API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Apr 24th, 2018
65
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.42 KB | None | 0 0
raw download clone embed print report
  1. ALTER PROCEDURE [user].[role.edit] -- Edits characteristics of a role
  2. @role [user].roleTT READONLY, -- new values of role parameters
  3. @visibleForAdded core.arrayNumberList READONLY, -- updated business units, where the role is visible
  4. @visibleForRemoved core.arrayNumberList READONLY, -- updated business units, where the role is visible
  5. @grantedRoles core.arrayNumberList READONLY, -- the subroles that will be added
  6. @revokedRoles core.arrayNumberList READONLY, -- the subroles that will be removed from the role
  7. @permissions [user].rolePermissionsForObjectsTT READONLY, -- the permissions, granted to the role - FINAL state
  8. @policyId INT, -- the id of access policy assigned
  9. @document document.documentUnapprovedTT READONLY, --information about the document
  10. @attachment document.attachmentCustomTT READONLY, --information about the document attachment
  11. @actorDocument [document].[actorDocumentCustomTT] READONLY, --information about the document and document order
  12. @noResultSet bit = 0, -- a flag to show if result is expected
  13. @meta core.metaDataTT READONLY -- information for the user that makes the operation
  14. AS
  15. DECLARE @callParams XML
  16. DECLARE @result [user].roleUnapprovedTT
  17. DECLARE @userId BIGINT = (SELECT [auth.actorId] FROM @meta) -- the id of the user creating the role
  18. DECLARE @actorId BIGINT = (SELECT actorId FROM @role) -- the id of the role, that will be edited
  19. DECLARE @statusId VARCHAR(20) = (SELECT statusId FROM [user].[roleUnapproved] WHERE actorId = @actorId)
  20. DECLARE @visibleForAll core.arrayNumberList
  21. DECLARE @revokedRolesNew core.arrayNumberList
  22.  
  23. BEGIN TRY
  24. -- checks if the user has a right to make the operation
  25. DECLARE @actionID VARCHAR(100) = OBJECT_SCHEMA_NAME(@@PROCID) + '.' + OBJECT_NAME(@@PROCID), @return INT = 0
  26. EXEC @return = [user].[permission.check] @actionId = @actionID, @objectId = NULL, @meta = @meta
  27.  
  28. IF @statusId = 'new' OR @statusId = 'pending'
  29. BEGIN
  30. RAISERROR('user.cannotEditRole', 16, 1);
  31. END
  32.  
  33. --checks if @visibleForAdded are visible for the current user, i.e. the user has rights to assign them
  34. exec [user].[visibility.check] @objectIds = @visibleForAdded, @meta = @meta
  35.  
  36. --checks if @visibleForRemoved are visible for the current user, i.e. the user has rights to remove them
  37. exec [user].[visibility.check] @objectIds = @visibleForRemoved, @meta = @meta
  38.  
  39. --get all updated visibleFor - needed for roles check
  40. INSERT INTO @visibleForAll (value)
  41. SELECT a.[object]
  42. FROM (SELECT [subject], predicate, [object], 0 AS isDeleted FROM core.actorHierarchy
  43. UNION ALL
  44. SELECT [subject], predicate, [object], isDeleted FROM core.actorHierarchyUnapproved WHERE isDeleted = 0
  45. ) a
  46. WHERE a.[subject] = @actorId AND a.predicate = 'visibleFor'
  47.  
  48. IF EXISTS(SELECT v.[value] FROM @visibleForAll v JOIN @visibleForAdded va ON v.[value] = va.[value])
  49. RAISERROR('user.disabledOrDeletedOrganization', 16, 1)
  50.  
  51. INSERT INTO @visibleForAll (value)
  52. SELECT v.value
  53. FROM @visibleForAdded v
  54.  
  55. DELETE a
  56. FROM @visibleForAll a
  57. JOIN @visibleForRemoved r ON a.value = r.value
  58.  
  59. --checks if among @visibleForAll there are disabled or deleted organizations
  60. IF EXISTS(SELECT *
  61. FROM @visibleForAll v
  62. LEFT JOIN customer.organization o ON v.value = o.actorId AND o.isEnabled = 1 AND o.isDeleted = 0
  63. WHERE o.actorId IS NULL)
  64. RAISERROR('user.disabledOrDeletedOrganization', 16, 1)
  65.  
  66. IF NOT EXISTS (SELECT * FROM @visibleForAll)
  67. RAISERROR('user.missingBu', 16, 1)
  68.  
  69. IF EXISTS (SELECT [subject], [object]
  70. FROM core.actorHierarchy
  71. WHERE ([subject] = @actorId AND [predicate] = 'managerOf')
  72. OR ([object] = @actorId AND [predicate] = 'managerOf'))
  73. AND (EXISTS (SELECT * FROM @visibleForAdded) OR EXISTS (SELECT * FROM @visibleForRemoved))
  74. RAISERROR('user.cannotEditBu', 16, 1)
  75.  
  76. IF EXISTS (SELECT * FROM @grantedRoles WHERE value = @actorId)
  77. RAISERROR('user.roleSelfAssigned', 16, 1)
  78.  
  79. IF EXISTS (
  80. SELECT * FROM [user].role ur
  81. WHERE LTRIM(RTRIM(LOWER(ur.name))) = LTRIM(RTRIM(LOWER((select name from @role))))
  82. AND ur.actorId <> (select top 1 actorId from @role)
  83. )
  84. OR
  85. EXISTS (
  86. SELECT * FROM [user].roleUnapproved uru
  87. WHERE LTRIM(RTRIM(LOWER(uru.name))) = LTRIM(RTRIM(LOWER((select name from @role))))
  88. AND uru.actorId <> (select top 1 actorId from @role)
  89. )
  90. RAISERROR('user.roleNameAlreadyTaken', 16, 1)
  91.  
  92. --checks if among @grantedRoles there are assigned roles in the hierarchy graph
  93. IF EXISTS(SELECT g.actorId
  94. FROM @grantedRoles gr
  95. CROSS APPLY core.actorGraph(gr.value,'role','subject') g
  96. WHERE g.actorId = @actorId)
  97. RAISERROR('user.recursion', 16, 1)
  98.  
  99. --adds to @revokedRoles roles that were visible only in removed BUs, i.e. are not unchecked, but are no longer visible
  100. INSERT INTO @revokedRolesNew (value)
  101. SELECT v.value
  102. FROM @revokedRoles v
  103. UNION ALL
  104. SELECT DISTINCT v.roleId
  105. FROM @visibleForRemoved vr --BUs that are removed now
  106. CROSS APPLY core.rolesVisibleFor(vr.value) v --roles that are visible for the removed BUs
  107. OUTER APPLY(
  108. SELECT *
  109. FROM @visibleForAll a
  110. CROSS APPLY core.rolesVisibleFor(a.value) vv
  111. WHERE v.roleId = vv.roleId
  112. ) aa --check whether the roles that are visible in the removed BUs are not visible in BUs in that the actor is still member of, if so, don't remove these roles
  113. JOIN
  114. (SELECT [subject], predicate, [object] FROM core.actorHierarchy
  115. UNION ALL
  116. SELECT [subject], predicate, [object] FROM core.actorHierarchyUnapproved
  117. )ah ON [object] = v.roleId AND predicate = 'role' AND [subject] = @actorId-- to remove only roles relevant to the role
  118. WHERE aa.roleId IS NULL
  119.  
  120. --checks if among @permissions there are invalid permissions
  121. IF EXISTS(SELECT [subject]
  122. FROM @permissions p
  123. LEFT JOIN [user].[role] r ON r.actorId = p.[subject] AND isSystem = 1
  124. WHERE r.actorId IS NULL)
  125. RAISERROR('user.invalidPermission', 16, 1)
  126.  
