Advanced on Palmyra https://palmyra.dev/docs/tutorial/backend/advanced/ Recent content in Advanced on Palmyra Hugo en-us Custom query filters https://palmyra.dev/docs/tutorial/backend/advanced/custom-filters/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/custom-filters/ <h1 id="custom-query-filters">Custom query filters<a class="anchor" href="#custom-query-filters">#</a></h1> <p>When your read endpoint needs to enforce <strong>implicit</strong> conditions — a tenant scope, a soft-delete flag, a visibility rule — don&rsquo;t require clients to pass them. Override <code>applyQueryFilter</code> on the handler and append the conditions server-side.</p> <h2 id="the-hook">The hook<a class="anchor" href="#the-hook">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> QueryFilter <span style="color:#a6e22e">applyQueryFilter</span>(QueryFilter filter, HandlerContext ctx) { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// conditions the caller cannot override</span> </span></span><span style="display:flex;"><span> filter.<span style="color:#a6e22e">sqlExpression</span>(<span style="color:#e6db74">&#34;status &lt;&gt; &#39;ARCHIVED&#39;&#34;</span>); </span></span><span style="display:flex;"><span> filter.<span style="color:#a6e22e">addCondition</span>(<span style="color:#66d9ef">new</span> SimpleCondition(<span style="color:#e6db74">&#34;tenantId&#34;</span>, userProvider.<span style="color:#a6e22e">getTenantId</span>())); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// default ordering if the caller didn&#39;t ask</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>filter.<span style="color:#a6e22e">hasOrderBy</span>()) { </span></span><span style="display:flex;"><span> filter.<span style="color:#a6e22e">addOrderDesc</span>(<span style="color:#e6db74">&#34;createdAt&#34;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// hard cap on page size</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (filter.<span style="color:#a6e22e">getLimit</span>() <span style="color:#f92672">==</span> 0 <span style="color:#f92672">||</span> filter.<span style="color:#a6e22e">getLimit</span>() <span style="color:#f92672">&gt;</span> 500) { </span></span><span style="display:flex;"><span> filter.<span style="color:#a6e22e">setLimit</span>(500); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> filter; </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="patterns-worth-reusing">Patterns worth reusing<a class="anchor" href="#patterns-worth-reusing">#</a></h2> <ul> <li><strong>Tenant scoping.</strong> Read the tenant from <code>AuthProvider</code> (or a custom <code>UserProvider</code>) and add it as a condition; never trust a tenant id from the request.</li> <li><strong>Soft delete.</strong> Use <code>sqlExpression(&quot;status &lt;&gt; 'ARCHIVED'&quot;)</code> on the default path; publish a sibling handler at <code>/admin/...</code> without the clause for operators who need to see archived rows.</li> <li><strong>Role-based projection.</strong> Call <code>filter.setFields(...)</code> from <code>applyQueryFilter</code> to strip columns a given role shouldn&rsquo;t see (PII, financial totals).</li> <li><strong>Default ordering.</strong> Only apply a default when the caller didn&rsquo;t supply one — <code>filter.hasOrderBy()</code> is the guard.</li> </ul> <h2 id="filtering-by-a-parent-table-attribute">Filtering by a parent-table attribute<a class="anchor" href="#filtering-by-a-parent-table-attribute">#</a></h2> <p><code>addCondition</code> accepts <strong>dotted attribute paths</strong>, so you can filter on a column that lives on a joined parent table. Palmyra auto-includes the JOIN — you never write it in Java.</p> Native SQL reports https://palmyra.dev/docs/tutorial/backend/advanced/native-queries/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/native-queries/ <h1 id="native-sql-reports">Native SQL reports<a class="anchor" href="#native-sql-reports">#</a></h1> <p>Annotation-driven queries compile great SELECTs for CRUD, but reporting is usually where hand-written SQL earns its keep — aggregates, window functions, complex joins. Publish those as first-class endpoints with <code>NativeQueryHandler</code>.</p> <h2 id="a-reporting-endpoint">A reporting endpoint<a class="anchor" href="#a-reporting-endpoint">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@Component</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@CrudMapping</span>(<span style="color:#e6db74">&#34;/v1/reports/user-sales&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">UserSalesReportHandler</span> <span style="color:#66d9ef">implements</span> NativeQueryHandler { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Autowired</span> <span style="color:#66d9ef">private</span> AuthProvider auth; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">int</span> <span style="color:#a6e22e">aclCheck</span>(FilterCriteria criteria, HandlerContext ctx) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> userProvider.<span style="color:#a6e22e">hasRole</span>(<span style="color:#e6db74">&#34;REPORT_VIEW&#34;</span>) <span style="color:#f92672">?