allow-multiple-insert-permission-grants #49
@ -174,6 +174,6 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
rbac().generateWithBaseFileName("7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-generated");
|
rbac().generateWithBaseFileName("7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -7,6 +7,7 @@ import java.util.stream.Stream;
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.GUEST;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.StringWriter.with;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.StringWriter.with;
|
||||||
import static org.apache.commons.lang3.StringUtils.capitalize;
|
import static org.apache.commons.lang3.StringUtils.capitalize;
|
||||||
import static org.apache.commons.lang3.StringUtils.uncapitalize;
|
import static org.apache.commons.lang3.StringUtils.uncapitalize;
|
||||||
@ -22,121 +23,140 @@ public class InsertTriggerGenerator {
|
|||||||
}
|
}
|
||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
generateLiquibaseChangesetHeader(plPgSql);
|
generateInsertGrants(plPgSql);
|
||||||
generateGrantInsertRoleToExistingObjects(plPgSql);
|
generateInsertPermissionChecks(plPgSql);
|
||||||
generateInsertPermissionGrantTrigger(plPgSql);
|
|
||||||
generateInsertCheckTrigger(plPgSql);
|
|
||||||
plPgSql.writeLn("--//");
|
plPgSql.writeLn("--//");
|
||||||
}
|
}
|
||||||
|
|
||||||
private void generateLiquibaseChangesetHeader(final StringWriter plPgSql) {
|
private void generateInsertGrants(final StringWriter plPgSql) {
|
||||||
|
if (isInsertPermissionGrantedToGlobalGuest()) {
|
||||||
|
// any user is allowed to insert new rows => no insert check needed
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isInsertPermissionIsNotGrantedAtAll()) {
|
||||||
|
generateInsertPermissionTriggerAlwaysDisallow(plPgSql);
|
||||||
|
} else {
|
||||||
|
generateInsertPermissionGrants(plPgSql);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void generateInsertPermissionGrants(final StringWriter plPgSql) {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset ${liquibaseTagPrefix}-rbac-INSERT:1 endDelimiter:--//
|
--changeset ${liquibaseTagPrefix}-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
""",
|
""",
|
||||||
with("liquibaseTagPrefix", liquibaseTagPrefix));
|
with("liquibaseTagPrefix", liquibaseTagPrefix));
|
||||||
}
|
|
||||||
|
|
||||||
private void generateGrantInsertRoleToExistingObjects(final StringWriter plPgSql) {
|
getInsertGrants().forEach( g -> {
|
||||||
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
|
plPgSql.writeLn("""
|
||||||
|
-- granting INSERT permission to ${rawSubTable} ----------------------------
|
||||||
|
""",
|
||||||
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
|
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO ${rawSubTableName} permissions for the related ${rawSuperTableName} rows.
|
Grants INSERT INTO ${rawSubTable} permissions to specified role of pre-existing ${rawSuperTable} rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row ${rawSuperTableName};
|
preExistingRow ${rawSuperTable};
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO ${rawSubTableName} permissions for the related ${rawSuperTableName} rows');
|
call defineContext('create INSERT INTO ${rawSubTable} permissions for pre-exising ${rawSuperTable} rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM ${rawSuperTableName}${typeCondition}
|
FOR preExistingRow IN SELECT * FROM ${rawSuperTable}
|
||||||
|
${whenCondition}
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', '${rawSubTableName}'),
|
createPermission(preExistingRow.uuid, 'INSERT', '${rawSubTable}'),
|
||||||
${rawSuperRoleDescriptor});
|
hsBookingItemAGENT(preExistingRow));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
""",
|
""",
|
||||||
with("rawSubTableName", rbacDef.getRootEntityAlias().getRawTableName()),
|
with("whenCondition", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
|
||||||
with("rawSuperTableName", superRoleDef.getEntityAlias().getRawTableName()),
|
// TODO.impl: .type needs to be dynamically generated
|
||||||
with("rawSuperRoleDescriptor", toRoleDescriptor(superRoleDef, "row")),
|
? "WHERE preExistingRow.type = '${value}'"
|
||||||
with("typeCondition", superRoleDef.getEntityAlias().isCaseDependent()
|
.replace("${value}", g.getSuperRoleDef().getEntityAlias().usingCase().value)
|
||||||
? "\n\t\t\tWHERE type = '${case}'".replace("${case}", superRoleDef.getEntityAlias().usingCase().value)
|
: "-- unconditional for all rows in that table"),
|
||||||
: "")
|
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||||
);
|
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
private void generateInsertPermissionGrantTrigger(final StringWriter plPgSql) {
|
|
||||||
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
|
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/**
|
/**
|
||||||
Adds ${rawSubTableName} INSERT permission to specified role of new ${rawSuperTableName} rows.
