Sample
User (user_id:28358) with profile "Sales" (group_id:473) can't see Employees.
Principal routine that checks permissions:
create function acs_permission__permission_p(int4,int4,varchar) returns bool as '
declare
    permission_p__object_id   alias for $1;
    permission_p__party_id    alias for $2;
    permission_p__privilege   alias for $3;
    exists_p                  boolean;   -- declared but not used below
begin
    -- true if some grant on the object (or one of its context ancestors)
    -- gives a privilege implying the requested one to a party the user
    -- is an approved member of
    return exists (select 1
                   from
                        acs_permissions p,
                        party_approved_member_map m,
                        acs_object_context_index c,
                        acs_privilege_descendant_map h
                   where
                        p.object_id = c.ancestor_id
                        and h.descendant = permission_p__privilege
                        and c.object_id = permission_p__object_id
                        and m.member_id = permission_p__party_id
                        and p.privilege = h.privilege
                        and p.grantee_id = m.party_id);
end;' language 'plpgsql';
Check pre-conditions:
a) Check that the privilege "View users" exists
b) Check the User Matrix: Sales should be allowed to see Employees
Digging in:
a) Check permission:
select im_object_permission_p(463, 28358, 'view_users');
returns 'f'
b) Check whether the user is an (approved) member of "Sales"
select * from group_approved_member_map where member_id = 28358 and group_id = 473;
group_id | member_id | rel_id | container_id | rel_type
----------+-----------+--------+--------------+----------------
473 | 28358 | 35900 | 473 | membership_rel
(1 row)
c) Check for the corresponding entries in "party_approved_member_map"
select m.* from party_approved_member_map m where m.member_id = 28358;
party_id | member_id | tag
----------+-----------+-------
473 | 28358 | 35900
-2 | 28358 | 35900
438 | 28358 | 35900
28358 | 28358 | 0
-2 | 28358 | 28359
438 | 28358 | 28359
-1 | 28358 | 28359
463 | 28358 | 28361
-2 | 28358 | 28361
438 | 28358 | 28361
-1 | 28358 | 28361
-1 | 28358 | 35900
(12 rows)
d) Check acs_privilege_descendant_map
select m.* from acs_permissions p, party_approved_member_map m where m.member_id = 28358 and m.oid = 463;
tbc.
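The steps a) to d) above walk the four tables that acs_permission__permission_p joins, one at a time, until the missing row is found. The following added example (not code from the ]po[ or OpenACS projects) rebuilds that procedure against an in-memory SQLite database: it creates the four tables with constructed rows that reuse the page's ids (user 28358, group "Sales" 473, object 463; all other ids, the 'admin' privilege hierarchy and the grant rows are invented), runs the same join as the PL/pgSQL function, and then evaluates each leg of the join separately so a false result can be traced to the table that lacks a row.

```python
import sqlite3
from typing import Any

# Constructed schema: the columns the join actually uses, nothing more.
SCHEMA = """
create table acs_permissions (object_id integer, grantee_id integer, privilege text);
create table party_approved_member_map (party_id integer, member_id integer, tag integer);
create table acs_object_context_index (object_id integer, ancestor_id integer);
create table acs_privilege_descendant_map (privilege text, descendant text);
"""

# The same join as acs_permission__permission_p, with bound parameters.
PERMISSION_SQL = """
select exists (
    select 1
    from acs_permissions p,
         party_approved_member_map m,
         acs_object_context_index c,
         acs_privilege_descendant_map h
    where p.object_id = c.ancestor_id
      and h.descendant = :privilege
      and c.object_id = :object_id
      and m.member_id = :party_id
      and p.privilege = h.privilege
      and p.grantee_id = m.party_id)
"""


def build_db(grant_view_users_to_sales: bool) -> sqlite3.Connection:
    """Build an in-memory database with constructed rows (not ]po[ data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # User 28358 is an approved member of Sales (473), of "registered users"
    # (-2) and, as every party is, of itself.
    con.executemany("insert into party_approved_member_map values (?,?,?)",
                    [(473, 28358, 35900), (-2, 28358, 35900), (28358, 28358, 0)])
    # Object 463 is its own context ancestor and inherits from context 438
    # (constructed context tree).
    con.executemany("insert into acs_object_context_index values (?,?)",
                    [(463, 463), (463, 438)])
    # 'admin' implies 'view_users'; every privilege is its own descendant.
    con.executemany("insert into acs_privilege_descendant_map values (?,?)",
                    [("admin", "admin"), ("admin", "view_users"),
                     ("view_users", "view_users"), ("read", "read")])
    # An 'admin' grant on the parent context exists, but to another party (999),
    # so it does not help user 28358.
    grants = [(438, 999, "admin")]
    if grant_view_users_to_sales:
        grants.append((463, 473, "view_users"))
    con.executemany("insert into acs_permissions values (?,?,?)", grants)
    return con


def permission_p(con: sqlite3.Connection, object_id: int, party_id: int,
                 privilege: str) -> bool:
    """Result of the permission check, as the PL/pgSQL function would return it."""
    params = {"object_id": object_id, "party_id": party_id, "privilege": privilege}
    return bool(con.execute(PERMISSION_SQL, params).fetchone()[0])


def diagnose(con: sqlite3.Connection, object_id: int, party_id: int,
             privilege: str) -> dict[str, Any]:
    """Evaluate each leg of the join on its own and name the first one that is empty."""
    params = {"object_id": object_id, "party_id": party_id, "privilege": privilege}
    parties = [r[0] for r in con.execute(
        "select party_id from party_approved_member_map where member_id = :party_id", params)]
    ancestors = [r[0] for r in con.execute(
        "select ancestor_id from acs_object_context_index where object_id = :object_id", params)]
    implying = [r[0] for r in con.execute(
        "select privilege from acs_privilege_descendant_map where descendant = :privilege", params)]
    # Grants of an implying privilege on the object or any of its context ancestors,
    # regardless of grantee: the join without the party_approved_member_map leg.
    candidate_grants = con.execute("""
        select p.object_id, p.grantee_id, p.privilege
        from acs_permissions p, acs_object_context_index c, acs_privilege_descendant_map h
        where p.object_id = c.ancestor_id and c.object_id = :object_id
          and h.descendant = :privilege and p.privilege = h.privilege
        order by p.object_id, p.grantee_id""", params).fetchall()
    matching = [g for g in candidate_grants if g[1] in parties]
    if not parties:
        reason = "user has no row in party_approved_member_map"
    elif not ancestors:
        reason = "object has no row in acs_object_context_index"
    elif not implying:
        reason = "privilege is missing from acs_privilege_descendant_map"
    elif not candidate_grants:
        reason = "no grant of an implying privilege on the object or its context ancestors"
    elif not matching:
        reason = "grants exist, but none to a party the user is an approved member of"
    else:
        reason = "granted"
    return {"parties": parties, "ancestors": ancestors, "implying_privileges": implying,
            "candidate_grants": candidate_grants, "matching_grants": matching,
            "reason": reason}


if __name__ == "__main__":
    for granted in (False, True):
        con = build_db(granted)
        print(permission_p(con, 463, 28358, "view_users"), diagnose(con, 463, 28358, "view_users")["reason"])
```

Run against the constructed data, the check returns false in the first case although the user's membership rows and the privilege hierarchy are all present; diagnose() points at acs_permissions, which is the table the page's step d) is about to inspect. Adding the view_users grant to group 473 flips the result to true.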