  127. BEGIN TRANSACTION
  128. -- re-edit rejected existing role and delete all unapproved data first
  129. IF @statusId = 'rejected' AND EXISTS(SELECT actorId FROM [user].[role] WHERE actorId = @actorId)
  130. BEGIN
  131. DELETE FROM [user].[roleUnapproved] WHERE actorId = @actorId
  132. DELETE FROM [core].[actorHierarchyUnapproved] WHERE [subject] = @actorId
  133. DELETE FROM [user].actorActionUnapproved WHERE actorId = @actorId
  134. DELETE FROM [policy].[actorPolicyUnapproved] WHERE actorId = @actorId
  135. END
  136.  
  137. UPDATE t
  138. SET t.name = s.name,
  139. t.[description] = s.[description],
  140. t.fieldOfWorkId = s.fieldOfWorkId,
  141. t.isSystem = s.isSystem,
  142. t.updatedBy = @userId,
  143. t.updatedOn = SYSDATETIMEOFFSET(),
  144. t.statusId = 'pending'
  145. OUTPUT INSERTED.* INTO @result
  146. FROM [user].[roleUnapproved] t
  147. JOIN @role s ON t.actorId = s.actorId
  148.  
  149. INSERT INTO [user].[roleUnapproved](actorId, name, [description], isEnabled, isDeleted, fieldOfWorkId, isSystem, isApproved, updatedBy, updatedOn, statusId)
  150. OUTPUT INSERTED.* INTO @result
  151. SELECT r.actorId, r.name, r.[description], r.isEnabled, r.isDeleted, r.fieldOfWorkId, r.isSystem, 0, @userId, SYSDATETIMEOFFSET(), 'pending'
  152. FROM @role r
  153. LEFT JOIN [user].[roleUnapproved] ru ON r.actorId = ru.actorId
  154. WHERE r.actorId = @actorId AND ru.actorId IS NULL
  155.  
  156. INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
  157. SELECT @actorId, 'visibleFor', v.value, 0, @userId, SYSDATETIMEOFFSET()
  158. FROM @visibleForAdded v
  159. LEFT JOIN core.actorHierarchyUnapproved ah ON ah.[subject] = @actorId AND ah.predicate = 'visibleFor' AND v.value = [object]
  160. WHERE ah.[object] IS NULL
  161.  
  162. INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
  163. SELECT @actorId, 'visibleFor', v.value, 1, @userId, SYSDATETIMEOFFSET()
  164. FROM @visibleForRemoved v
  165. LEFT JOIN core.actorHierarchyUnapproved ah ON ah.[subject] = @actorId AND ah.predicate = 'visibleFor' AND v.value = [object] -- re-edit of new
  166. WHERE ah.[object] IS NULL
  167.  
  168. -- re-edit of new
  169. UPDATE ah
  170. SET isDeleted = CASE WHEN va.value IS NOT NULL THEN 0 WHEN vr.value IS NOT NULL THEN 1 ELSE isDeleted END
  171. FROM core.actorHierarchyUnapproved ah
  172. LEFT JOIN @visibleForAdded va ON va.value = [object]
  173. LEFT JOIN @visibleForRemoved vr ON vr.value = [object]
  174. WHERE [subject] = @actorId AND ah.predicate = 'visibleFor'
  175. AND ( (isDeleted = 1 AND va.[value] IS NOT NULL ) OR (isDeleted = 0 AND vr.[value] IS NOT NULL))
  176.  
  177. EXEC [user].[role.grantUnapproved]
  178. @actorId = @actorId,
  179. @granted = @grantedRoles,
  180. @revoked = @revokedRolesNew,
  181. @defaultRoleId = NULL,
  182. @meta = @meta
  183.  
  184. -- @permissions are FINAL state
  185. -- re-edit of new
  186. UPDATE ah
  187. SET isDeleted = CASE WHEN p.[subject] IS NOT NULL THEN 0 ELSE 1 END
  188. FROM core.actorHierarchyUnapproved ah
  189. LEFT JOIN @permissions p ON p.[subject] = ah.[object]
  190. JOIN [user].[role] r ON ah.[object] = r.actorId AND isSystem = 1
  191. WHERE ah.[subject] = @actorId AND ah.[predicate] = 'role'
  192. AND ( (ah.isDeleted = 1 AND p.[subject] IS NOT NULL ) OR (ah.isDeleted = 0 AND p.[subject] IS NULL))
  193.  
