Changes to MS SQL transform to support improved group security

This commit is contained in:
sb 2009-01-30 10:57:26 +00:00
parent b34706e25a
commit 307696a14a


@ -12,7 +12,7 @@
Convert ADL to MS-SQL Convert ADL to MS-SQL
$Author: sb $ $Author: sb $
$Revision: 1.14 $ $Revision: 1.15 $
--> -->
<xsl:output indent="no" encoding="UTF-8" method="text"/> <xsl:output indent="no" encoding="UTF-8" method="text"/>
@ -112,7 +112,7 @@
-- <xsl:value-of select="$product-version"/> -- <xsl:value-of select="$product-version"/>
-- --
-- Database for application <xsl:value-of select="@name"/> version <xsl:value-of select="@version"/> -- Database for application <xsl:value-of select="@name"/> version <xsl:value-of select="@version"/>
-- Generated for MS-SQL 2000+ using adl2mssql.xslt <xsl:value-of select="substring('$Revision: 1.14 $', 12)"/> -- Generated for MS-SQL 2000+ using adl2mssql.xslt <xsl:value-of select="substring('$Revision: 1.15 $', 12)"/>
-- THIS FILE IS AUTOMATICALLY GENERATED: DO NOT EDIT IT. -- THIS FILE IS AUTOMATICALLY GENERATED: DO NOT EDIT IT.
-- --
-- <xsl:value-of select="@revision"/> -- <xsl:value-of select="@revision"/>
@ -150,9 +150,31 @@
------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------
</xsl:template> </xsl:template>
<xsl:template match="adl:group"> <xsl:template match="adl:documentation">
execute sp_addrole @rolename = '<xsl:value-of select="@name"/>' /* <xsl:apply-templates/> */
</xsl:template>
<xsl:template match="adl:group">
-------------------------------------------------------------------------------------------------
-- security group <xsl:value-of select="@name"/>
-------------------------------------------------------------------------------------------------
<xsl:apply-templates select="adl:documentation"/>
execute sp_addrole @rolename = '<xsl:value-of select="@name"/>'
GO
-------------------------------------------------------------------------------------------------
-- dummy table accessible only to members of <xsl:value-of select="@name"/>, to allow
-- a hard check on group membership
-------------------------------------------------------------------------------------------------
CREATE TABLE "<xsl:value-of select="concat( 'AuthCheck', @name)"/>" (
"Check" INT NOT NULL,
PRIMARY KEY( "Check")
)
GO
REVOKE ALL ON "<xsl:value-of select="concat( 'AuthCheck', @name)"/>" FROM public
GO
GRANT SELECT ON "<xsl:value-of select="concat( 'AuthCheck', @name)"/>" TO "<xsl:value-of select="@name"/>"
GO GO
</xsl:template> </xsl:template>
@ -277,6 +299,7 @@
------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------
-- primary table <xsl:value-of select="$table"/> -- primary table <xsl:value-of select="$table"/>
------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------
<xsl:apply-templates select="adl:documentation"/>
CREATE TABLE "<xsl:value-of select="$table"/>" CREATE TABLE "<xsl:value-of select="$table"/>"
( (
<xsl:for-each select="descendant::adl:property[not( @type='link' or @type = 'list' or @concrete='false')]"> <xsl:for-each select="descendant::adl:property[not( @type='link' or @type = 'list' or @concrete='false')]">
@ -300,7 +323,6 @@
</xsl:for-each> </xsl:for-each>
<xsl:apply-templates select="adl:key"/> <xsl:apply-templates select="adl:key"/>
) )
GO GO
---- permissions ------------------------------------------------------------------------------ ---- permissions ------------------------------------------------------------------------------
@ -369,27 +391,27 @@
<xsl:choose> <xsl:choose>
<xsl:when test="@permission='read'"> <xsl:when test="@permission='read'">
GRANT SELECT ON "<xsl:value-of GRANT SELECT ON "<xsl:value-of
select="$table"/>" TO <xsl:value-of select="@group"/> select="$table"/>" TO "<xsl:value-of select="@group"/>"
</xsl:when> </xsl:when>
<xsl:when test="@permission='insert'"> <xsl:when test="@permission='insert'">
GRANT INSERT ON "<xsl:value-of GRANT INSERT ON "<xsl:value-of
select="$table"/>" TO <xsl:value-of select="@group"/> select="$table"/>" TO "<xsl:value-of select="@group"/>"
</xsl:when> </xsl:when>
<xsl:when test="@permission='noedit'"> <xsl:when test="@permission='noedit'">
GRANT SELECT, INSERT ON "<xsl:value-of GRANT SELECT, INSERT ON "<xsl:value-of
select="$table"/>" TO <xsl:value-of select="@group"/> select="$table"/>" TO "<xsl:value-of select="@group"/>"
</xsl:when> </xsl:when>
<xsl:when test="@permission='edit'"> <xsl:when test="@permission='edit'">
GRANT SELECT, INSERT, UPDATE ON "<xsl:value-of GRANT SELECT, INSERT, UPDATE ON "<xsl:value-of
select="$table"/>" TO <xsl:value-of select="@group"/> select="$table"/>" TO "<xsl:value-of select="@group"/>"
</xsl:when> </xsl:when>
<xsl:when test="@permission='all'"> <xsl:when test="@permission='all'">
GRANT SELECT, INSERT, UPDATE, DELETE ON "<xsl:value-of GRANT SELECT, INSERT, UPDATE, DELETE ON "<xsl:value-of
select="$table"/>" TO <xsl:value-of select="@group"/> select="$table"/>" TO "<xsl:value-of select="@group"/>"
</xsl:when> </xsl:when>
<xsl:otherwise> <xsl:otherwise>
REVOKE ALL ON "<xsl:value-of REVOKE ALL ON "<xsl:value-of
select="$table"/>" FROM <xsl:value-of select="@group"/> select="$table"/>" FROM "<xsl:value-of select="@group"/>"
</xsl:otherwise> </xsl:otherwise>
</xsl:choose> </xsl:choose>
<xsl:text> <xsl:text>
@ -504,27 +526,27 @@
---- permissions ------------------------------------------------------------------------------ ---- permissions ------------------------------------------------------------------------------
<!-- only two levels of permission really matter for a link table. If you can read both of the <!-- only two levels of permission really matter for a link table. If you can read both of the
parent tables, then you can read the link table. If you can edit either of the parent tables, parent tables, then you can read the link table. If you can edit either of the parent tables,
then you need full CRUD permissions on the link table. --> then you need full CRUD permissions on the link table. Otherwise, you get nothing. -->
<xsl:for-each select="//adl:group"> <xsl:for-each select="//adl:group">
<xsl:variable name="groupname" select="@name"/> <xsl:variable name="groupname" select="@name"/>
<xsl:choose> <xsl:choose>
<xsl:when test="//adl:entity[@name=$nearside]/adl:permission[@group=$groupname and @permission='all']"> <xsl:when test="//adl:entity[@name=$nearside]/adl:permission[@group=$groupname and @permission='all']">
GRANT SELECT,INSERT,UPDATE,DELETE ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/> GRANT SELECT,INSERT,UPDATE,DELETE ON "<xsl:value-of select="$linktablename"/>" TO "<xsl:value-of select="$groupname"/>"
</xsl:when> </xsl:when>
<xsl:when test="//adl:entity[@name=$nearside]/adl:permission[@group=$groupname and @permission='edit']"> <xsl:when test="//adl:entity[@name=$nearside]/adl:permission[@group=$groupname and @permission='edit']">
GRANT SELECT,INSERT,UPDATE,DELETE ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/> GRANT SELECT,INSERT,UPDATE,DELETE ON "<xsl:value-of select="$linktablename"/>" TO "<xsl:value-of select="$groupname"/>"
</xsl:when> </xsl:when>
<xsl:when test="//adl:entity[@name=$farside]/adl:permission[@group=$groupname and @permission='all']"> <xsl:when test="//adl:entity[@name=$farside]/adl:permission[@group=$groupname and @permission='all']">
GRANT SELECT,INSERT,UPDATE,DELETE ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/> GRANT SELECT,INSERT,UPDATE,DELETE ON "<xsl:value-of select="$linktablename"/>" TO "<xsl:value-of select="$groupname"/>"
</xsl:when> </xsl:when>
<xsl:when test="//adl:entity[@name=$farside]/adl:permission[@group=$groupname and @permission='edit']"> <xsl:when test="//adl:entity[@name=$farside]/adl:permission[@group=$groupname and @permission='edit']">
GRANT SELECT,INSERT,UPDATE,DELETE ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/> GRANT SELECT,INSERT,UPDATE,DELETE ON "<xsl:value-of select="$linktablename"/>" TO "<xsl:value-of select="$groupname"/>"
</xsl:when> </xsl:when>
<xsl:when test="//adl:entity[@name=$nearside]/adl:permission[@group=$groupname and @permission='none']"> <xsl:when test="//adl:entity[@name=$nearside]/adl:permission[@group=$groupname and @permission='none']">
REVOKE ALL ON <xsl:value-of select="$linktablename"/> FROM <xsl:value-of select="$groupname"/> REVOKE ALL ON "<xsl:value-of select="$linktablename"/>" FROM "<xsl:value-of select="$groupname"/>"
</xsl:when> </xsl:when>
<xsl:when test="//adl:entity[@name=$farside]/adl:permission[@group=$groupname and @permission='none']"> <xsl:when test="//adl:entity[@name=$farside]/adl:permission[@group=$groupname and @permission='none']">
REVOKE ALL ON <xsl:value-of select="$linktablename"/> FROM <xsl:value-of select="$groupname"/> REVOKE ALL ON "<xsl:value-of select="$linktablename"/>" FROM "<xsl:value-of select="$groupname"/>"
</xsl:when> </xsl:when>
<xsl:otherwise> <xsl:otherwise>
GRANT SELECT ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/> GRANT SELECT ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/>
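Review bot: The `<xsl:otherwise>` branch on the last line of this hunk still emits `GRANT SELECT ON <xsl:value-of select="$linktablename"/> TO <xsl:value-of select="$groupname"/>` without the double quotes that every other GRANT/REVOKE in the hunk now gets, so a link table or role whose name needs quoting (spaces, reserved words, case under a case-sensitive collation) would fail only in the read-only case; it should read `GRANT SELECT ON "<xsl:value-of select="$linktablename"/>" TO "<xsl:value-of select="$groupname"/>"`. The same concern applies to the new adl:group template in the second hunk, where `@name` is written unescaped into the `'…'` literal for sp_addrole and into the `"…"` identifiers of the AuthCheck table, so a group name containing `'` or `"` breaks or alters the generated statement — XSLT 1.0 has no replace(), so a small recursive template that doubles those characters, or a check that rejects such names, is the fix. Likewise the new adl:documentation template wraps arbitrary documentation text in `/* … */`, and if that text contains `*/` the comment closes early and whatever follows is run as SQL, so either reject that sequence or emit the text with a `--` prefix per line. Double-quoted identifiers are only accepted when QUOTED_IDENTIFIER is ON for the session that runs the script, and I cannot see whether the generated header sets it, so that is worth confirming for the tool the scripts are fed to. The enclosing xsl:for-each continues outside the hunk.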