</span> 0 : <span style="color:#f92672">-</span>1; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">preProcess</span>(FilterCriteria criteria, HandlerContext ctx) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (criteria.<span style="color:#a6e22e">getSimpleCriteria</span>().<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#34;since&#34;</span>) <span style="color:#f92672">==</span> <span style="color:#66d9ef">null</span>) { </span></span><span style="display:flex;"><span> criteria.<span style="color:#a6e22e">addCriteria</span>(<span style="color:#e6db74">&#34;since&#34;</span>, Instant.<span style="color:#a6e22e">now</span>().<span style="color:#a6e22e">minus</span>(30, ChronoUnit.<span style="color:#a6e22e">DAYS</span>).<span style="color:#a6e22e">toString</span>()); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> NativeQuery <span style="color:#a6e22e">getQuery</span>(FilterCriteria criteria, HandlerContext ctx) { </span></span><span style="display:flex;"><span> String sql <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SELECT u.id, u.name, SUM(o.amount) AS total </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> FROM users u JOIN orders o ON o.user_id = u.id </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> WHERE o.created_at &gt;= ? </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> GROUP BY u.id, u.name </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>; </span></span><span style="display:flex;"><span> NativeQuery q <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> NativeQuery(sql, criteria.<span style="color:#a6e22e">getSimpleCriteria</span>().<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#34;since&#34;</span>)); </span></span><span style="display:flex;"><span> q.<span style="color:#a6e22e">setCountQuery</span>(<span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SELECT COUNT(DISTINCT u.id) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> FROM users u JOIN orders o ON o.user_id = u.id </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> WHERE o.created_at &gt;= ? </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>); </span></span><span style="display:flex;"><span> q.<span style="color:#a6e22e">setFetchSize</span>(500); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> q; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> Tuple <span style="color:#a6e22e">onQueryResult</span>(Tuple tuple, Action action) { </span></span><span style="display:flex;"><span> BigDecimal total <span style="color:#f92672">=</span> (BigDecimal) tuple.<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#34;total&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (total <span style="color:#f92672">!=</span> <span style="color:#66d9ef">null</span>) tuple.<span style="color:#a6e22e">set</span>(<span style="color:#e6db74">&#34;total&#34;</span>, total.<span style="color:#a6e22e">setScale</span>(2, RoundingMode.<span style="color:#a6e22e">HALF_UP</span>)); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> tuple; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="guidelines">Guidelines<a class="anchor" href="#guidelines">#</a></h2> <ul> <li><strong>Use positional <code>?</code> placeholders.</strong> Bind in order with the vararg constructor or <code>addParams</code>; Palmyra does not substitute named parameters.</li> <li><strong>Set <code>countQuery</code> when pagination matters.</strong> A naive <code>COUNT(*)</code> over a GROUP BY / DISTINCT query is usually wrong — supply the right count query explicitly.</li> <li><strong>Tune <code>fetchSize</code> for wide reports.</strong> The default is 100; bump it for reports that return hundreds of thousands of rows to reduce round trips.</li> <li><strong>Keep <code>onQueryResult</code> cheap.</strong> It runs per row inside the reactive stream — no database calls from here.</li> </ul> <h2 id="see-also">See also<a class="anchor" href="#see-also">#</a></h2> <ul> <li><a href="https://palmyra.dev/docs/api/backend/handlers/nativequery-handler/"><code>NativeQueryHandler</code></a> — full method table.</li> <li><a href="https://palmyra.dev/docs/api/backend/base-classes/native-query/"><code>NativeQuery</code></a> — every constructor / setter, including <code>limitFirst()</code> and <code>setOffset</code> / <code>setLimit</code> for pagination.</li> </ul> Bulk exports https://palmyra.dev/docs/tutorial/backend/advanced/bulk-exports/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/bulk-exports/ <h1 id="bulk-exports">Bulk exports<a class="anchor" href="#bulk-exports">#</a></h1> <p>When an export means &ldquo;everything that matches this filter&rdquo; — not the one page of 50 rows the user is looking at — run the export through a dedicated handler instead of building the file in the browser. <code>CsvHandler</code> and <code>ExcelHandler</code> stream reactively, so the response starts flowing before the full result is in memory.