hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 3 Activity
hs.hsadmin.ng/src/main/resources/db/changelog/113-test-customer-rbac.sql

127 lines
3.8 KiB
PL/PgSQL
Raw Blame History

--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-07T12:25:36.376742633.
-- ============================================================================
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('test_customer');
--//
-- ============================================================================
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('testCustomer', 'test_customer');
--//
-- ============================================================================
--changeset test-customer-rbac-insert-trigger:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
*/
create or replace procedure buildRbacSystemForTestCustomer(
NEW test_customer
)
language plpgsql as $$
declare
begin
call enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
testCustomerOwner(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalAdmin()]
);
perform createRoleWithGrants(
testCustomerAdmin(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[testCustomerOwner(NEW)]
);
perform createRoleWithGrants(
testCustomerTenant(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[testCustomerAdmin(NEW)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
AFTER INSERT TRIGGER to create the role+grant structure for a new test_customer row.
*/
create or replace function insertTriggerForTestCustomer_tf()
returns trigger
language plpgsql
strict as $$
begin
call buildRbacSystemForTestCustomer(NEW);
return NEW;
end; $$;
create trigger insertTriggerForTestCustomer_tg
after insert on test_customer
for each row
execute procedure insertTriggerForTestCustomer_tf();
--//
-- ============================================================================
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
Checks if the user or assumed roles are allowed to insert a row to test_customer.
*/
create or replace function test_customer_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
raise exception 'insert into test_customer not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
end; $$;
create trigger test_customer_insert_permission_check_tg
before insert on test_customer
for each row
-- As there is no explicit INSERT grant specified for this table,
-- only global admins are allowed to insert any rows.
when ( not isGlobalAdmin() )
execute procedure test_customer_insert_permission_missing_tf();
--//
-- ============================================================================
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityView('test_customer', $idName$
prefix
$idName$);
--//
-- ============================================================================
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_customer',
'reference',
$updates$
reference = new.reference,
prefix = new.prefix,
adminUserName = new.adminUserName
$updates$);
--//
View Git Blame Copy Permalink