Feature/domain asset permission #1924
Conversation
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
|
I would change the target into a trunk, where we can update documentation as well @grimadas |
| @@ -68,6 +69,8 @@ namespace { | |||
| return {with_validation.str(), without_validation.str()}; | |||
| } | |||
|
|
|||
| auto hasCommandPermission() {} | |||
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
- Change id type - Add comments for test Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
| const auto bits = shared_model::interface::RolePermissionSet::size(); | ||
| std::string query = (boost::format(R"( | ||
| SELECT COALESCE(bit_or(rp.permission), '0'::bit(%1%)) | ||
| SELECT COALESCE(bit_or(permission), '0'::bit(%1%)) |
There was a problem hiding this comment.
Why remove rp here? It actually makes SQL easier to read
| has_domain_role_perm AS (%2%) | ||
| SELECT CASE | ||
| WHEN (SELECT * FROM has_global_role_perm) THEN true | ||
| WHEN ((split_part(%3%, '@', 2) = split_part(%4%, '@', 2)) |
There was a problem hiding this comment.
I think not this WHEN never used. You can change the type of id_with_target_domain to AssetIdType
| @@ -103,6 +103,23 @@ namespace iroha { | |||
| true))); | |||
| } | |||
|
|
|||
| void addOnePerm( | |||
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
shared_model/schema/primitive.proto
Outdated
|
|
||
| // Domain commands permissions | ||
| can_add_domain_asset_qty = 43; | ||
| can_subtract_domain_asset_qty = 44; |
There was a problem hiding this comment.
Please move those two lines to the line 36 (after can_subtract_asset_qty = 4).
No need to introduce an additional section for commands permissions.
It is fine to have unordered elements inside proto enum (e.g. can_get_blocks permission)
There was a problem hiding this comment.
Or move them to the end of the block with command permissions
| @@ -230,10 +231,10 @@ namespace { | |||
| } | |||
|
|
|||
| std::string checkAccountRolePermission( | |||
| shared_model::interface::permissions::Role permission, | |||
| shared_model::interface::permissions::Role role, | |||
There was a problem hiding this comment.
It is not a role, it is a permission. We have two kinds of permissions: role and grantable. This one is role permission.
Should be changed back. Also it can be named as role_permission.
| const shared_model::interface::types::AccountIdType &account_id) { | ||
| const auto perm_str = | ||
| shared_model::interface::RolePermissionSet({permission}).toBitstring(); | ||
| shared_model::interface::RolePermissionSet({role}).toBitstring(); |
There was a problem hiding this comment.
Please see the comment to the line 234.
| @@ -264,6 +265,30 @@ namespace { | |||
| return query; | |||
| } | |||
|
|
|||
| std::string checkAccountDomainRoleOrGlobalRolePermission( | |||
| shared_model::interface::permissions::Role global_role, | |||
| shared_model::interface::permissions::Role domain_role, | |||
There was a problem hiding this comment.
The two above are permissions too. See comment to postgres_command_executor.cpp:234 for details.
Please fix the name of function arguments.
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
grimadas
force-pushed
the
feature/domain-asset-permission
branch
from
a0206a2
to
16abcff
Compare
Signed-off-by: grimadas <bulat.nasrulin@gmail.com>
grimadas
changed the base branch from
trunk/command-domain-permission
to
dev
Description of the Change
This PR adds domain permissions for commands: AddAssetQty and SubtractAssetQty.
Benefits
Following changes allow restricting permissions for issuing asset for specific domains. For example, one can create assets only in their domain if has this permission.
Possible Drawbacks
None