rbac-INSERT:1 endDelimiter:--//
|
--changeset test-package-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to test_customer ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO test_package permissions for the related test_customer rows.
|
Grants INSERT INTO test_package permissions to specified role of pre-existing test_customer rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row test_customer;
|
row test_customer;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO test_package permissions for the related test_customer rows');
|
call defineContext('create INSERT INTO test_package permissions for pre-exising test_customer rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM test_customer
|
FOR row IN SELECT * FROM test_customer
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'test_package'),
|
createPermission(row.uuid, 'INSERT', 'test_package'),
|
||||||
testCustomerADMIN(row));
|
testCustomerADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds test_package INSERT permission to specified role of new test_customer rows.
|
Grants test_package INSERT permission to specified role of new test_customer rows.
|
||||||
*/
|
*/
|
||||||
create or replace function test_package_test_customer_insert_tf()
|
create or replace function new_test_package_grants_insert_to_test_customer_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
||||||
testCustomerADMIN(NEW));
|
testCustomerADMIN(NEW));
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_test_package_test_customer_insert_tg
|
create trigger z_new_test_package_grants_insert_to_test_customer_tg
|
||||||
after insert on test_customer
|
after insert on test_customer
|
||||||
for each row
|
for each row
|
||||||
execute procedure test_package_test_customer_insert_tf();
|
execute procedure new_test_package_grants_insert_to_test_customer_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset test_package-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_package,
|
Checks if the user respectively the assumed roles are allowed to insert a row to test_package.
|
||||||
where the check is performed by a direct role.
|
|
||||||
|
|
||||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
|
||||||
*/
|
*/
|
||||||
create or replace function test_package_insert_permission_missing_tf()
|
create or replace function test_package_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.customerUuid
|
||||||
|
if hasInsertPermission(NEW.customerUuid, 'test_package') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into test_package not allowed for current subjects % (%)',
|
raise exception '[403] insert into test_package not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -200,10 +214,10 @@ end; $$;
|
|||||||
create trigger test_package_insert_permission_check_tg
|
create trigger test_package_insert_permission_check_tg
|
||||||
before insert on test_package
|
before insert on test_package
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.customerUuid, 'test_package') )
|
execute procedure test_package_insert_permission_check_tf();
|
||||||
execute procedure test_package_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -214,6 +228,7 @@ call generateRbacIdentityViewFromProjection('test_package',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -141,57 +141,71 @@ execute procedure updateTriggerForTestDomain_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-domain-rbac-INSERT:1 endDelimiter:--//
|
--changeset test-domain-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to test_package ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO test_domain permissions for the related test_package rows.
|
Grants INSERT INTO test_domain permissions to specified role of pre-existing test_package rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row test_package;
|
row test_package;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO test_domain permissions for the related test_package rows');
|
call defineContext('create INSERT INTO test_domain permissions for pre-exising test_package rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM test_package
|
FOR row IN SELECT * FROM test_package
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'test_domain'),
|
createPermission(row.uuid, 'INSERT', 'test_domain'),
|
||||||
testPackageADMIN(row));
|
testPackageADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds test_domain INSERT permission to specified role of new test_package rows.
|
Grants test_domain INSERT permission to specified role of new test_package rows.
|
||||||
*/
|
*/
|
||||||
create or replace function test_domain_test_package_insert_tf()
|
create or replace function new_test_domain_grants_insert_to_test_package_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
||||||
testPackageADMIN(NEW));
|
testPackageADMIN(NEW));
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_test_domain_test_package_insert_tg
|
create trigger z_new_test_domain_grants_insert_to_test_package_tg
|
||||||
after insert on test_package
|
after insert on test_package
|
||||||
for each row
|
for each row
|
||||||
execute procedure test_domain_test_package_insert_tf();
|
execute procedure new_test_domain_grants_insert_to_test_package_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset test_domain-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_domain,
|
Checks if the user respectively the assumed roles are allowed to insert a row to test_domain.