</p> <h2 id="csv-with-a-curated-column-set">CSV with a curated column set<a class="anchor" href="#csv-with-a-curated-column-set">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@Component</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@CrudMapping</span>(value <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/v1/admin/user/export.csv&#34;</span>, type <span style="color:#f92672">=</span> User.<span style="color:#a6e22e">class</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">UserCsvHandler</span> <span style="color:#66d9ef">implements</span> CsvHandler, QueryHandler { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> List<span style="color:#f92672">&lt;</span>ColumnMeta<span style="color:#f92672">&gt;</span> <span style="color:#a6e22e">getHeaders</span>() { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> List.<span style="color:#a6e22e">of</span>( </span></span><span style="display:flex;"><span> ColumnMeta.<span style="color:#a6e22e">of</span>(<span style="color:#e6db74">&#34;loginName&#34;</span>, <span style="color:#e6db74">&#34;Email&#34;</span>), </span></span><span style="display:flex;"><span> ColumnMeta.<span style="color:#a6e22e">of</span>(<span style="color:#e6db74">&#34;firstName&#34;</span>, <span style="color:#e6db74">&#34;First Name&#34;</span>), </span></span><span style="display:flex;"><span> ColumnMeta.<span style="color:#a6e22e">of</span>(<span style="color:#e6db74">&#34;lastName&#34;</span>, <span style="color:#e6db74">&#34;Last Name&#34;</span>), </span></span><span style="display:flex;"><span> ColumnMeta.<span style="color:#a6e22e">of</span>(<span style="color:#e6db74">&#34;createdAt&#34;</span>, <span style="color:#e6db74">&#34;Created On&#34;</span>) </span></span><span style="display:flex;"><span> ); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> QueryFilter <span style="color:#a6e22e">applyQueryFilter</span>(QueryFilter filter, HandlerContext ctx) { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// honour whatever the request came with, but never export archived rows</span> </span></span><span style="display:flex;"><span> filter.<span style="color:#a6e22e">sqlExpression</span>(<span style="color:#e6db74">&#34;status &lt;&gt; &#39;ARCHIVED&#39;&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> filter; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="excel-with-a-read-side-acl">Excel with a read-side ACL<a class="anchor" href="#excel-with-a-read-side-acl">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@Component</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@CrudMapping</span>(value <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/v1/admin/user/export.xlsx&#34;</span>, type <span style="color:#f92672">=</span> User.<span style="color:#a6e22e">class</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">UserExcelHandler</span> <span style="color:#66d9ef">implements</span> ExcelHandler, QueryHandler { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Autowired</span> <span style="color:#66d9ef">private</span> AuthProvider auth; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> <span style="color:#66d9ef">public</span> String <span style="color:#a6e22e">getReportName</span>() { <span style="color:#66d9ef">return</span> <span style="color:#e6db74">&#34;Users&#34;</span>; } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">int</span> <span style="color:#a6e22e">aclCheck</span>(FilterCriteria criteria, HandlerContext ctx) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> userProvider.<span style="color:#a6e22e">hasRole</span>(<span style="color:#e6db74">&#34;USER_EXPORT&#34;</span>) <span style="color:#f92672">?</span> 0 : <span style="color:#f92672">-</span>1; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> List<span style="color:#f92672">&lt;</span>ColumnMeta<span style="color:#f92672">&gt;</span> <span style="color:#a6e22e">getHeaders</span>() { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> UserCsvHandler.<span style="color:#a6e22e">STANDARD_HEADERS</span>; <span style="color:#75715e">// share the header list</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Override</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> QueryFilter <span style="color:#a6e22e">applyQueryFilter</span>(QueryFilter filter, HandlerContext ctx) { </span></span><span style="display:flex;"><span> filter.<span style="color:#a6e22e">addCondition</span>(<span style="color:#66d9ef">new</span> SimpleCondition(<span style="color:#e6db74">&#34;tenantId&#34;</span>, userProvider.<span style="color:#a6e22e">getTenantId</span>())); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> filter; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="frontend-hookup">Frontend hookup<a class="anchor" href="#frontend-hookup">#</a></h2> <p>Export endpoints are normal URLs — just point the browser at them:</p> Cross-entity business validation https://palmyra.dev/docs/tutorial/backend/advanced/cross-entity-validation/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/cross-entity-validation/ <h1 id="cross-entity-business-validation">Cross-entity business validation<a class="anchor" href="#cross-entity-business-validation">#</a></h1> <p>When a handler needs to enforce rules that span <strong>multiple tables</strong> — &ldquo;the invoice total must not exceed the contract award&rdquo; or &ldquo;the assigned contractor must belong to this project&rdquo; — <code>@PalmyraField</code> annotations aren&rsquo;t enough. The validation lives in the handler&rsquo;s lifecycle hooks, backed by JPA repositories (or any injected service).