Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ALTER PROCEDURE [user].[role.edit] -- Edits characteristics of a role
- @role [user].roleTT READONLY, -- new values of role parameters
- @visibleForAdded core.arrayNumberList READONLY, -- updated business units, where the role is visible
- @visibleForRemoved core.arrayNumberList READONLY, -- updated business units, where the role is visible
- @grantedRoles core.arrayNumberList READONLY, -- the subroles that will be added
- @revokedRoles core.arrayNumberList READONLY, -- the subroles that will be removed from the role
- @permissions [user].rolePermissionsForObjectsTT READONLY, -- the permissions, granted to the role - FINAL state
- @policyId INT, -- the id of access policy assigned
- @document document.documentUnapprovedTT READONLY, --information about the document
- @attachment document.attachmentCustomTT READONLY, --information about the document attachment
- @actorDocument [document].[actorDocumentCustomTT] READONLY, --information about the document and document order
- @noResultSet bit = 0, -- a flag to show if result is expected
- @meta core.metaDataTT READONLY -- information for the user that makes the operation
- AS
- DECLARE @callParams XML
- DECLARE @result [user].roleUnapprovedTT
- DECLARE @userId BIGINT = (SELECT [auth.actorId] FROM @meta) -- the id of the user creating the role
- DECLARE @actorId BIGINT = (SELECT actorId FROM @role) -- the id of the role, that will be edited
- DECLARE @statusId VARCHAR(20) = (SELECT statusId FROM [user].[roleUnapproved] WHERE actorId = @actorId)
- DECLARE @visibleForAll core.arrayNumberList
- DECLARE @revokedRolesNew core.arrayNumberList
- BEGIN TRY
- -- checks if the user has a right to make the operation
- DECLARE @actionID VARCHAR(100) = OBJECT_SCHEMA_NAME(@@PROCID) + '.' + OBJECT_NAME(@@PROCID), @return INT = 0
- EXEC @return = [user].[permission.check] @actionId = @actionID, @objectId = NULL, @meta = @meta
- IF @statusId = 'new' OR @statusId = 'pending'
- BEGIN
- RAISERROR('user.cannotEditRole', 16, 1);
- END
- --checks if @visibleForAdded are visible for the current user, i.e. the user has rights to assign them
- exec [user].[visibility.check] @objectIds = @visibleForAdded, @meta = @meta
- --checks if @visibleForRemoved are visible for the current user, i.e. the user has rights to remove them
- exec [user].[visibility.check] @objectIds = @visibleForRemoved, @meta = @meta
- --get all updated visibleFor - needed for roles check
- INSERT INTO @visibleForAll (value)
- SELECT a.[object]
- FROM (SELECT [subject], predicate, [object], 0 AS isDeleted FROM core.actorHierarchy
- UNION ALL
- SELECT [subject], predicate, [object], isDeleted FROM core.actorHierarchyUnapproved WHERE isDeleted = 0
- ) a
- WHERE a.[subject] = @actorId AND a.predicate = 'visibleFor'
- IF EXISTS(SELECT v.[value] FROM @visibleForAll v JOIN @visibleForAdded va ON v.[value] = va.[value])
- RAISERROR('user.disabledOrDeletedOrganization', 16, 1)
- INSERT INTO @visibleForAll (value)
- SELECT v.value
- FROM @visibleForAdded v
- DELETE a
- FROM @visibleForAll a
- JOIN @visibleForRemoved r ON a.value = r.value
- --checks if among @visibleForAll there are disabled or deleted organizations
- IF EXISTS(SELECT *
- FROM @visibleForAll v
- LEFT JOIN customer.organization o ON v.value = o.actorId AND o.isEnabled = 1 AND o.isDeleted = 0
- WHERE o.actorId IS NULL)
- RAISERROR('user.disabledOrDeletedOrganization', 16, 1)
- IF NOT EXISTS (SELECT * FROM @visibleForAll)
- RAISERROR('user.missingBu', 16, 1)
- IF EXISTS (SELECT [subject], [object]
- FROM core.actorHierarchy
- WHERE ([subject] = @actorId AND [predicate] = 'managerOf')
- OR ([object] = @actorId AND [predicate] = 'managerOf'))
- AND (EXISTS (SELECT * FROM @visibleForAdded) OR EXISTS (SELECT * FROM @visibleForRemoved))
- RAISERROR('user.cannotEditBu', 16, 1)