|
||||||
where the check is performed by a direct role.
|
|
||||||
|
|
||||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
|
||||||
*/
|
*/
|
||||||
create or replace function test_domain_insert_permission_missing_tf()
|
create or replace function test_domain_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.packageUuid
|
||||||
|
if hasInsertPermission(NEW.packageUuid, 'test_domain') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into test_domain not allowed for current subjects % (%)',
|
raise exception '[403] insert into test_domain not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -199,10 +213,10 @@ end; $$;
|
|||||||
create trigger test_domain_insert_permission_check_tg
|
create trigger test_domain_insert_permission_check_tg
|
||||||
before insert on test_domain
|
before insert on test_domain
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.packageUuid, 'test_domain') )
|
execute procedure test_domain_insert_permission_check_tf();
|
||||||
execute procedure test_domain_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -213,6 +227,7 @@ call generateRbacIdentityViewFromProjection('test_domain',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset test-domain-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficeContact_tf();
|
|||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset hs-office-contact-rbac-INSERT:1 endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/*
|
|
||||||
Creates INSERT INTO hs_office_contact permissions for the related global rows.
|
|
||||||
*/
|
|
||||||
do language plpgsql $$
|
|
||||||
declare
|
|
||||||
row global;
|
|
||||||
begin
|
|
||||||
call defineContext('create INSERT INTO hs_office_contact permissions for the related global rows');
|
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
|
||||||
LOOP
|
|
||||||
call grantPermissionToRole(
|
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_contact'),
|
|
||||||
globalGUEST());
|
|
||||||
END LOOP;
|
|
||||||
END;
|
|
||||||
$$;
|
|
||||||
|
|
||||||
/**
|
|
||||||
Adds hs_office_contact INSERT permission to specified role of new global rows.
|
|
||||||
*/
|
|
||||||
create or replace function hs_office_contact_global_insert_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
call grantPermissionToRole(
|
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_contact'),
|
|
||||||
globalGUEST());
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
||||||
create trigger z_hs_office_contact_global_insert_tg
|
|
||||||
after insert on global
|
|
||||||
for each row
|
|
||||||
execute procedure hs_office_contact_global_insert_tf();
|
|
||||||
--//
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_contact',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficePerson_tf();
|
|||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset hs-office-person-rbac-INSERT:1 endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/*
|
|
||||||
Creates INSERT INTO hs_office_person permissions for the related global rows.
|
|
||||||
*/
|
|
||||||
do language plpgsql $$
|
|
||||||
declare
|
|
||||||
row global;
|
|
||||||
begin
|
|
||||||
call defineContext('create INSERT INTO hs_office_person permissions for the related global rows');
|
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
|
||||||
LOOP
|
|
||||||
call grantPermissionToRole(
|
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_person'),
|
|
||||||
globalGUEST());
|
|
||||||
END LOOP;
|
|
||||||
END;
|
|
||||||
$$;
|
|
||||||
|
|
||||||
/**
|
|
||||||
Adds hs_office_person INSERT permission to specified role of new global rows.
|
|
||||||
*/
|
|
||||||
create or replace function hs_office_person_global_insert_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
call grantPermissionToRole(
|
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_person'),
|
|
||||||
globalGUEST());
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
||||||
create trigger z_hs_office_person_global_insert_tg
|
|
||||||
after insert on global
|
|
||||||
for each row
|
|
||||||
execute procedure hs_office_person_global_insert_tf();
|
|
||||||
--//
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_person',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -151,57 +151,71 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-relation-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-relation-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to hs_office_person ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_relation permissions for the related hs_office_person rows.
|
Grants INSERT INTO hs_office_relation permissions to specified role of pre-existing hs_office_person rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row hs_office_person;
|
row hs_office_person;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_relation permissions for the related hs_office_person rows');
|
call defineContext('create INSERT INTO hs_office_relation permissions for pre-exising hs_office_person rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office_person
|
FOR row IN SELECT * FROM hs_office_person
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
|
||||||
hsOfficePersonADMIN(row));
|
hsOfficePersonADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_relation INSERT permission to specified role of new hs_office_person rows.
|
Grants hs_office_relation INSERT permission to specified role of new hs_office_person rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_relation_hs_office_person_insert_tf()
|
create or replace function new_hs_office_relation_grants_insert_to_hs_office_person_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
|
||||||
hsOfficePersonADMIN(NEW));
|
hsOfficePersonADMIN(NEW));
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_relation_hs_office_person_insert_tg
|
create trigger z_new_hs_office_relation_grants_insert_to_hs_office_person_tg
|
||||||
after insert on hs_office_person
|
after insert on hs_office_person
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_relation_hs_office_person_insert_tf();
|
execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_relation-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_relation,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_relation.
|
||||||
where the check is performed by a direct role.
|
|
||||||
|
|
||||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_relation_insert_permission_missing_tf()
|
create or replace function hs_office_relation_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.anchorUuid
|
||||||
|
if hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -209,10 +223,10 @@ end; $$;
|
|||||||
create trigger hs_office_relation_insert_permission_check_tg
|
create trigger hs_office_relation_insert_permission_check_tg
|
||||||
before insert on hs_office_relation
|
before insert on hs_office_relation
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') )
|
execute procedure hs_office_relation_insert_permission_check_tf();
|
||||||
execute procedure hs_office_relation_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -225,6 +239,7 @@ call generateRbacIdentityViewFromProjection('hs_office_relation',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -154,55 +154,71 @@ execute procedure updateTriggerForHsOfficePartner_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-partner-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_partner permissions for the related global rows.
|
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row global;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_partner permissions for the related global rows');
|
call defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM global
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_partner INSERT permission to specified role of new global rows.
|
Grants hs_office_partner INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_partner_global_insert_tf()
|
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_partner_global_insert_tg
|
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on global
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_partner_global_insert_tf();
|
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_partner-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_partner,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_partner.
|
||||||
where only global-admin has that permission.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_partner_insert_permission_missing_tf()
|
create or replace function hs_office_partner_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT INSERT if global ADMIN
|
||||||
|
if isGlobalAdmin() then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_partner not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_partner not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -210,10 +226,10 @@ end; $$;
|
|||||||
create trigger hs_office_partner_insert_permission_check_tg
|
create trigger hs_office_partner_insert_permission_check_tg
|
||||||
before insert on hs_office_partner
|
before insert on hs_office_partner
|
||||||
for each row
|
for each row
|
||||||
when ( not isGlobalAdmin() )
|
execute procedure hs_office_partner_insert_permission_check_tf();
|
||||||
execute procedure hs_office_partner_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -224,6 +240,7 @@ call generateRbacIdentityViewFromProjection('hs_office_partner',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -58,55 +58,71 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-partner-details-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_partner_details permissions for the related global rows.
|
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row global;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_partner_details permissions for the related global rows');
|
call defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM global
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_partner_details INSERT permission to specified role of new global rows.
|
Grants hs_office_partner_details INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_partner_details_global_insert_tf()
|
create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_partner_details_global_insert_tg
|
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on global
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_partner_details_global_insert_tf();
|
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_partner_details-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_partner_details,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_partner_details.
|
||||||
where only global-admin has that permission.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_partner_details_insert_permission_missing_tf()
|
create or replace function hs_office_partner_details_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT INSERT if global ADMIN
|
||||||
|
if isGlobalAdmin() then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -114,10 +130,10 @@ end; $$;
|
|||||||
create trigger hs_office_partner_details_insert_permission_check_tg
|
create trigger hs_office_partner_details_insert_permission_check_tg
|
||||||
before insert on hs_office_partner_details
|
before insert on hs_office_partner_details
|
||||||
for each row
|
for each row
|
||||||
when ( not isGlobalAdmin() )
|
execute procedure hs_office_partner_details_insert_permission_check_tf();
|
||||||
execute procedure hs_office_partner_details_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -131,6 +147,7 @@ create trigger hs_office_partner_details_insert_permission_check_tg
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -76,49 +76,6 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf();
|
|||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
|
||||||
--changeset hs-office-bankaccount-rbac-INSERT:1 endDelimiter:--//
|
|
||||||
-- ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/*
|
|
||||||
Creates INSERT INTO hs_office_bankaccount permissions for the related global rows.
|
|
||||||
*/
|
|
||||||
do language plpgsql $$
|
|
||||||
declare
|
|
||||||
row global;
|
|
||||||
begin
|
|
||||||
call defineContext('create INSERT INTO hs_office_bankaccount permissions for the related global rows');
|
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
|
||||||
LOOP
|
|
||||||
call grantPermissionToRole(
|
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_bankaccount'),
|
|
||||||
globalGUEST());
|
|
||||||
END LOOP;
|
|
||||||
END;
|
|
||||||
$$;
|
|
||||||
|
|
||||||
/**
|
|
||||||
Adds hs_office_bankaccount INSERT permission to specified role of new global rows.
|
|
||||||
*/
|
|
||||||
create or replace function hs_office_bankaccount_global_insert_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql
|
|
||||||
strict as $$
|
|
||||||
begin
|
|
||||||
call grantPermissionToRole(
|
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_bankaccount'),
|
|
||||||
globalGUEST());
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
||||||
create trigger z_hs_office_bankaccount_global_insert_tg
|
|
||||||
after insert on global
|
|
||||||
for each row
|
|
||||||
execute procedure hs_office_bankaccount_global_insert_tf();
|
|
||||||
--//
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -129,6 +86,7 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -127,55 +127,71 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-debitor-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_debitor permissions for the related global rows.
|
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row global;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_debitor permissions for the related global rows');
|
call defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM global
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_debitor INSERT permission to specified role of new global rows.
|
Grants hs_office_debitor INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_debitor_global_insert_tf()
|
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_debitor_global_insert_tg
|
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on global
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_debitor_global_insert_tf();
|
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_debitor-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_debitor,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_debitor.
|
||||||
where only global-admin has that permission.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_debitor_insert_permission_missing_tf()
|
create or replace function hs_office_debitor_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT INSERT if global ADMIN
|
||||||
|
if isGlobalAdmin() then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_debitor not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_debitor not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -183,10 +199,10 @@ end; $$;
|
|||||||
create trigger hs_office_debitor_insert_permission_check_tg
|
create trigger hs_office_debitor_insert_permission_check_tg
|
||||||
before insert on hs_office_debitor
|
before insert on hs_office_debitor
|
||||||
for each row
|
for each row
|
||||||
when ( not isGlobalAdmin() )
|
execute procedure hs_office_debitor_insert_permission_check_tf();
|
||||||
execute procedure hs_office_debitor_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -206,6 +222,7 @@ create trigger hs_office_debitor_insert_permission_check_tg
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -102,17 +102,19 @@ execute procedure insertTriggerForHsOfficeSepaMandate_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-sepamandate-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-sepamandate-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to hs_office_relation ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows.
|
Grants INSERT INTO hs_office_sepamandate permissions to specified role of pre-existing hs_office_relation rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row hs_office_relation;
|
row hs_office_relation;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows');
|
call defineContext('create INSERT INTO hs_office_sepamandate permissions for pre-exising hs_office_relation rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office_relation
|
FOR row IN SELECT * FROM hs_office_relation
|
||||||
WHERE type = 'DEBITOR'
|
WHERE type = 'DEBITOR'
|
||||||
@ -121,13 +123,13 @@ do language plpgsql $$
|
|||||||
createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
|
||||||
hsOfficeRelationADMIN(row));
|
hsOfficeRelationADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
|
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_sepamandate_hs_office_relation_insert_tf()
|
create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
@ -141,39 +143,38 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_sepamandate_hs_office_relation_insert_tg
|
create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
|
||||||
after insert on hs_office_relation
|
after insert on hs_office_relation
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_sepamandate_hs_office_relation_insert_tf();
|
execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_sepamandate-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_sepamandate,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_sepamandate.
|
||||||
where the check is performed by an indirect role.
|
|
||||||
|
|
||||||
An indirect role is a role which depends on an object uuid which is not a direct foreign key
|
|
||||||
of the source entity, but needs to be fetched via joined tables.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_sepamandate_insert_permission_check_tf()
|
create or replace function hs_office_sepamandate_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
|
||||||
declare
|
declare
|
||||||
superRoleObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
|
|
||||||
begin
|
begin
|
||||||
superRoleObjectUuid := (SELECT debitorRel.uuid
|
-- check INSERT permission via indirect foreign key: NEW.debitorUuid
|
||||||
|
superObjectUuid := (SELECT debitorRel.uuid
|
||||||
FROM hs_office_relation debitorRel
|
FROM hs_office_relation debitorRel
|
||||||
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
WHERE debitor.uuid = NEW.debitorUuid
|
WHERE debitor.uuid = NEW.debitorUuid
|
||||||
);
|
);
|
||||||
assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';
|
assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL';
|
||||||
|
if hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
|
||||||
if ( not hasInsertPermission(superRoleObjectUuid, 'hs_office_sepamandate') ) then
|
|
||||||
raise exception
|
|
||||||
'[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end if;
|
|
||||||
return NEW;
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
|
raise exception '[403] insert into hs_office_sepamandate not allowed for current subjects % (%)',
|
||||||
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger hs_office_sepamandate_insert_permission_check_tg
|
create trigger hs_office_sepamandate_insert_permission_check_tg
|
||||||
@ -182,6 +183,7 @@ create trigger hs_office_sepamandate_insert_permission_check_tg
|
|||||||
execute procedure hs_office_sepamandate_insert_permission_check_tf();
|
execute procedure hs_office_sepamandate_insert_permission_check_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -194,6 +196,7 @@ create trigger hs_office_sepamandate_insert_permission_check_tg
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -89,55 +89,71 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-membership-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_membership permissions for the related global rows.
|
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row global;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_membership permissions for the related global rows');
|
call defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM global
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_membership INSERT permission to specified role of new global rows.
|
Grants hs_office_membership INSERT permission to specified role of new global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_membership_global_insert_tf()
|
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_membership_global_insert_tg
|
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on global
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_membership_global_insert_tf();
|
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_membership-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_membership,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_membership.
|
||||||
where only global-admin has that permission.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_membership_insert_permission_missing_tf()
|
create or replace function hs_office_membership_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT INSERT if global ADMIN
|
||||||
|
if isGlobalAdmin() then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_membership not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_membership not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -145,10 +161,10 @@ end; $$;
|
|||||||
create trigger hs_office_membership_insert_permission_check_tg
|
create trigger hs_office_membership_insert_permission_check_tg
|
||||||
before insert on hs_office_membership
|
before insert on hs_office_membership
|
||||||
for each row
|
for each row
|
||||||
when ( not isGlobalAdmin() )
|
execute procedure hs_office_membership_insert_permission_check_tf();
|
||||||
execute procedure hs_office_membership_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -162,6 +178,7 @@ create trigger hs_office_membership_insert_permission_check_tg
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -65,57 +65,71 @@ execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-coopsharestransaction-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-coopsharestransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to hs_office_membership ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows.
