Michael Hoennig
285e6fbeb5
Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: #104 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
167 lines
6.4 KiB
PL/PgSQL
167 lines
6.4 KiB
PL/PgSQL
--liquibase formatted sql
|
|
-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset RbacObjectGenerator:hs-office-coopassetstransaction-rbac-OBJECT endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
call rbac.generateRelatedRbacObject('hs_office_coopassetstransaction');
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset RbacRoleDescriptorsGenerator:hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
call rbac.generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset RolesGrantsAndPermissionsGenerator:hs-office-coopassetstransaction-rbac-insert-trigger endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
/*
|
|
Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
|
|
*/
|
|
|
|
create or replace procedure buildRbacSystemForHsOfficeCoopAssetsTransaction(
|
|
NEW hs_office_coopassetstransaction
|
|
)
|
|
language plpgsql as $$
|
|
|
|
declare
|
|
newMembership hs_office_membership;
|
|
|
|
begin
|
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
|
|
|
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
|
|
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
|
|
|
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
|
|
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
|
|
|
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
|
end; $$;
|
|
|
|
/*
|
|
AFTER INSERT TRIGGER to create the role+grant structure for a new hs_office_coopassetstransaction row.
|
|
*/
|
|
|
|
create or replace function insertTriggerForHsOfficeCoopAssetsTransaction_tf()
|
|
returns trigger
|
|
language plpgsql
|
|
strict as $$
|
|
begin
|
|
call buildRbacSystemForHsOfficeCoopAssetsTransaction(NEW);
|
|
return NEW;
|
|
end; $$;
|
|
|
|
create trigger insertTriggerForHsOfficeCoopAssetsTransaction_tg
|
|
after insert on hs_office_coopassetstransaction
|
|
for each row
|
|
execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf();
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset InsertTriggerGenerator:hs-office-coopassetstransaction-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
-- granting INSERT permission to hs_office_membership ----------------------------
|
|
|
|
/*
|
|
Grants INSERT INTO hs_office_coopassetstransaction permissions to specified role of pre-existing hs_office_membership rows.
|
|
*/
|
|
do language plpgsql $$
|
|
declare
|
|
row hs_office_membership;
|
|
begin
|
|
call base.defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for pre-exising hs_office_membership rows');
|
|
|
|
FOR row IN SELECT * FROM hs_office_membership
|
|
-- unconditional for all rows in that table
|
|
LOOP
|
|
call rbac.grantPermissionToRole(
|
|
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
|
hsOfficeMembershipADMIN(row));
|
|
END LOOP;
|
|
end;
|
|
$$;
|
|
|
|
/**
|
|
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
|
|
*/
|
|
create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
|
|
returns trigger
|
|
language plpgsql
|
|
strict as $$
|
|
begin
|
|
-- unconditional for all rows in that table
|
|
call rbac.grantPermissionToRole(
|
|
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
|
|
hsOfficeMembershipADMIN(NEW));
|
|
-- end.
|
|
return NEW;
|
|
end; $$;
|
|
|
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
|
|
after insert on hs_office_membership
|
|
for each row
|
|
execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset InsertTriggerGenerator:hs-office-coopassetstransaction-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
/**
|
|
Checks if the user respectively the assumed roles are allowed to insert a row to hs_office_coopassetstransaction.
|
|
*/
|
|
create or replace function hs_office_coopassetstransaction_insert_permission_check_tf()
|
|
returns trigger
|
|
language plpgsql as $$
|
|
declare
|
|
superObjectUuid uuid;
|
|
begin
|
|
-- check INSERT permission via direct foreign key: NEW.membershipUuid
|
|
if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
|
|
return NEW;
|
|
end if;
|
|
|
|
raise exception '[403] insert into hs_office_coopassetstransaction values(%) not allowed for current subjects % (%)',
|
|
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
|
end; $$;
|
|
|
|
create trigger hs_office_coopassetstransaction_insert_permission_check_tg
|
|
before insert on hs_office_coopassetstransaction
|
|
for each row
|
|
execute procedure hs_office_coopassetstransaction_insert_permission_check_tf();
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset RbacIdentityViewGenerator:hs-office-coopassetstransaction-rbac-IDENTITY-VIEW endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
call rbac.generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
|
|
$idName$
|
|
reference
|
|
$idName$);
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset RbacRestrictedViewGenerator:hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
call rbac.generateRbacRestrictedView('hs_office_coopassetstransaction',
|
|
$orderBy$
|
|
reference
|
|
$orderBy$,
|
|
$updates$
|
|
comment = new.comment
|
|
$updates$);
|
|
--//
|
|
|