</p> <h2 id="the-pattern">The pattern<a class="anchor" href="#the-pattern">#</a></h2> <p>Override <code>preCreate</code> / <code>preUpdate</code> / <code>preDelete</code> and call your repositories from there. The tuple carries the incoming payload; the repositories carry the truth. Throw a domain exception to abort the operation.</p> Dynamic native queries with JSqlParser https://palmyra.dev/docs/tutorial/backend/advanced/dynamic-native-queries/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/dynamic-native-queries/ <h1 id="dynamic-native-queries-with-jsqlparser">Dynamic native queries with JSqlParser<a class="anchor" href="#dynamic-native-queries-with-jsqlparser">#</a></h1> <p>When a dashboard endpoint serves multiple chart widgets — each with its own combination of filters (department, stage, contractor, value range) — hard-coding a SQL variant per filter combination doesn&rsquo;t scale. Instead, start with a base query and <strong>inject WHERE clauses programmatically</strong> using <a href="https://github.com/JSQLParser/JSqlParser">JSqlParser</a>.</p> <h2 id="the-architecture">The architecture<a class="anchor" href="#the-architecture">#</a></h2> <pre tabindex="0"><code>Request → Controller → QueryModifier.inject(baseSQL, filters) → JDBC → JSON</code></pre><ol> <li><strong>Base queries</strong> live as constants — one per report type, containing the JOINs and GROUP BYs that never change.</li> <li>A <strong>QueryModifier</strong> parses the SQL at runtime, appends filter conditions to the WHERE clause, and returns the modified query string.</li> <li>The controller (or <code>NativeQueryHandler</code>) executes the modified query and returns the results.</li> </ol> <h2 id="querymodifier--safe-where-injection">QueryModifier — safe WHERE injection<a class="anchor" href="#querymodifier--safe-where-injection">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#f92672">import</span> net.sf.jsqlparser.parser.CCJSqlParserUtil; </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> net.sf.jsqlparser.statement.select.*; </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> net.sf.jsqlparser.expression.operators.conditional.AndExpression; </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> net.sf.jsqlparser.expression.StringValue; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">QueryModifier</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">/** </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * Parse the base SQL, append one or more AND conditions, return the modified SQL. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> */</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">static</span> String <span style="color:#a6e22e">inject</span>(String baseSql, Map<span style="color:#f92672">&lt;</span>String, Object<span style="color:#f92672">&gt;</span> filters) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span> { </span></span><span style="display:flex;"><span> Select select <span style="color:#f92672">=</span> (Select) CCJSqlParserUtil.<span style="color:#a6e22e">parse</span>(baseSql); </span></span><span style="display:flex;"><span> PlainSelect plain <span style="color:#f92672">=</span> select.<span style="color:#a6e22e">getPlainSelect</span>(); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">var</span> entry : filters.<span style="color:#a6e22e">entrySet</span>()) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (entry.<span style="color:#a6e22e">getValue</span>() <span style="color:#f92672">==</span> <span style="color:#66d9ef">null</span>) <span style="color:#66d9ef">continue</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">var</span> condition <span style="color:#f92672">=</span> CCJSqlParserUtil.<span style="color:#a6e22e">parseCondExpression</span>( </span></span><span style="display:flex;"><span> entry.<span style="color:#a6e22e">getKey</span>() <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34; = &#39;&#34;</span> <span style="color:#f92672">+</span> entry.<span style="color:#a6e22e">getValue</span>() <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;&#39;&#34;</span> </span></span><span style="display:flex;"><span> ); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (plain.<span style="color:#a6e22e">getWhere</span>() <span style="color:#f92672">==</span> <span style="color:#66d9ef">null</span>) { </span></span><span style="display:flex;"><span> plain.<span style="color:#a6e22e">setWhere</span>(condition); </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> { </span></span><span style="display:flex;"><span> plain.<span style="color:#a6e22e">setWhere</span>(<span style="color:#66d9ef">new</span> AndExpression(plain.<span style="color:#a6e22e">getWhere</span>(), condition)); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> select.<span style="color:#a6e22e">toString</span>(); </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">catch</span> (Exception e) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> RuntimeException(<span style="color:#e6db74">&#34;Failed to modify query&#34;</span>, e); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="base-queries-as-constants">Base queries as constants<a class="anchor" href="#base-queries-as-constants">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">DashboardQueries</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">static</span> <span style="color:#66d9ef">final</span> String PROJECTS_BY_DEPARTMENT <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SELECT d.name AS department, COUNT(p.id) AS project_count, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SUM(p.awarded_value) AS total_value </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> FROM project p </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> JOIN department d ON d.id = p.department_id </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> GROUP BY d.name </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ORDER BY total_value DESC </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">static</span> <span style="color:#66d9ef">final</span> String MONTHLY_PROGRESS <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> WITH months AS ( </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SELECT generate_series( </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> date_trunc(&#39;year&#39;, CURRENT_DATE), </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> CURRENT_DATE, &#39;1 month&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> )::date AS month </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SELECT m.month, COUNT(p.id) AS started, SUM(p.budget) AS committed </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> FROM months m </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> LEFT JOIN project p ON date_trunc(&#39;month&#39;, p.start_date) = m.month </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> GROUP BY m.month </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ORDER BY m.month </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">static</span> <span style="color:#66d9ef">final</span> String TOP_VENDORS <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> SELECT v.name AS vendor, COUNT(c.id) AS contracts, SUM(c.value) AS total </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> FROM vendor v </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> JOIN contract c ON c.vendor_id = v.id </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> GROUP BY v.name </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ORDER BY total DESC </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> LIMIT 10 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span>; </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="controller-that-uses-it">Controller that uses it<a class="anchor" href="#controller-that-uses-it">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@RestController</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@RequestMapping</span>(<span style="color:#e6db74">&#34;/dashboard&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">DashboardChartController</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Autowired</span> <span style="color:#66d9ef">private</span> JdbcTemplate jdbc; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@GetMapping</span>(<span style="color:#e6db74">&#34;/projects-by-department&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> List<span style="color:#f92672">&lt;</span>Map<span style="color:#f92672">&lt;</span>String, Object<span style="color:#f92672">&gt;&gt;</span> <span style="color:#a6e22e">projectsByDepartment</span>( </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@RequestParam</span>(required <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) String stage, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@RequestParam</span>(required <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) Long departmentId, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@RequestParam</span>(required <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) Long contractorId) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Map<span style="color:#f92672">&lt;</span>String, Object<span style="color:#f92672">&gt;</span> filters <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> LinkedHashMap<span style="color:#f92672">&lt;&gt;</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (stage <span style="color:#f92672">!=</span> <span style="color:#66d9ef">null</span>) filters.<span style="color:#a6e22e">put</span>(<span style="color:#e6db74">&#34;p.stage&#34;</span>, stage); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (departmentId <span style="color:#f92672">!=</span> <span style="color:#66d9ef">null</span>) filters.<span style="color:#a6e22e">put</span>(<span style="color:#e6db74">&#34;p.department_id&#34;</span>, departmentId); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (contractorId <span style="color:#f92672">!