- IF EXISTS (SELECT * FROM @grantedRoles WHERE value = @actorId)
- RAISERROR('user.roleSelfAssigned', 16, 1)
- IF EXISTS (
- SELECT * FROM [user].role ur
- WHERE LTRIM(RTRIM(LOWER(ur.name))) = LTRIM(RTRIM(LOWER((select name from @role))))
- AND ur.actorId <> (select top 1 actorId from @role)
- )
- OR
- EXISTS (
- SELECT * FROM [user].roleUnapproved uru
- WHERE LTRIM(RTRIM(LOWER(uru.name))) = LTRIM(RTRIM(LOWER((select name from @role))))
- AND uru.actorId <> (select top 1 actorId from @role)
- )
- RAISERROR('user.roleNameAlreadyTaken', 16, 1)
- --checks if among @grantedRoles there are assigned roles in the hierarchy graph
- IF EXISTS(SELECT g.actorId
- FROM @grantedRoles gr
- CROSS APPLY core.actorGraph(gr.value,'role','subject') g
- WHERE g.actorId = @actorId)
- RAISERROR('user.recursion', 16, 1)
- --adds to @revokedRoles roles that were visible only in removed BUs, i.e. are not unchecked, but are no longer visible
- INSERT INTO @revokedRolesNew (value)
- SELECT v.value
- FROM @revokedRoles v
- UNION ALL
- SELECT DISTINCT v.roleId
- FROM @visibleForRemoved vr --BUs that are removed now
- CROSS APPLY core.rolesVisibleFor(vr.value) v --roles that are visible for the removed BUs
- OUTER APPLY(
- SELECT *
- FROM @visibleForAll a
- CROSS APPLY core.rolesVisibleFor(a.value) vv
- WHERE v.roleId = vv.roleId
- ) aa --check whether the roles that are visible in the removed BUs are not visible in BUs in that the actor is still member of, if so, don't remove these roles
- JOIN
- (SELECT [subject], predicate, [object] FROM core.actorHierarchy
- UNION ALL
- SELECT [subject], predicate, [object] FROM core.actorHierarchyUnapproved
- )ah ON [object] = v.roleId AND predicate = 'role' AND [subject] = @actorId-- to remove only roles relevant to the role
- WHERE aa.roleId IS NULL
- --checks if among @permissions there are invalid permissions
- IF EXISTS(SELECT [subject]
- FROM @permissions p
- LEFT JOIN [user].[role] r ON r.actorId = p.[subject] AND isSystem = 1
- WHERE r.actorId IS NULL)
- RAISERROR('user.invalidPermission', 16, 1)
- BEGIN TRANSACTION
- -- re-edit rejected existing role and delete all unapproved data first
- IF @statusId = 'rejected' AND EXISTS(SELECT actorId FROM [user].[role] WHERE actorId = @actorId)
- BEGIN
- DELETE FROM [user].[roleUnapproved] WHERE actorId = @actorId
- DELETE FROM [core].[actorHierarchyUnapproved] WHERE [subject] = @actorId
- DELETE FROM [user].actorActionUnapproved WHERE actorId = @actorId
- DELETE FROM [policy].[actorPolicyUnapproved] WHERE actorId = @actorId
- END
- UPDATE t
- SET t.name = s.name,
- t.[description] = s.[description],
- t.fieldOfWorkId = s.fieldOfWorkId,
- t.isSystem = s.isSystem,
- t.updatedBy = @userId,
- t.updatedOn = SYSDATETIMEOFFSET(),
- t.statusId = 'pending'
- OUTPUT INSERTED.* INTO @result
- FROM [user].[roleUnapproved] t
- JOIN @role s ON t.actorId = s.actorId
- INSERT INTO [user].[roleUnapproved](actorId, name, [description], isEnabled, isDeleted, fieldOfWorkId, isSystem, isApproved, updatedBy, updatedOn, statusId)
- OUTPUT INSERTED.* INTO @result
- SELECT r.actorId, r.name, r.[description], r.isEnabled, r.isDeleted, r.fieldOfWorkId, r.isSystem, 0, @userId, SYSDATETIMEOFFSET(), 'pending'
- FROM @role r
- LEFT JOIN [user].[roleUnapproved] ru ON r.actorId = ru.actorId
- WHERE r.actorId = @actorId AND ru.actorId IS NULL
- INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
- SELECT @actorId, 'visibleFor', v.value, 0, @userId, SYSDATETIMEOFFSET()
- FROM @visibleForAdded v
- LEFT JOIN core.actorHierarchyUnapproved ah ON ah.[subject] = @actorId AND ah.predicate = 'visibleFor' AND v.value = [object]
- WHERE ah.[object] IS NULL
- INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
- SELECT @actorId, 'visibleFor', v.value, 1, @userId, SYSDATETIMEOFFSET()
- FROM @visibleForRemoved v
- LEFT JOIN core.actorHierarchyUnapproved ah ON ah.[subject] = @actorId AND ah.predicate = 'visibleFor' AND v.value = [object] -- re-edit of new
