add refundBankAccount to hs_office_debitor

2022-10-05 17:22:33 +02:00
parent d98b8feaad
commit 6b6f8127bb
16 changed files with 231 additions and 95 deletions
--- a/src/main/resources/api-definition/hs-office/hs-office-debitor-schemas.yaml
+++ b/src/main/resources/api-definition/hs-office/hs-office-debitor-schemas.yaml
@ -25,6 +25,8 @@ components:
                   pattern: '^[A_Z][A-Z]$'
                vatBusiness:
                   type: boolean
+                refundBankAccount:
+                    $ref: './hs-office-bankaccount-schemas.yaml#/components/schemas/HsOfficeBankAccount'

        HsOfficeDebitorPatch:
            type: object
@ -43,6 +45,10 @@ components:
                vatBusiness:
                    type: boolean
                    nullable: true
+                refundBankAccountUuid:
+                    type: string
+                    format: uuid
+                    nullable: true

        HsOfficeDebitorInsert:
            type: object
@ -65,6 +71,9 @@ components:
                    pattern: '^[A_Z][A-Z]$'
                vatBusiness:
                    type: boolean
+                refundBankAccountUuid:
+                    type: string
+                    format: uuid
            required:
              - partnerUuid
              - billingContactUuid
--- a/src/main/resources/db/changelog/238-hs-office-relationship-test-data.sql
+++ b/src/main/resources/db/changelog/238-hs-office-relationship-test-data.sql
@ -22,7 +22,7 @@ declare
    contact         hs_office_contact;

 begin
-    idName := cleanIdentifier( anchorPersonTradeName|| '-' || holderPersonFamilyName);
+    idName := cleanIdentifier( anchorPersonTradeName || '-' || holderPersonFamilyName);
    currentTask := 'creating RBAC test relationship ' || idName;
    call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
    execute format('set local hsadminng.currentTask to %L', currentTask);
--- a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.md
+++ b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.md
@ -0,0 +1,43 @@
+### hs_office_bankaccount RBAC Roles
+
+```mermaid
+flowchart TB
+
+%% ---------- generated start: ---------- 
+
+subgraph global
+    role:global.admin[global.admin]
+end
+
+subgraph context
+    user:current([current])
+end
+
+subgraph bankaccount
+
+    subgraph roles[ ]
+        role:bankaccount.owner[[bankaccount.owner]]
+        role:bankaccount.admin[[bankaccount.admin]]    
+        role:bankaccount.tenant[[bankaccount.tenant]]
+    end
+
+    subgraph perms[ ]
+        perm:bankaccount.delete{{bankaccount.delete}}
+        perm:bankaccount.view{{bankaccount.view}}
+    end   
+
+end
+
+%% ---------- generated end. ----------
+
+role:bankaccount.owner --> perm:bankaccount.delete
+
+role:global.admin --> role:bankaccount.owner
+user:current --> role:bankaccount.owner
+
+role:bankaccount.owner --> role:bankaccount.admin
+
+role:bankaccount.admin --> role:bankaccount.tenant
+role:bankaccount.tenant --> perm:bankaccount.view
+```
+
--- a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
@ -28,6 +28,7 @@ create or replace function createRbacRolesForHsOfficeBankAccount()
    strict as $$
 declare
    ownerRole uuid;
+    adminRole uuid;
 begin
    if TG_OP <> 'INSERT' then
        raise exception 'invalid usage of TRIGGER AFTER INSERT';
@ -43,15 +44,22 @@ begin
        grantedByRole(globalAdmin())
        );

+    -- the admin role for those related users who can view the data and related records
+    adminRole := createRole(
+            hsOfficeBankAccountAdmin(NEW),
+            -- Where bankaccounts can be created, assigned, re-assigned and deleted, they cannot be updated.
+            -- Thus SQL UPDATE and 'edit' permission are being implemented.
+            withoutPermissions(),
+            beneathRole(ownerRole)
+        );
+
    -- TODO.spec: assumption can not be updated
-    -- Where bankaccounts can be created, assigned, re-assigned and deleted, they cannot be updated.
-    -- Thus SQL UPDATE and 'edit' permission are being implemented.