|
Grants INSERT INTO hs_office_coopsharestransaction permissions to specified role of pre-existing hs_office_membership rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row hs_office_membership;
|
row hs_office_membership;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for the related hs_office_membership rows');
|
call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for pre-exising hs_office_membership rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office_membership
|
FOR row IN SELECT * FROM hs_office_membership
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||||
hsOfficeMembershipADMIN(row));
|
hsOfficeMembershipADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
|
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_coopsharestransaction_hs_office_membership_insert_tf()
|
create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
|
||||||
hsOfficeMembershipADMIN(NEW));
|
hsOfficeMembershipADMIN(NEW));
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_coopsharestransaction_hs_office_membership_insert_tg
|
create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
|
||||||
after insert on hs_office_membership
|
after insert on hs_office_membership
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_coopsharestransaction_hs_office_membership_insert_tf();
|
execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_coopsharestransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_coopsharestransaction,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopsharestransaction.
|
||||||
where the check is performed by a direct role.
|
|
||||||
|
|
||||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_coopsharestransaction_insert_permission_missing_tf()
|
create or replace function hs_office_coopsharestransaction_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.membershipUuid
|
||||||
|
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_coopsharestransaction not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -123,10 +137,10 @@ end; $$;
|
|||||||
create trigger hs_office_coopsharestransaction_insert_permission_check_tg
|
create trigger hs_office_coopsharestransaction_insert_permission_check_tg
|
||||||
before insert on hs_office_coopsharestransaction
|
before insert on hs_office_coopsharestransaction
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') )
|
execute procedure hs_office_coopsharestransaction_insert_permission_check_tf();
|
||||||
execute procedure hs_office_coopsharestransaction_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -137,6 +151,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -65,57 +65,71 @@ execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-coopassetstransaction-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-office-coopassetstransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- granting INSERT permission to hs_office_membership ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows.
|
Grants INSERT INTO hs_office_coopassetstransaction permissions to specified role of pre-existing hs_office_membership rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row hs_office_membership;
|
row hs_office_membership;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for the related hs_office_membership rows');
|
call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for pre-exising hs_office_membership rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office_membership
|
FOR row IN SELECT * FROM hs_office_membership
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||||
hsOfficeMembershipADMIN(row));
|
hsOfficeMembershipADMIN(row));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
|
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_coopassetstransaction_hs_office_membership_insert_tf()
|
create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
||||||
hsOfficeMembershipADMIN(NEW));
|
hsOfficeMembershipADMIN(NEW));
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_office_coopassetstransaction_hs_office_membership_insert_tg
|
create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
|
||||||
after insert on hs_office_membership
|
after insert on hs_office_membership
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_office_coopassetstransaction_hs_office_membership_insert_tf();
|
execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs_office_coopassetstransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_office_coopassetstransaction,
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopassetstransaction.
|
||||||
where the check is performed by a direct role.
|
|
||||||
|
|
||||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
|
||||||
*/
|
*/
|
||||||
create or replace function hs_office_coopassetstransaction_insert_permission_missing_tf()
|
create or replace function hs_office_coopassetstransaction_insert_permission_check_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
|
-- check INSERT permission via direct foreign key: NEW.membershipUuid
|
||||||
|
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
|
||||||
|
return NEW;
|
||||||
|
end if;
|
||||||
|
|
||||||
raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)',
|
raise exception '[403] insert into hs_office_coopassetstransaction not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -123,10 +137,10 @@ end; $$;
|
|||||||
create trigger hs_office_coopassetstransaction_insert_permission_check_tg
|
create trigger hs_office_coopassetstransaction_insert_permission_check_tg
|
||||||
before insert on hs_office_coopassetstransaction
|
before insert on hs_office_coopassetstransaction
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') )
|
execute procedure hs_office_coopassetstransaction_insert_permission_check_tf();
|
||||||
execute procedure hs_office_coopassetstransaction_insert_permission_missing_tf();
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
@ -137,6 +151,7 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
|
|||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
Loading…
Reference in New Issue
Block a user