|
Grants ${rawSubTable} INSERT permission to specified role of new ${rawSuperTable} rows.
|
||||||
*/
|
*/
|
||||||
create or replace function ${rawSubTableName}_${rawSuperTableName}_insert_tf()
|
create or replace function new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
${typeConditionIf}call grantPermissionToRole(
|
${ifConditionThen}
|
||||||
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'),
|
call grantPermissionToRole(
|
||||||
${rawSuperRoleDescriptor});${typeConditionEndIf}
|
createPermission(NEW.uuid, 'INSERT', '${rawSubTable}'),
|
||||||
|
${superRoleRef});
|
||||||
|
${ifConditionEnd}
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_${rawSubTableName}_${rawSuperTableName}_insert_tg
|
create trigger z_new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tg
|
||||||
after insert on ${rawSuperTableName}
|
after insert on ${rawSuperTable}
|
||||||
for each row
|
for each row
|
||||||
execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf();
|
execute procedure new_${rawSubTable}_grants_insert_to_${rawSuperTable}_tf();
|
||||||
""",
|
""",
|
||||||
with("rawSubTableName", rbacDef.getRootEntityAlias().getRawTableName()),
|
with("ifConditionThen", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
|
||||||
with("rawSuperTableName", superRoleDef.getEntityAlias().getRawTableName()),
|
// TODO.impl: .type needs to be dynamically generated
|
||||||
with("rawSuperRoleDescriptor", toRoleDescriptor(superRoleDef, NEW.name())),
|
? "if NEW.type = '" + g.getSuperRoleDef().getEntityAlias().usingCase().value + "' then"
|
||||||
with("typeConditionIf",
|
: "-- unconditional for all rows in that table"),
|
||||||
superRoleDef.getEntityAlias().isCaseDependent()
|
with("ifConditionEnd", g.getSuperRoleDef().getEntityAlias().isCaseDependent()
|
||||||
? "if NEW.type = '${case}' then\n\t\t".replace("${case}", superRoleDef.getEntityAlias().usingCase().value)
|
? "end if;"
|
||||||
: ""),
|
: "-- end."),
|
||||||
with("typeConditionEndIf", superRoleDef.getEntityAlias().isCaseDependent()
|
with("superRoleRef", toRoleDescriptor(g.getSuperRoleDef(), NEW.name())),
|
||||||
? "\n\tend if;"
|
with("rawSuperTable", g.getSuperRoleDef().getEntityAlias().getRawTableName()),
|
||||||
: "")
|
with("rawSubTable", g.getPermDef().getEntityAlias().getRawTableName()));
|
||||||
);
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
private void generateInsertCheckTrigger(final StringWriter plPgSql) {
|
private void generateInsertPermissionTriggerAlwaysDisallow(final StringWriter plPgSql) {
|
||||||
getOptionalInsertGrant().ifPresentOrElse(g -> {
|
|
||||||
if (g.getSuperRoleDef().getEntityAlias().isGlobal()) {
|
|
||||||
switch (g.getSuperRoleDef().getRole()) {
|
|
||||||
case ADMIN -> {
|
|
||||||
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
|
|
||||||
}
|
|
||||||
case GUEST -> {
|
|
||||||
// no permission check trigger generated, as anybody can insert rows into this table
|
|
||||||
}
|
|
||||||
default -> {
|
|
||||||
throw new IllegalArgumentException(
|
|
||||||
"invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
|
|
||||||
generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(plPgSql, g);
|
|
||||||
} else {
|
|
||||||
generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(plPgSql, g);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
() -> {
|
|
||||||
System.err.println("WARNING: no explicit INSERT grant for " + rbacDef.getRootEntityAlias().simpleName() + " => implicitly grant INSERT to global:ADMIN");
|
|
||||||
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
private void generateInsertPermissionTriggerAllowByRoleOfDirectForeignKey(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
|
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset ${liquibaseTagPrefix}-rbac-ALWAYS-DISALLOW-INSERT:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
""",
|
||||||
|
with("liquibaseTagPrefix", liquibaseTagPrefix));
|
||||||
|
|
||||||
|
plPgSql.writeLn("""
|
||||||
|
/**
|
||||||
|
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||||
|
where only global-admin has that permission.