    -- the tenant role for those related users who can view the data
    perform createRole(
        hsOfficeBankAccountTenant(NEW),
        grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
-        beneathRole(ownerRole)
+        beneathRole(adminRole)
        );

    return NEW;
--- a/src/main/resources/db/changelog/270-hs-office-debitor.sql
+++ b/src/main/resources/db/changelog/270-hs-office-debitor.sql
@ -6,14 +6,14 @@

 create table hs_office_debitor
 (
-    uuid                uuid unique references RbacObject (uuid) initially deferred,
-    partnerUuid         uuid not null references hs_office_partner(uuid),
-    debitorNumber       numeric(5) not null,
-    billingContactUuid  uuid not null references hs_office_contact(uuid),
-    vatId               varchar(24), -- TODO.spec: here or in person?
-    vatCountryCode      varchar(2),
-    vatBusiness         boolean not null, -- TODO.spec: more of such?
-    bankAccountUuid     uuid references hs_office_bankaccount(uuid)
+    uuid                    uuid unique references RbacObject (uuid) initially deferred,
+    partnerUuid             uuid not null references hs_office_partner(uuid),
+    debitorNumber           numeric(5) not null,
+    billingContactUuid      uuid not null references hs_office_contact(uuid),
+    vatId                   varchar(24), -- TODO.spec: here or in person?
+    vatCountryCode          varchar(2),
+    vatBusiness             boolean not null, -- TODO.spec: more of such?
+    refundBankAccountUuid   uuid references hs_office_bankaccount(uuid)
    -- TODO.impl: SEPA-mandate
 );
 --//
--- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
+++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.md
@ -4,7 +4,6 @@
 flowchart TB;

 subgraph bankaccount;
-direction TB;

    %% oversimplified version for now
    %%   
@ -13,36 +12,36 @@ direction TB;
    %% e.g. package admins could see the debitors bank account,
    %% except if we do NOT use the debitor in the hosting super module.

-    %% role:bankaccount.owner        
-    role:bankaccount.owner --> perm:bankaccount.*;
+    role:bankaccount.tenant --> perm:bankaccount.view{{bankaccount.view}};
 end;

 subgraph debitor[" "];
 direction TB;

-    %% role:debitor.owner
-    role:debitor.owner --> perm:debitor.*;
-    role:debitor.owner --> role:bankaccount.owner;
+    role:debitor.owner[[debitor.owner]]
+    role:debitor.owner --> perm:debitor.*{{debitor.*}};

-    %% role:debitor.admin
-    role:debitor.admin --> perm:debitor.edit;
-    role:debitor.owner --> role:debitor.admin;
+    role:debitor.admin[[debitor.admin]]
+    %% super-roles
+        role:debitor.owner --> role:debitor.admin;
+        role:partner.admin --> role:debitor.admin;
+        role:person.admin --> role:debitor.admin;
+        role:contact.admin --> role:debitor.admin;
+    %% sub-roles
+        role:debitor.admin --> role:partner.tenant;
+        role:debitor.admin --> role:person.tenant;
+        role:debitor.admin --> role:contact.tenant;
+        role:debitor.admin --> role:bankaccount.tenant;

-    %% role:debitor.tenant
-        role:debitor.tenant --> perm:debitor.view;
+    role:debitor.tenant[[debitor.tenant]]
+        role:debitor.tenant --> perm:debitor.view{{debitor.view}};
    %% super-roles
        role:debitor.admin --> role:debitor.tenant;
-        role:partner.admin --> role:debitor.tenant;
-        role:person.admin --> role:debitor.tenant;
-        role:contact.admin --> role:debitor.tenant;
    %% sub-roles
-        role:debitor.tenant --> role:partner.tenant;
-        role:debitor.tenant --> role:person.tenant;
-        role:debitor.tenant --> role:contact.tenant;
+        
 end;

 subgraph global;
-direction TB;
    role:global.admin --> role:debitor.owner;
 end;
        
--- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
@ -35,6 +35,7 @@ declare
    newPerson             hs_office_person;
    oldContact            hs_office_contact;
    newContact            hs_office_contact;
+    newBankAccount        hs_office_bankaccount;
 begin

    hsOfficeDebitorTenant := hsOfficeDebitorTenant(NEW);
@ -42,7 +43,7 @@ begin
    select * from hs_office_partner as p where p.uuid = NEW.partnerUuid into newPartner;
    select * from hs_office_person as p where p.uuid = newPartner.personUuid into newPerson;
    select * from hs_office_contact as c where c.uuid = NEW.billingContactUuid into newContact;
-
+    select * from hs_office_bankaccount as b where b.uuid = NEW.refundBankAccountUuid into newBankAccount;
    if TG_OP = 'INSERT' then

        -- the owner role with full access for the global admins
@ -55,23 +56,25 @@ begin
        -- the admin role with full access for owner
        adminRole = createRole(
                hsOfficeDebitorAdmin(NEW),
-                grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
-                beneathRole(ownerRole)
+                withoutPermissions(),
+                beneathRoles(array [
+                    hsOfficeDebitorOwner(NEW),
+                    hsOfficePartnerAdmin(newPartner),
+                    hsOfficePersonAdmin(newPerson),
+                    hsOfficeContactAdmin(newContact),
+                    hsOfficeBankAccountAdmin(newBankAccount)]),
+                withSubRoles(array [
+                    hsOfficePartnerTenant(newPartner),
+                    hsOfficePersonTenant(newPerson),
+                    hsOfficeContactTenant(newContact),
+                    hsOfficeBankAccountTenant(newBankAccount)])
            );

        -- the tenant role for those related users who can view the data
        perform createRole(
                hsOfficeDebitorTenant,
                grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
-                beneathRoles(array[
-                    hsOfficeDebitorAdmin(NEW),
-                    hsOfficePartnerAdmin(newPartner),
-                    hsOfficePersonAdmin(newPerson),
-                    hsOfficeContactAdmin(newContact)]),
-                withSubRoles(array[
-                    hsOfficePartnerTenant(newPartner),
-                    hsOfficePersonTenant(newPerson),
-                    hsOfficeContactTenant(newContact)])
+                beneathRole(hsOfficeDebitorAdmin(NEW))
            );

    elsif TG_OP = 'UPDATE' then
@ -79,21 +82,23 @@ begin
        if OLD.partnerUuid <> NEW.partnerUuid then
            select * from hs_office_partner as p where p.uuid = OLD.partnerUuid into oldPartner;

-            call revokeRoleFromRole( hsOfficeDebitorTenant, hsOfficePartnerAdmin(oldPartner) );
-            call grantRoleToRole( hsOfficeDebitorTenant, hsOfficePartnerAdmin(newPartner) );
+            call revokeRoleFromRole(hsOfficeDebitorAdmin(OLD), hsOfficePartnerAdmin(oldPartner));
+            call grantRoleToRole(hsOfficeDebitorAdmin(NEW), hsOfficePartnerAdmin(newPartner));

-            call revokeRoleFromRole( hsOfficePartnerTenant(oldPartner), hsOfficeDebitorTenant );
-            call grantRoleToRole( hsOfficePartnerTenant(newPartner), hsOfficeDebitorTenant );
+            call revokeRoleFromRole(hsOfficePartnerTenant(oldPartner), hsOfficeDebitorAdmin(OLD));
+            call grantRoleToRole(hsOfficePartnerTenant(newPartner), hsOfficeDebitorAdmin(NEW));
+
+            -- TODO: What about the person of the partner? And what if the person of the partner changes?
        end if;

        if OLD.billingContactUuid <> NEW.billingContactUuid then
            select * from hs_office_contact as c where c.uuid = OLD.billingContactUuid into oldContact;

-            call revokeRoleFromRole( hsOfficeDebitorTenant, hsOfficeContactAdmin(oldContact) );
-            call grantRoleToRole( hsOfficeDebitorTenant, hsOfficeContactAdmin(newContact) );
+            call revokeRoleFromRole(hsOfficeDebitorAdmin(OLD), hsOfficeContactAdmin(oldContact));
+            call grantRoleToRole(hsOfficeDebitorAdmin(NEW), hsOfficeContactAdmin(newContact));

-            call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficeDebitorTenant );
-            call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficeDebitorTenant );
+            call revokeRoleFromRole(hsOfficeContactTenant(oldContact), hsOfficeDebitorAdmin(OLD));
+            call grantRoleToRole(hsOfficeContactTenant(newContact), hsOfficeDebitorAdmin(NEW));
        end if;
    else
        raise exception 'invalid usage of TRIGGER';
@ -136,8 +141,8 @@ call generateRbacIdentityView('hs_office_debitor', $idName$
 --changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 call generateRbacRestrictedView('hs_office_debitor',
-    'target.debitorNumber',
-    $updates$
+                                'target.debitorNumber',
+                                $updates$
        billingContactUuid = new.billingContactUuid,
        vatId = new.vatId,
        vatCountryCode = new.vatCountryCode,
@ -153,9 +158,9 @@ call generateRbacRestrictedView('hs_office_debitor',
 */
 do language plpgsql $$
    declare
-        addDebitorPermissions  uuid[];
-        globalObjectUuid       uuid;
-        globalAdminRoleUuid    uuid ;
+        addDebitorPermissions uuid[];
+        globalObjectUuid      uuid;
+        globalAdminRoleUuid   uuid ;
    begin
        call defineContext('granting global new-debitor permission to global admin role', null, null, null);

--- a/src/main/resources/db/changelog/278-hs-office-debitor-test-data.sql
+++ b/src/main/resources/db/changelog/278-hs-office-debitor-test-data.sql
@ -11,11 +11,12 @@
 create or replace procedure createHsOfficeDebitorTestData( partnerTradeName varchar, billingContactLabel varchar )
    language plpgsql as $$
 declare
-    currentTask         varchar;
-    idName              varchar;
-    relatedPartner      hs_office_partner;
-    relatedContact      hs_office_contact;
-    newDebitorNumber    numeric(6);
+    currentTask             varchar;
+    idName                  varchar;
+    relatedPartner          hs_office_partner;
+    relatedContact          hs_office_contact;
+    relatedBankAccountUuid  uuid;
+    newDebitorNumber        numeric(6);
 begin
    idName := cleanIdentifier( partnerTradeName|| '-' || billingContactLabel);
    currentTask := 'creating RBAC test debitor ' || idName;
@ -26,14 +27,15 @@ begin
               join hs_office_person person on person.uuid = partner.personUuid
               where person.tradeName = partnerTradeName into relatedPartner;
    select c.* from hs_office_contact c where c.label = billingContactLabel into relatedContact;
+    select b.uuid from hs_office_bankaccount b where b.holder = partnerTradeName into relatedBankAccountUuid;
    select coalesce(max(debitorNumber)+1, 10001) from hs_office_debitor into newDebitorNumber;

    raise notice 'creating test debitor: % (#%)', idName, newDebitorNumber;
    raise notice '- using partner (%): %', relatedPartner.uuid, relatedPartner;
    raise notice '- using billingContact (%): %', relatedContact.uuid, relatedContact;
    insert
-        into hs_office_debitor (uuid, partneruuid, debitornumber, billingcontactuuid, vatbusiness)
-        values (uuid_generate_v4(), relatedPartner.uuid, newDebitorNumber, relatedContact.uuid, true);
+        into hs_office_debitor (uuid, partneruuid, debitornumber, billingcontactuuid, vatbusiness, refundbankaccountuuid)
+        values (uuid_generate_v4(), relatedPartner.uuid, newDebitorNumber, relatedContact.uuid, true, relatedBankAccountUuid);
 end; $$;
 --//