conditional insert permission grant (so far just exactly 1 unique for each table) (#48)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/48 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net>
2024-04-23 10:42:24 +02:00
parent 4eda99b95a
commit 9806bcd78f
20 changed files with 111 additions and 89 deletions
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
@@ -149,16 +149,6 @@ role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
-role:global:ADMIN -.-> role:debitorRel:OWNER
-role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
-role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
-role:debitorRel:AGENT -.-> role:debitorRel:TENANT
-role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
-role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
-role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
-role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
-role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
-role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:global:ADMIN -.-> role:refundBankAccount:OWNER
 role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
 role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md
@@ -108,16 +108,6 @@ role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
 role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
-role:global:ADMIN -.-> role:debitorRel:OWNER
-role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
-role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
-role:debitorRel:AGENT -.-> role:debitorRel:TENANT
-role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
-role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
-role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
-role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
-role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
-role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:global:ADMIN -.-> role:bankAccount:OWNER
 role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
 role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
@@ -115,6 +115,7 @@ do language plpgsql $$
        call defineContext('create INSERT INTO hs_office_sepamandate permissions for the related hs_office_relation rows');

        FOR row IN SELECT * FROM hs_office_relation
+			WHERE type = 'DEBITOR'
            LOOP
                call grantPermissionToRole(
                    createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
@@ -131,9 +132,11 @@ create or replace function hs_office_sepamandate_hs_office_relation_insert_tf()
    language plpgsql
    strict as $$
 begin
-    call grantPermissionToRole(
+    if NEW.type = 'DEBITOR' then
+		call grantPermissionToRole(
            createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
            hsOfficeRelationADMIN(NEW));
+	end if;
    return NEW;
 end; $$;