Taiga459: make projects visible to debitor despite unassumed grant (#221)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: http://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/221 Reviewed-by: Stefan Begerad <stefan.begerad@hostsharing.net>
2026-05-12 10:02:10 +02:00
parent a1bac0f764
commit 62307a0764
5 changed files with 131 additions and 6 deletions
@@ -26,6 +26,7 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.Permission.UPDAT
 import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.Role.OWNER;
+import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.Role.REFERRER;
 import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.SQL.fetchedBySql;
@@ -72,9 +73,13 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
                .createSubRole(ADMIN, (with) -> {
                    with.permission(UPDATE);
                })
-                .createSubRole(AGENT)
+                .createSubRole(AGENT) // just for manual grants
                .createSubRole(TENANT, (with) -> {
                    with.outgoingSubRole("debitorRel", TENANT);
+                })
+                .createSubRole(REFERRER, (with) -> {
+                    // make the project visible for debitors, but for anything below, the owner role needs to be assumed
+                    with.incomingSuperRole("debitorRel", AGENT);
                    with.permission(SELECT);
                })

@@ -31,6 +31,7 @@ subgraph project["`**project**`"]
        role:project:ADMIN[[project:ADMIN]]
        role:project:AGENT[[project:AGENT]]
        role:project:TENANT[[project:TENANT]]
+        role:project:REFERRER[[project:REFERRER]]
    end

    subgraph project:permissions[ ]
@@ -53,11 +54,13 @@ role:project:OWNER ==> role:project:ADMIN
 role:project:ADMIN ==> role:project:AGENT
 role:project:AGENT ==> role:project:TENANT
 role:project:TENANT ==> role:debitorRel:TENANT
+role:project:TENANT ==> role:project:REFERRER
+role:debitorRel:AGENT ==> role:project:REFERRER

 %% granting permissions to roles
 role:debitorRel:ADMIN ==> perm:project:INSERT
 role:rbac.global:ADMIN ==> perm:project:DELETE
 role:project:ADMIN ==> perm:project:UPDATE
-role:project:TENANT ==> perm:project:SELECT
+role:project:REFERRER ==> perm:project:SELECT

 ```
@@ -65,11 +65,18 @@ begin

    perform rbac.defineRoleWithGrants(
        hs_booking.project_TENANT(NEW),
-            permissions => array['SELECT'],
            incomingSuperRoles => array[hs_booking.project_AGENT(NEW)],
            outgoingSubRoles => array[hs_office.relation_TENANT(newDebitorRel)]
    );

+    perform rbac.defineRoleWithGrants(
+        hs_booking.project_REFERRER(NEW),
+            permissions => array['SELECT'],
+            incomingSuperRoles => array[
+            	hs_booking.project_TENANT(NEW),
+            	hs_office.relation_AGENT(newDebitorRel)]
+    );
+
    call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.global_ADMIN());

    call rbac.leaveTriggerForObjectUuid(NEW.uuid);
@@ -194,15 +201,15 @@ call rbac.generateRbacIdentityViewFromQuery('hs_booking.project',
 -- ============================================================================
 --changeset RbacRestrictedViewGenerator:hs-booking-project-rbac-RESTRICTED-VIEW runOnChange:true validCheckSum:ANY endDelimiter:--//
 -- ----------------------------------------------------------------------------
-- trigger change of change in generateRbacRestrictedView regarding #453 optimization for global:ADMIN
 call rbac.generateRbacRestrictedView('hs_booking.project',
    $orderBy$
        caption
-    $orderBy$,
+$orderBy$,
    $updates$
        version = new.version,
        caption = new.caption
-    $updates$);
+$updates$
+);
 --//