  194. INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
  195. SELECT DISTINCT @actorId, 'role', p.[subject], 0, @userId, SYSDATETIMEOFFSET()
  196. FROM @permissions p
  197. LEFT JOIN core.actorHierarchy ah ON ah.[subject] = @actorId AND ah.predicate = 'role' AND p.[subject] = ah.[object]
  198. LEFT JOIN core.actorHierarchyUnapproved ahu ON ahu.[subject] = @actorId AND ahu.predicate = 'role' AND p.[subject] = ahu.[object] -- re-edit of new
  199. WHERE ah.[object] IS NULL AND ahu.[object] IS NULL
  200.  
  201. INSERT INTO [core].[actorHierarchyUnapproved] ([subject], predicate, [object], isDeleted, updatedBy, updatedOn)
  202. SELECT DISTINCT @actorId, 'role', ah.[object], 1, @userId, SYSDATETIMEOFFSET()
  203. FROM @permissions p
  204. RIGHT JOIN core.actorHierarchy ah ON p.[subject] = ah.[object]
  205. LEFT JOIN core.actorHierarchyUnapproved ahu ON ahu.[subject] = @actorId AND ahu.predicate = 'role' AND p.[subject] = ahu.[object] -- re-edit of new
  206. JOIN [user].[role] r ON ah.[object] = r.actorId AND isSystem = 1
  207. WHERE p.[subject] IS NULL AND ah.[subject] = @actorId AND ah.predicate = 'role' AND ahu.[object] IS NULL
  208.  
  209. ---- add custom permissions for objects - FINAL state
  210. -- reedit
  211. DELETE aau
  212. FROM [user].actorActionUnapproved aau
  213. LEFT JOIN ( SELECT *
  214. FROM @permissions p
  215. JOIN [user].[roleActionForObjects] o ON p.[subject] = o.actorId
  216. )x ON x.actionId = aau.actionId AND x.[object] = aau.objectId -- AND x.[object] = aa.fromRole
  217. WHERE x.[subject] IS NULL AND aau.actorId = @actorId
  218.  
  219. INSERT INTO [user].actorActionUnapproved(actorId, actionId, objectId, [level], updatedBy, updatedOn)
  220. SELECT DISTINCT @actorId, o.actionId, p.[object], 1, @userId, SYSDATETIMEOFFSET()
  221. FROM @permissions p
  222. JOIN [user].[roleActionForObjects] o ON p.[subject] = o.actorId
  223. LEFT JOIN [user].actorActionUnapproved aau ON aau.actionId = o.actionId AND aau.objectId = p.[object] AND aau.actorId = @actorId
  224. WHERE aau.actorId IS NULL AND p.[object] IS NOT NULL
  225.  
  226. IF @policyId IS NOT NULL
  227. BEGIN
  228. UPDATE [policy].[actorPolicyUnapproved]
  229. SET policyId = @policyId,
  230. updatedBy = @userId,
  231. updatedOn = SYSDATETIMEOFFSET()
  232. WHERE actorId = @actorId
  233.  
  234. IF @@ROWCOUNT = 0
  235. INSERT INTO [policy].[actorPolicyUnapproved](actorId, policyId, isDeleted, updatedBy, updatedOn)
  236. VALUES (@actorId, @policyId, 0, @userId, SYSDATETIMEOFFSET())
  237. END
  238.  
  239.  
  240. EXEC document.[document.editUnapproved] @document = @document,
  241. @attachment = @attachment,
  242. @actorDocument = @actorDocument,
  243. @meta = @meta
  244.  
  245. COMMIT TRANSACTION
  246.  
  247. IF (ISNULL(@noResultSet, 0) = 0)
  248. BEGIN
  249. SELECT 'role' AS resultSetName
  250. SELECT * FROM @result
  251. END
  252. END TRY
  253. BEGIN CATCH
  254. IF @@TRANCOUNT > 0
  255. ROLLBACK TRANSACTION
  256. EXEC core.error
  257. RETURN 55555
  258. END CATCH
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!