--liquibase formatted sql -- This code generated was by RbacViewPostgresGenerator, do not amend manually. -- ============================================================================ --changeset RbacObjectGenerator:hs-office-sepamandate-rbac-OBJECT endDelimiter:--// -- ---------------------------------------------------------------------------- call rbac.generateRelatedRbacObject('hs_office.sepamandate'); --// -- ============================================================================ --changeset RbacRoleDescriptorsGenerator:hs-office-sepamandate-rbac-ROLE-DESCRIPTORS endDelimiter:--// -- ---------------------------------------------------------------------------- call rbac.generateRbacRoleDescriptors('hs_office.sepamandate'); --// -- ============================================================================ --changeset RolesGrantsAndPermissionsGenerator:hs-office-sepamandate-rbac-insert-trigger endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates the roles, grants and permission for the AFTER INSERT TRIGGER. */ create or replace procedure hs_office.sepamandate_build_rbac_system( NEW hs_office.sepamandate ) language plpgsql as $$ declare newBankAccount hs_office.bankaccount; newDebitorRel hs_office.relation; begin call rbac.enterTriggerForObjectUuid(NEW.uuid); SELECT * FROM hs_office.bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount; assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s', NEW.bankAccountUuid); SELECT debitorRel.* FROM hs_office.relation debitorRel JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid WHERE debitor.uuid = NEW.debitorUuid INTO newDebitorRel; assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid); perform rbac.defineRoleWithGrants( hs_office.sepamandate_OWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[rbac.globalADMIN()], subjectUuids => array[rbac.currentSubjectUuid()] ); perform rbac.defineRoleWithGrants( hs_office.sepamandate_ADMIN(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[hs_office.sepamandate_OWNER(NEW)] ); perform rbac.defineRoleWithGrants( hs_office.sepamandate_AGENT(NEW), incomingSuperRoles => array[hs_office.sepamandate_ADMIN(NEW)], outgoingSubRoles => array[ hs_office.bankaccount_REFERRER(newBankAccount), hs_office.relation_AGENT(newDebitorRel)] ); perform rbac.defineRoleWithGrants( hs_office.sepamandate_REFERRER(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ hs_office.bankaccount_ADMIN(newBankAccount), hs_office.relation_AGENT(newDebitorRel), hs_office.sepamandate_AGENT(NEW)], outgoingSubRoles => array[hs_office.relation_TENANT(newDebitorRel)] ); call rbac.leaveTriggerForObjectUuid(NEW.uuid); end; $$; /* AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office.sepamandate row. */ create or replace function hs_office.sepamandate_build_rbac_system_after_insert_tf() returns trigger language plpgsql strict as $$ begin call hs_office.sepamandate_build_rbac_system(NEW); return NEW; end; $$; create trigger build_rbac_system_after_insert_tg after insert on hs_office.sepamandate for each row execute procedure hs_office.sepamandate_build_rbac_system_after_insert_tf(); --// -- ============================================================================ --changeset InsertTriggerGenerator:hs-office-sepamandate-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--// -- ---------------------------------------------------------------------------- -- granting INSERT permission to hs_office.relation ---------------------------- /* Grants INSERT INTO hs_office.sepamandate permissions to specified role of pre-existing hs_office.relation rows. */ do language plpgsql $$ declare row hs_office.relation; begin call base.defineContext('create INSERT INTO hs_office.sepamandate permissions for pre-exising hs_office.relation rows'); FOR row IN SELECT * FROM hs_office.relation WHERE type = 'DEBITOR' LOOP call rbac.grantPermissionToRole( rbac.createPermission(row.uuid, 'INSERT', 'hs_office.sepamandate'), hs_office.relation_ADMIN(row)); END LOOP; end; $$; /** Grants hs_office.sepamandate INSERT permission to specified role of new relation rows. */ create or replace function hs_office.new_sepamandate_grants_insert_to_relation_tf() returns trigger language plpgsql strict as $$ begin if NEW.type = 'DEBITOR' then call rbac.grantPermissionToRole( rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office.sepamandate'), hs_office.relation_ADMIN(NEW)); end if; return NEW; end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_sepamandate_grants_after_insert_tg after insert on hs_office.relation for each row execute procedure hs_office.new_sepamandate_grants_insert_to_relation_tf(); -- ============================================================================ --changeset InsertTriggerGenerator:hs-office-sepamandate-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--// -- ---------------------------------------------------------------------------- /** Checks if the user respectively the assumed roles are allowed to insert a row to hs_office.sepamandate. */ create or replace function hs_office.sepamandate_insert_permission_check_tf() returns trigger language plpgsql as $$ declare superObjectUuid uuid; begin -- check INSERT permission via indirect foreign key: NEW.debitorUuid superObjectUuid := (SELECT debitorRel.uuid FROM hs_office.relation debitorRel JOIN hs_office.debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid WHERE debitor.uuid = NEW.debitorUuid ); assert superObjectUuid is not null, 'object uuid fetched depending on hs_office.sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL'; if rbac.hasInsertPermission(superObjectUuid, 'hs_office.sepamandate') then return NEW; end if; raise exception '[403] insert into hs_office.sepamandate values(%) not allowed for current subjects % (%)', NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids(); end; $$; create trigger sepamandate_insert_permission_check_tg before insert on hs_office.sepamandate for each row execute procedure hs_office.sepamandate_insert_permission_check_tf(); --// -- ============================================================================ --changeset RbacIdentityViewGenerator:hs-office-sepamandate-rbac-IDENTITY-VIEW endDelimiter:--// -- ---------------------------------------------------------------------------- call rbac.generateRbacIdentityViewFromQuery('hs_office.sepamandate', $idName$ select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName from hs_office.sepamandate sm join hs_office.bankaccount ba on ba.uuid = sm.bankAccountUuid $idName$); --// -- ============================================================================ --changeset RbacRestrictedViewGenerator:hs-office-sepamandate-rbac-RESTRICTED-VIEW endDelimiter:--// -- ---------------------------------------------------------------------------- call rbac.generateRbacRestrictedView('hs_office.sepamandate', $orderBy$ validity $orderBy$, $updates$ reference = new.reference, agreement = new.agreement, validity = new.validity $updates$); --//