|
||||||
|
*/
|
||||||
|
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||||
|
returns trigger
|
||||||
|
language plpgsql as $$
|
||||||
|
begin
|
||||||
|
raise exception '[403] insert into ${rawSubTable} not allowed regardless of current subject, no insert permissions grated at all';
|
||||||
|
end; $$;
|
||||||
|
|
||||||
|
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||||
|
before insert on ${rawSubTable}
|
||||||
|
for each row
|
||||||
|
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
||||||
|
""",
|
||||||
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
|
|
||||||
|
plPgSql.writeLn("--//");
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private void generateInsertPermissionChecks(final StringWriter plPgSql) {
|
||||||
|
plPgSql.writeLn("""
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset ${rawSubTable}-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||||
where the check is performed by a direct role.
|
where the check is performed by a direct role.
|
||||||
@ -154,80 +174,28 @@ public class InsertTriggerGenerator {
|
|||||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||||
before insert on ${rawSubTable}
|
before insert on ${rawSubTable}
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.${referenceColumn}, 'INSERT', '${rawSubTable}') )
|
when ( not (
|
||||||
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
|
||||||
""",
|
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
|
|
||||||
with("referenceColumn", g.getSuperRoleDef().getEntityAlias().dependsOnColumName()));
|
|
||||||
}
|
|
||||||
|
|
||||||
private void generateInsertPermissionTriggerAllowByRoleOfIndirectForeignKey(
|
|
||||||
final StringWriter plPgSql,
|
|
||||||
final RbacView.RbacGrantDefinition g) {
|
|
||||||
plPgSql.writeLn("""
|
|
||||||
/**
|
|
||||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
|
||||||
where the check is performed by an indirect role.
|
|
||||||
|
|
||||||
An indirect role is a role which depends on an object uuid which is not a direct foreign key
|
|
||||||
of the source entity, but needs to be fetched via joined tables.
|
|
||||||
*/
|
|
||||||
create or replace function ${rawSubTable}_insert_permission_check_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql as $$
|
|
||||||
|
|
||||||
declare
|
|
||||||
superRoleObjectUuid uuid;
|
|
||||||
|
|
||||||
begin
|
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
plPgSql.chopEmptyLines();
|
|
||||||
plPgSql.indented(2, () -> {
|
plPgSql.indented(2, () -> {
|
||||||
plPgSql.writeLn(
|
getInsertGrants().forEach(g -> {
|
||||||
"superRoleObjectUuid := (" + g.getSuperRoleDef().getEntityAlias().fetchSql().sql + ");\n" +
|
final RbacView.EntityAlias superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
|
||||||
"assert superRoleObjectUuid is not null, 'superRoleObjectUuid must not be null';",
|
final var caseCondition = superRoleEntityAlias.isCaseDependent()
|
||||||
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
? "NEW.type = '" + superRoleEntityAlias.usingCase().value + "' and "
|
||||||
with("ref", NEW.name()));
|
: "";
|
||||||
});
|
plPgSql.writeLn("${caseCondition}hasInsertPermission(NEW.${refColumn}, 'INSERT', '${rawSubTable}') or",
|
||||||
plPgSql.writeLn();
|
with("caseCondition", caseCondition),
|
||||||
plPgSql.writeLn("""
|
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||||
if ( not hasInsertPermission(superRoleObjectUuid, 'INSERT', '${rawSubTable}') ) then
|
|
||||||
raise exception
|
|
||||||
'[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end if;
|
|
||||||
return NEW;
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
|
||||||
before insert on ${rawSubTable}
|
|
||||||
for each row
|
|
||||||
execute procedure ${rawSubTable}_insert_permission_check_tf();
|
|
||||||
|
|
||||||
""",
|
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
}
|
});
|
||||||
|
plPgSql.chopTail(" or\n");
|
||||||
|
});
|
||||||
|
|
||||||
private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) {
|
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/**
|
) )
|
||||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
|
||||||
where only global-admin has that permission.
