/**
* UnityBase Row Level Security routines. For use in rls mixin.
* @author MPV
* Comment by Felix: Внимание! Для Оракла НЕЛЬЗЯ начинать алиас таблицы с символа подчеркивания '_'
*/
/*global Session: false, TubDataStore */
/**
* @namespace
*/
var RLS = UB.ns('RLS');
global['$'] = RLS;
var
roleCache; // it's safe to cache roles here because uba_role table is readonly in production
RLS.initCache = function(){
var
rInst;
if (!roleCache){
roleCache = {};
rInst = new TubDataStore('uba_role');
// here is direct SQL because permission to uba_role dose not exist for non-supervisor user's
rInst.runSQL('select ID, name FROM uba_role', {});
while (!rInst.eof){
roleCache[rInst.get(1)] = rInst.get(0); // roleCashce['admin'] = 1 e.t.c.
rInst.next();
}
}
};
RLS.currentOwner = function(){
return '( [mi_owner] = :(' + Session.userID + '): )';
};
/**
* todo - OPTIMIZE using role cache
* @param user
* @param groupname
* @return {String}
*/
RLS.userInGroup = function(user, groupname){
return "exists (select 1 from UBA_USERROLE ur inner join UBA_ROLE r ON ur.RoleID = r.ID WHERE r.name = :('" + groupname + "'): AND ur.UserID = :(" + user + "): )";
};
/**
* is current ( Session.userID) user have role with name groupname
* @param groupname group name from uba_role
* @return {*}
*/
RLS.currentUserInGroup = function(sender,groupname){
var
groupID;
RLS.initCache();
groupID = roleCache[groupname];
if(groupID && new RegExp('\\b' + groupID + '\\b').test(Session.userRoles)) {
return '(1=1)'
}else{
return '(0=1)'
}
/* if ( RLS.isOracle(sender.entity) ){
return '( BITAND(' + Session.userRoles + ',' + (roleCache[groupname] || 0) + ')!=0 )';
}
else {
return '( (' + Session.userRoles + ' & ' + (roleCache[groupname] || 0) + ')!=0 )';
}
*/
};
/* Session.userRoles is comma separated string of group ID's
RLS.currentUserInGroupByFieldName = function(sender, fieldName){
return '( (' + Session.userRoles + ' & ' + (fieldName || 0) + ')!=0 )';
};*/
/**
* Check user in adm subtable
* no user group check performed!
*/
RLS.userInAdmSubtable = function(sender, user){
return 'exists (select 1 from ' + sender.entity.name + '_adm admsubtable where admsubtable.instanceID = [ID] and admsubtable.admSubjID = :(' + user + '): )';
};
/**
* Check staff unit in adm subtable by admOrgUnitID field
*/
RLS.currentStaffUnitInDocAdmSubtable = function(sender, admSubTableName){
var roles = Session.uData.roles;
if (/\badmins\b/.test(roles)){
return '1=1';
}
else if (/\ballSeeing\b/.test(roles)){
return '1=1';
}
else if (Session.uData.orgUnitIDs === ''){
return '1=0';
}
else {
var orgUnitIDs = Session.uData.orgUnitIDs ? Session.uData.orgUnitIDs : -1;
var result = 'exists (select 1 from ' + admSubTableName + ' admsubtable where admsubtable.instanceID = [ID] and (admsubtable.admOrgUnitID IN (' + orgUnitIDs + ') OR ' +
'admsubtable.admSubjID IN ('+Session.userRoles+','+Session.userID+')))';
return result
}
//return '1=1';
};
/**
* Check sender staff unit
*/
RLS.currentSender = function (sender, user){
if (Session.uData.orgUnitIDs === ''){
return '1=0';
}
else {
return '[sendEmployee.staffUnitID] = ' + Session.uData.staffUnitID;
}
};
/**
* Check receiver staff unit
*/
RLS.currentReceiver = function (sender, user){
if (Session.uData.orgUnitIDs === ''){
return '1=0';
}
else {
return 'exists (select 1 from fld_receiver rec where rec.docID = [ID] and rec.receiveOrganization = ' + Session.uData.orgUnitIDs.split(',')[0] + ')';
}
};
RLS.isOracle = function(entity){
var dialect = entity.connectionConfig.dialect;
return ((dialect === TubSQLDialect.Oracle) || (dialect === TubSQLDialect.Oracle9) ||
(dialect === TubSQLDialect.Oracle10) || (dialect === TubSQLDialect.Oracle11));
};
/** Check user or any of user groups in adm subtable
/* xmax using ORACLE
* _todo check oracle syntax!!
*/
RLS.userOrUserGroupInAdmSubtable = function(sender, user){
var result = 'exists (select 1 from ' + sender.entity.name + '_adm admsubtable where admsubtable.instanceID = [ID] and admsubtable.admSubjID in (select ur.RoleID from uba_userrole ur where ur.UserID = :(' + user + '): union select ' + user;
if ( RLS.isOracle(sender.entity) ){
return result + ' from dual ))';
}
else {
return result + '))';
}
//exists (select 1 from ubm_navshortcut_adm admsubtable where admsubtable.instanceID = navsh.ID and admsubtable.admSubjID in (select RoleID from uba_userrole where UserID = 1000000161401 union select 1000000161401)))
};
RLS.currentUserInAdmSubtable = function(sender){
return this.userInAdmSubtable(sender, Session.userID);
};
RLS.currentUserOrUserGroupInAdmSubtable = function(sender){
return this.userOrUserGroupInAdmSubtable(sender, Session.userID);
};
RLS.depForUser = function(sender, user){
var isOra = RLS.isOracle(sender.entity);
return '(select ounit.parentID ' +
'from org_user ouser, org_employee oe, org_employeeonstaff oeos, ' +
' org_staffunit osu, org_unit ounit ' +
'where oe.id = ouser.employeeID ' +
'and oeos.employeeID = oe.id ' +
(isOra ?
'and sysdate between oeos.mi_dateFrom and oeos.mi_dateTo ' :
'and getdate() between oeos.mi_dateFrom and oeos.mi_dateTo ') +
'and osu.id = oeos.staffUnitID ' +
'and ounit.id = osu.ID ' +
'and ouser.userID = ' + user + ')';
};
RLS.staffUnitForUser = function(sender, user){
return '(select oeos.staffUnitID ' +
'from org_user ouser, org_employee oe, org_employeeonstaff oeos ' +
'where ouser.userID = ' + user + ' ' +
'and oe.id = ouser.employeeID ' +
'and oeos.employeeID = oe.id ' +
(isOra ?
'and sysdate between oeos.mi_dateFrom and oeos.mi_dateTo)' :
'and getdate() between oeos.mi_dateFrom and oeos.mi_dateTo)')
;
};
RLS.userInIncdocRecipient = function(sender, user){
return this.staffUnitForUser(sender, Session.userID) + ' in (select b.destID from doc_incdoc_org_stunit b where b.sourceID = [ID])';
};