implements revoking role from user at repository level

2022-08-16 17:51:51 +02:00
parent c8e835f880
commit 2cb9375d03
6 changed files with 189 additions and 40 deletions
--- a/src/main/resources/db/changelog/2022-07-28-007-rbac-user-grant.sql
+++ b/src/main/resources/db/changelog/2022-07-28-007-rbac-user-grant.sql
@ -79,6 +79,7 @@ begin
        raise exception '[403] Revoking role % is forbidden for %.', grantedRoleUuid, currentSubjects();
    end if;

+    --raise exception 'isGranted(%, %)', currentSubjectIds(), grantedByRoleUuid;
    if NOT isGranted(currentSubjectIds(), grantedByRoleUuid) then
        raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
    end if;
--- a/src/main/resources/db/changelog/2022-07-28-008-rbac-views.sql
+++ b/src/main/resources/db/changelog/2022-07-28-008-rbac-views.sql
@ -99,8 +99,8 @@ create or replace function deleteRbacGrant()
    returns trigger
    language plpgsql as $$
 begin
-    call revokeRoleFromUser(assumedRoleUuid(), old.grantedRoleUuid, old.userUuid);
-    return null;
+    call revokeRoleFromUser(old.grantedByRoleUuid, old.grantedRoleUuid, old.userUuid);
+    return old;
 end; $$;

 /*