|
|
||||||
*/
|
|
||||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql as $$
|
|
||||||
begin
|
|
||||||
raise exception '[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
|
||||||
before insert on ${rawSubTable}
|
|
||||||
for each row
|
|
||||||
when ( not isGlobalAdmin() )
|
|
||||||
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
execute procedure ${rawSubTable}_insert_permission_missing_tf();
|
||||||
|
--//
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
}
|
}
|
||||||
@ -238,6 +206,15 @@ public class InsertTriggerGenerator {
|
|||||||
.filter(g -> g.getPermDef().toCreate && g.getPermDef().getPermission() == INSERT);
|
.filter(g -> g.getPermDef().toCreate && g.getPermDef().getPermission() == INSERT);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private boolean isInsertPermissionIsNotGrantedAtAll() {
|
||||||
|
return getInsertGrants().findAny().isEmpty();
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isInsertPermissionGrantedToGlobalGuest() {
|
||||||
|
return getInsertGrants().anyMatch(g ->
|
||||||
|
g.getSuperRoleDef().getEntityAlias().isGlobal() && g.getSuperRoleDef().getRole() == GUEST);
|
||||||
|
}
|
||||||
|
|
||||||
private Optional<RbacView.RbacGrantDefinition> getOptionalInsertGrant() {
|
private Optional<RbacView.RbacGrantDefinition> getOptionalInsertGrant() {
|
||||||
return getInsertGrants()
|
return getInsertGrants()
|
||||||
.reduce(singleton());
|
.reduce(singleton());
|
||||||
@ -252,7 +229,8 @@ public class InsertTriggerGenerator {
|
|||||||
private static <T> BinaryOperator<T> singleton() {
|
private static <T> BinaryOperator<T> singleton() {
|
||||||
return (x, y) -> {
|
return (x, y) -> {
|
||||||
if ( !x.equals(y) ) {
|
if ( !x.equals(y) ) {
|
||||||
throw new IllegalStateException("only a single INSERT permission grant allowed");
|
return x;
|
||||||
|
// throw new IllegalStateException("only a single INSERT permission grant allowed");
|
||||||
}
|
}
|
||||||
return x;
|
return x;
|
||||||
};
|
};
|
||||||
|
@ -93,25 +93,23 @@ execute procedure insertTriggerForHsHostingAsset_tf();
|
|||||||
--changeset hs-hosting-asset-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs-hosting-asset-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- ---------------------------------------------------------------------------------------
|
-- granting INSERT permission to hs_hosting_asset ----------------------------
|
||||||
-- to hs_booking_item
|
|
||||||
-- ---------------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_booking_item rows.
|
Grants INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_booking_item rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
hsBookingItem hs_booking_item;
|
preExistingRow hs_booking_item;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising hs_booking_item rows');
|
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising hs_booking_item rows');
|
||||||
|
|
||||||
FOR hsBookingItem IN SELECT * FROM hs_booking_item
|
FOR preExistingRow IN SELECT * FROM hs_booking_item
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(hsBookingItem.uuid, 'INSERT', 'hs_hosting_asset'),
|
createPermission(preExistingRow.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
hsBookingItemAGENT(hsBookingItem));
|
hsBookingItemAGENT(preExistingRow));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
@ -124,7 +122,7 @@ create or replace function new_hs_hosting_asset_grants_insert_to_hs_booking_item
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
-- unconditional for all rows in that table:
|
-- unconditional for all rows in that table
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
hsBookingItemAGENT(NEW));
|
hsBookingItemAGENT(NEW));
|
||||||
@ -138,14 +136,26 @@ create trigger z_new_hs_hosting_asset_grants_insert_to_hs_booking_item_tg
|
|||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_hosting_asset_grants_insert_to_hs_booking_item_tf();
|
execute procedure new_hs_hosting_asset_grants_insert_to_hs_booking_item_tf();
|
||||||
|
|
||||||
-- ---------------------------------------------------------------------------------------
|
-- granting INSERT permission to hs_hosting_asset ----------------------------
|
||||||
-- to hs_hosting_asset
|
|
||||||
-- ---------------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_hosting_asset permissions to specified role of new hs_hosting_asset rows.
|
Grants INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows.
|
||||||
*/
|
*/
|
||||||
-- such rows cannot yet exist => code block skipped
|
do language plpgsql $$
|
||||||
|
declare
|
||||||
|
preExistingRow hs_hosting_asset;
|
||||||
|
begin
|
||||||
|
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising hs_hosting_asset rows');
|
||||||
|
|
||||||
|
FOR preExistingRow IN SELECT * FROM hs_hosting_asset
|
||||||
|
WHERE preExistingRow.type = 'MANAGED_SERVER'
|
||||||
|
LOOP
|
||||||
|
call grantPermissionToRole(
|
||||||
|
createPermission(preExistingRow.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
|
hsBookingItemAGENT(preExistingRow));
|
||||||
|
END LOOP;
|
||||||
|
end;
|
||||||
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_hosting_asset INSERT permission to specified role of new hs_hosting_asset rows.
|
Grants hs_hosting_asset INSERT permission to specified role of new hs_hosting_asset rows.
|
||||||
@ -155,7 +165,7 @@ create or replace function new_hs_hosting_asset_grants_insert_to_hs_hosting_asse
|
|||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
if NEW.type in ('MANAGED_SERVER') then
|
if NEW.type = 'MANAGED_SERVER' then
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
hsHostingAssetADMIN(NEW));
|
hsHostingAssetADMIN(NEW));
|
||||||
@ -168,11 +178,10 @@ create trigger z_new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tg
|
|||||||
after insert on hs_hosting_asset
|
after insert on hs_hosting_asset
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf();
|
execute procedure new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf();
|
||||||
--//
|
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-hosting-asset-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs_hosting_asset-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -193,11 +202,12 @@ create trigger hs_hosting_asset_insert_permission_check_tg
|
|||||||
before insert on hs_hosting_asset
|
before insert on hs_hosting_asset
|
||||||
for each row
|
for each row
|
||||||
when ( not (
|
when ( not (
|
||||||
|
|
||||||
hasInsertPermission(NEW.bookingItemUuid, 'INSERT', 'hs_hosting_asset') or
|
hasInsertPermission(NEW.bookingItemUuid, 'INSERT', 'hs_hosting_asset') or
|
||||||
NEW.type = 'MANAGED_WEBSPACE' and hasInsertPermission(NEW.parentAssetUuid, 'INSERT', 'hs_hosting_asset')
|
NEW.type = 'MANAGED_SERVER' and hasInsertPermission(NEW.parentAssetUuid, 'INSERT', 'hs_hosting_asset') ) )
|
||||||
) )
|
|
||||||
execute procedure hs_hosting_asset_insert_permission_missing_tf();
|
execute procedure hs_hosting_asset_insert_permission_missing_tf();
|
||||||
--//
|
--//
|
||||||
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
|
Loading…
Reference in New Issue
Block a user