- WHERE ah.[object] IS NULL
- -- re-edit of new
- UPDATE ah
- SET isDeleted = CASE WHEN va.value IS NOT NULL THEN 0 WHEN vr.value IS NOT NULL THEN 1 ELSE isDeleted END
- FROM core.actorHierarchyUnapproved ah
- LEFT JOIN @visibleForAdded va ON va.value = [object]
- LEFT JOIN @visibleForRemoved vr ON vr.value = [object]
- WHERE [subject] = @actorId AND ah.predicate = 'visibleFor'
- AND ( (isDeleted = 1 AND va.[value] IS NOT NULL ) OR (isDeleted = 0 AND vr.[value] IS NOT NULL))
- EXEC [user].[role.grantUnapproved]
- @actorId = @actorId,
- @granted = @grantedRoles,
- @revoked = @revokedRolesNew,
- @defaultRoleId = NULL,
- @meta = @meta
- -- @permissions are FINAL state
- -- re-edit of new
- UPDATE ah
- SET isDeleted = CASE WHEN p.[subject] IS NOT NULL THEN 0 ELSE 1 END
- FROM core.actorHierarchyUnapproved ah
- LEFT JOIN @permissions p ON p.[subject] = ah.[object]
- JOIN [user].[role] r ON ah.[object] = r.actorId AND isSystem = 1
- WHERE ah.[subject] = @actorId AND ah.[predicate] = 'role'
- AND ( (ah.isDeleted = 1 AND p.[subject] IS NOT NULL ) OR (ah.isDeleted = 0 AND p.[subject] IS NULL))
- INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
- SELECT DISTINCT @actorId, 'role', p.[subject], 0, @userId, SYSDATETIMEOFFSET()
- FROM @permissions p
- LEFT JOIN core.actorHierarchy ah ON ah.[subject] = @actorId AND ah.predicate = 'role' AND p.[subject] = ah.[object]
- LEFT JOIN core.actorHierarchyUnapproved ahu ON ahu.[subject] = @actorId AND ahu.predicate = 'role' AND p.[subject] = ahu.[object] -- re-edit of new
- WHERE ah.[object] IS NULL AND ahu.[object] IS NULL
- INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
- SELECT DISTINCT @actorId, 'role', ah.[object], 1, @userId, SYSDATETIMEOFFSET()
- FROM @permissions p
- RIGHT JOIN core.actorHierarchy ah ON p.[subject] = ah.[object]
- LEFT JOIN core.actorHierarchyUnapproved ahu ON ahu.[subject] = @actorId AND ahu.predicate = 'role' AND p.[subject] = ahu.[object] -- re-edit of new
- JOIN [user].[role] r ON ah.[object] = r.actorId AND isSystem = 1
- WHERE p.[subject] IS NULL AND ah.[subject] = @actorId AND ah.predicate = 'role' AND ahu.[object] IS NULL
- ---- add custom permissions for objects - FINAL state
- -- reedit
- DELETE aau
- FROM [user].actorActionUnapproved aau
- LEFT JOIN ( SELECT *
- FROM @permissions p
- JOIN [user].[roleActionForObjects] o ON p.[subject] = o.actorId
- )x ON x.actionId = aau.actionId AND x.[object] = aau.objectId -- AND x.[object] = aa.fromRole
- WHERE x.[subject] IS NULL AND aau.actorId = @actorId
- INSERT INTO [user].actorActionUnapproved(actorId, actionId, objectId, [level], updatedBy, updatedOn)
- SELECT DISTINCT @actorId, o.actionId, p.[object], 1, @userId, SYSDATETIMEOFFSET()
- FROM @permissions p
- JOIN [user].[roleActionForObjects] o ON p.[subject] = o.actorId
- LEFT JOIN [user].actorActionUnapproved aau ON aau.actionId = o.actionId AND aau.objectId = p.[object] AND aau.actorId = @actorId
- WHERE aau.actorId IS NULL AND p.[object] IS NOT NULL
- IF @policyId IS NOT NULL
- BEGIN
- UPDATE [policy].[actorPolicyUnapproved]
- SET policyId = @policyId,
- updatedBy = @userId,
- updatedOn = SYSDATETIMEOFFSET()
- WHERE actorId = @actorId
- IF @@ROWCOUNT = 0
- INSERT INTO [policy].[actorPolicyUnapproved](actorId, policyId, isDeleted, updatedBy, updatedOn)
- VALUES (@actorId, @policyId, 0, @userId, SYSDATETIMEOFFSET())
- END
- EXEC document.[document.editUnapproved] @document = @document,
- @attachment = @attachment,
- @actorDocument = @actorDocument,
- @meta = @meta
- COMMIT TRANSACTION
- IF (ISNULL(@noResultSet, 0) = 0)
- BEGIN
- SELECT 'role' AS resultSetName
- SELECT * FROM @result
- END
- END TRY
- BEGIN CATCH
- IF @@TRANCOUNT > 0
- ROLLBACK TRANSACTION
- EXEC core.error
- RETURN 55555
- END CATCH
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement