-
Notifications
You must be signed in to change notification settings - Fork 297
Conversation
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
I would change the target into a trunk, where we can update documentation as well @grimadas |
@@ -68,6 +69,8 @@ namespace { | |||
return {with_validation.str(), without_validation.str()}; | |||
} | |||
|
|||
auto hasCommandPermission() {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What it is this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, removed
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
- Change id type - Add comments for test Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
const auto bits = shared_model::interface::RolePermissionSet::size(); | ||
std::string query = (boost::format(R"( | ||
SELECT COALESCE(bit_or(rp.permission), '0'::bit(%1%)) | ||
SELECT COALESCE(bit_or(permission), '0'::bit(%1%)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why remove rp
here? It actually makes SQL easier to read
has_domain_role_perm AS (%2%) | ||
SELECT CASE | ||
WHEN (SELECT * FROM has_global_role_perm) THEN true | ||
WHEN ((split_part(%3%, '@', 2) = split_part(%4%, '@', 2)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think not this WHEN never used. You can change the type of id_with_target_domain to AssetIdType
@@ -103,6 +103,23 @@ namespace iroha { | |||
true))); | |||
} | |||
|
|||
void addOnePerm( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leave a comment please
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add documentation
(modify docs/source/permissions/matrix.csv
, add two python examples for BTF, make permissions
in docs/source
)
shared_model/schema/primitive.proto
Outdated
|
||
// Domain commands permissions | ||
can_add_domain_asset_qty = 43; | ||
can_subtract_domain_asset_qty = 44; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please move those two lines to the line 36 (after can_subtract_asset_qty = 4
).
No need to introduce an additional section for commands permissions.
It is fine to have unordered elements inside proto enum (e.g. can_get_blocks
permission)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or move them to the end of the block with command permissions
@@ -230,10 +231,10 @@ namespace { | |||
} | |||
|
|||
std::string checkAccountRolePermission( | |||
shared_model::interface::permissions::Role permission, | |||
shared_model::interface::permissions::Role role, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not a role, it is a permission. We have two kinds of permissions: role and grantable. This one is role permission.
Should be changed back. Also it can be named as role_permission
.
const shared_model::interface::types::AccountIdType &account_id) { | ||
const auto perm_str = | ||
shared_model::interface::RolePermissionSet({permission}).toBitstring(); | ||
shared_model::interface::RolePermissionSet({role}).toBitstring(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see the comment to the line 234.
@@ -264,6 +265,30 @@ namespace { | |||
return query; | |||
} | |||
|
|||
std::string checkAccountDomainRoleOrGlobalRolePermission( | |||
shared_model::interface::permissions::Role global_role, | |||
shared_model::interface::permissions::Role domain_role, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The two above are permissions too. See comment to postgres_command_executor.cpp:234
for details.
Please fix the name of function arguments.
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
a0206a2
to
16abcff
Compare
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Description of the Change
This PR adds domain permissions for commands: AddAssetQty and SubtractAssetQty.
Benefits
Following changes allow restricting permissions for issuing asset for specific domains. For example, one can create assets only in their domain if has this permission.
Possible Drawbacks
None