--liquibase formatted sql

-- This code was generated by RbacViewPostgresGenerator at 2024-03-15T15:30:23.341470108.
-- Generated file: the RBAC wiring below (object registration, role descriptors,
-- insert/update triggers, identity and restricted views) is produced from a
-- template; manual edits should be mirrored in the generator.


-- ============================================================================
--changeset hs-office-relationship-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Presumably registers hs_office_relationship with the RBAC object bookkeeping
-- (see the rbac base changesets for generateRelatedRbacObject).
call generateRelatedRbacObject('hs_office_relationship');
--//


-- ============================================================================
--changeset hs-office-relationship-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Creates the role descriptor functions used below (hsOfficeRelationshipOwner,
-- hsOfficeRelationshipAdmin, hsOfficeRelationshipAgent, hsOfficeRelationshipTenant)
-- for the prefix 'hsOfficeRelationship' and the table 'hs_office_relationship'.
call generateRbacRoleDescriptors('hsOfficeRelationship', 'hs_office_relationship');
--//


-- ============================================================================
--changeset hs-office-relationship-rbac-insert-trigger:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
*/
create or replace procedure buildRbacSystemForHsOfficeRelationship(
    NEW hs_office_relationship
)
    language plpgsql as $$

declare
    holderPerson hs_office_person;
    anchorPerson hs_office_person;
    contactRow   hs_office_contact;

begin
    call enterTriggerForObjectUuid(NEW.uuid);

    -- Resolve the three referenced rows once; a dangling reference fails the
    -- assert. Note that asserts can be disabled via plpgsql.check_asserts, so
    -- these are sanity checks, not access controls.
    select p.* into holderPerson
        from hs_office_person as p
        where p.uuid = NEW.relHolderUuid;
    assert holderPerson.uuid is not null,
        format('newHolderPerson must not be null for NEW.relHolderUuid = %s', NEW.relHolderUuid);

    select p.* into anchorPerson
        from hs_office_person as p
        where p.uuid = NEW.relAnchorUuid;
    assert anchorPerson.uuid is not null,
        format('newAnchorPerson must not be null for NEW.relAnchorUuid = %s', NEW.relAnchorUuid);

    select c.* into contactRow
        from hs_office_contact as c
        where c.uuid = NEW.contactUuid;
    assert contactRow.uuid is not null,
        format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);

    -- The roles are created top-down; each one references roles created before it.

    -- OWNER: permission DELETE; the current user holds it directly, globalAdmin
    -- is wired in as an incoming super-role.
    perform createRoleWithGrants(
        hsOfficeRelationshipOwner(NEW),
        permissions => array['DELETE'],
        incomingSuperRoles => array[globalAdmin()],
        userUuids => array[currentUserUuid()]
    );

    -- ADMIN: permission UPDATE; reachable from OWNER and from the anchor
    -- person's admin role.
    perform createRoleWithGrants(
        hsOfficeRelationshipAdmin(NEW),
        permissions => array['UPDATE'],
        incomingSuperRoles => array[
            hsOfficeRelationshipOwner(NEW),
            hsOfficePersonAdmin(anchorPerson)]
    );

    -- AGENT: no permission of its own; reachable from ADMIN and from the holder
    -- person's admin role.
    perform createRoleWithGrants(
        hsOfficeRelationshipAgent(NEW),
        incomingSuperRoles => array[
            hsOfficePersonAdmin(holderPerson),
            hsOfficeRelationshipAdmin(NEW)]
    );

    -- TENANT: permission SELECT; reachable from AGENT, the contact's admin and
    -- the holder person's admin (the last one is already implied via AGENT but
    -- is granted explicitly, as generated). TENANT in turn is a super-role of
    -- the referrer roles of the contact and of both persons.
    perform createRoleWithGrants(
        hsOfficeRelationshipTenant(NEW),
        permissions => array['SELECT'],
        incomingSuperRoles => array[
            hsOfficeRelationshipAgent(NEW),
            hsOfficeContactAdmin(contactRow),
            hsOfficePersonAdmin(holderPerson)],
        outgoingSubRoles => array[
            hsOfficeContactReferrer(contactRow),
            hsOfficePersonReferrer(holderPerson),
            hsOfficePersonReferrer(anchorPerson)]
    );

    call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;

/*
    AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_relationship row.
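*/
create or replace function insertTriggerForHsOfficeRelationship_tf()
    returns trigger
    language plpgsql strict as $$
begin
    -- All role/grant creation lives in the procedure so it can be reviewed and
    -- tested independently of the trigger plumbing.
    call buildRbacSystemForHsOfficeRelationship(NEW);
    return NEW;
end; $$;

create trigger insertTriggerForHsOfficeRelationship_tg
    after insert on hs_office_relationship
    for each row
execute procedure insertTriggerForHsOfficeRelationship_tf();
--//


-- ============================================================================
--changeset hs-office-relationship-rbac-update-trigger:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

/*
    Called from the AFTER UPDATE TRIGGER to re-wire the grants.

    Only a change of contactUuid is re-wired; that is also the only column the
    restricted view exposes for UPDATE. A change of relAnchorUuid or
    relHolderUuid is rejected: the grants for anchor and holder are built at
    insert time only (see buildRbacSystemForHsOfficeRelationship), and
    accepting such an update silently would leave the previous anchor's and
    holder's person-admin roles wired into this relationship's ADMIN/AGENT/TENANT
    roles while the new ones get nothing. If those columns ever need to be
    mutable, the re-wiring must mirror the insert-time grants one to one.
 */
create or replace procedure updateRbacRulesForHsOfficeRelationship(
    OLD hs_office_relationship,
    NEW hs_office_relationship
)
    language plpgsql as $$
declare
    newHolderPerson hs_office_person;
    newAnchorPerson hs_office_person;
    oldContact      hs_office_contact;
    newContact      hs_office_contact;
begin
    -- Fail closed before any trigger bookkeeping is touched. This is a RAISE,
    -- not an ASSERT, on purpose: asserts can be switched off via
    -- plpgsql.check_asserts, this check must not be.
    if NEW.relAnchorUuid is distinct from OLD.relAnchorUuid
       or NEW.relHolderUuid is distinct from OLD.relHolderUuid then
        raise exception 'hs_office_relationship %: relAnchorUuid/relHolderUuid must not be changed, their grants are not re-wired on update',
            NEW.uuid;
    end if;

    call enterTriggerForObjectUuid(NEW.uuid);

    -- Anchor/holder are unchanged at this point; the lookups remain as
    -- referential sanity checks (dangling uuid -> assert), as on insert.
    select p.* into newHolderPerson
        from hs_office_person as p
        where p.uuid = NEW.relHolderUuid;
    assert newHolderPerson.uuid is not null,
        format('newHolderPerson must not be null for NEW.relHolderUuid = %s', NEW.relHolderUuid);

    select p.* into newAnchorPerson
        from hs_office_person as p
        where p.uuid = NEW.relAnchorUuid;
    assert newAnchorPerson.uuid is not null,
        format('newAnchorPerson must not be null for NEW.relAnchorUuid = %s', NEW.relAnchorUuid);

    select c.* into oldContact
        from hs_office_contact as c
        where c.uuid = OLD.contactUuid;
    assert oldContact.uuid is not null,
        format('oldContact must not be null for OLD.contactUuid = %s', OLD.contactUuid);

    select c.* into newContact
        from hs_office_contact as c
        where c.uuid = NEW.contactUuid;
    assert newContact.uuid is not null,
        format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);

    if NEW.contactUuid <> OLD.contactUuid then
        -- Argument order is (sub-role, super-role), matching the insert-time
        -- wiring: contact-admin is a super-role of relationship-tenant, and
        -- relationship-tenant is a super-role of contact-referrer. Revoke the
        -- old contact's edges first, then grant the new contact's.
        call revokeRoleFromRole(hsOfficeRelationshipTenant(OLD), hsOfficeContactAdmin(oldContact));
        call grantRoleToRole(hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact));
        call revokeRoleFromRole(hsOfficeContactReferrer(oldContact), hsOfficeRelationshipTenant(OLD));
        call grantRoleToRole(hsOfficeContactReferrer(newContact), hsOfficeRelationshipTenant(NEW));
    end if;

    call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;

/*
    AFTER UPDATE TRIGGER to re-wire the grant structure for an updated hs_office_relationship row.
 */
create or replace function updateTriggerForHsOfficeRelationship_tf()
    returns trigger
    language plpgsql strict as $$
begin
    call updateRbacRulesForHsOfficeRelationship(OLD, NEW);
    return NEW;
end; $$;

create trigger updateTriggerForHsOfficeRelationship_tg
    after update on hs_office_relationship
    for each row
execute procedure updateTriggerForHsOfficeRelationship_tf();
--//


-- ============================================================================
--changeset hs-office-relationship-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------

-- FIXME: Where is this case necessary?
-- Fail-closed default for INSERT: with no INSERT grant generated for this
-- table, the BEFORE INSERT check below fires for everyone who is not a
-- global admin.
create trigger hs_office_relationship_insert_permission_check_tg
    before insert on hs_office_relationship
    for each row
    -- As there is no explicit INSERT grant specified for this table,
    -- only global admins are allowed to insert any rows.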
when ( not isGlobalAdmin() )
        -- hs_office_relationship_insert_permission_missing_tf is expected to
        -- raise (name-based, not visible here); non-global-admins therefore
        -- cannot insert relationships at all.
        execute procedure hs_office_relationship_insert_permission_missing_tf();
--//


-- ============================================================================
--changeset hs-office-relationship-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- Human-readable identity of a relationship: "<anchor idName>-with-<relType>-<holder idName>".
-- NOTE(review): inside the two sub-selects, relAnchorUuid and relHolderUuid are
-- unqualified (unlike target.relType); they only resolve to the relationship
-- row as long as hs_office_person_iv has no column of the same name. Qualify
-- them as target.* if that view ever grows such a column.
call generateRbacIdentityViewFromProjection('hs_office_relationship', $idName$ (select idName from hs_office_person_iv p where p.uuid = relAnchorUuid) || '-with-' || target.relType || '-' || (select idName from hs_office_person_iv p where p.uuid = relHolderUuid) $idName$);
--//


-- ============================================================================
--changeset hs-office-relationship-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
-- The restricted (RBAC-filtered) view orders by the holder person's idName and
-- exposes exactly one column for UPDATE: contactUuid. relAnchorUuid,
-- relHolderUuid and relType are not updatable through the view, which matches
-- the update trigger above re-wiring grants only for a changed contact.
call generateRbacRestrictedView('hs_office_relationship', $orderBy$ (select idName from hs_office_person_iv p where p.uuid = target.relHolderUuid) $orderBy$, $updates$ contactUuid = new.contactUuid $updates$);
--//