=</span> <span style="color:#66d9ef">null</span>) filters.<span style="color:#a6e22e">put</span>(<span style="color:#e6db74">&#34;c.contractor_id&#34;</span>, contractorId); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String sql <span style="color:#f92672">=</span> QueryModifier.<span style="color:#a6e22e">inject</span>(DashboardQueries.<span style="color:#a6e22e">PROJECTS_BY_DEPARTMENT</span>, filters); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jdbc.<span style="color:#a6e22e">queryForList</span>(sql); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@GetMapping</span>(<span style="color:#e6db74">&#34;/top-vendors&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> List<span style="color:#f92672">&lt;</span>Map<span style="color:#f92672">&lt;</span>String, Object<span style="color:#f92672">&gt;&gt;</span> <span style="color:#a6e22e">topVendors</span>( </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@RequestParam</span>(required <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) String stage) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Map<span style="color:#f92672">&lt;</span>String, Object<span style="color:#f92672">&gt;</span> filters <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> LinkedHashMap<span style="color:#f92672">&lt;&gt;</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (stage <span style="color:#f92672">!=</span> <span style="color:#66d9ef">null</span>) filters.<span style="color:#a6e22e">put</span>(<span style="color:#e6db74">&#34;c.stage&#34;</span>, stage); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String sql <span style="color:#f92672">=</span> QueryModifier.<span style="color:#a6e22e">inject</span>(DashboardQueries.<span style="color:#a6e22e">TOP_VENDORS</span>, filters); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jdbc.<span style="color:#a6e22e">queryForList</span>(sql); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="using-jsqlparser-inside-a-nativequeryhandler">Using JSqlParser inside a NativeQueryHandler<a class="anchor" href="#using-jsqlparser-inside-a-nativequeryhandler">#</a></h2> <p>JSqlParser works just as well inside a Palmyra <code>NativeQueryHandler</code> — you get the framework&rsquo;s pagination, <code>onQueryResult</code>, and <code>aclCheck</code> for free while still composing the SQL dynamically.</p> Custom controllers with Palmyra ACL https://palmyra.dev/docs/tutorial/backend/advanced/custom-controllers/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/custom-controllers/ <h1 id="custom-controllers-with-palmyra-acl">Custom controllers with Palmyra ACL<a class="anchor" href="#custom-controllers-with-palmyra-acl">#</a></h1> <p>Palmyra handlers cover the CRUD surface. Non-CRUD actions — multi-record payments, approve/reject workflows, custom aggregation endpoints — belong in plain Spring <code>@RestController</code>s. The two patterns coexist: handlers own the data, controllers own the actions.</p> <h2 id="the-boundary">The boundary<a class="anchor" href="#the-boundary">#</a></h2> <table> <thead> <tr> <th>Use a handler when…</th> <th>Use a custom controller when…</th> </tr> </thead> <tbody> <tr> <td>The operation maps to a single entity&rsquo;s CRUD lifecycle</td> <td>The operation spans multiple entities in one call</td> </tr> <tr> <td>Pagination, sort, search, export are needed</td> <td>The request shape doesn&rsquo;t fit the standard query-param contract</td> </tr> <tr> <td><code>@CrudMapping</code> + handler interfaces cover the surface</td> <td>The endpoint needs a custom URL, custom request body, or a non-JSON response</td> </tr> </tbody> </table> <h2 id="securing-custom-controllers-with-palmyras-acl">Securing custom controllers with Palmyra&rsquo;s ACL<a class="anchor" href="#securing-custom-controllers-with-palmyras-acl">#</a></h2> <p><code>@PreAuthorize(&quot;hasPermission(...)&quot;)</code> flows through the same <a href="https://palmyra.dev/docs/api/backend/extensions/acl-management/palmyra-permission-evaluator/"><code>PalmyraPermissionEvaluator</code></a> that resolves <code>@Permission</code> on handlers. The ACL tables are the single source of truth for both surfaces.</p> Approval workflow with audit trail https://palmyra.dev/docs/tutorial/backend/advanced/approval-workflow/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/approval-workflow/ <h1 id="approval-workflow-with-audit-trail">Approval workflow with audit trail<a class="anchor" href="#approval-workflow-with-audit-trail">#</a></h1> <p>A multi-step approval flow: DRAFT → SUBMITTED → IN_PROGRESS → APPROVED (or REJECTED), with a field-level audit trail that records who changed what at each step.</p> <h2 id="data-model">Data model<a class="anchor" href="#data-model">#</a></h2> <p>Three tables power the flow:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- The entity being approved (e.g., an invoice) </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ALTER</span> <span style="color:#66d9ef">TABLE</span> invoice <span style="color:#66d9ef">ADD</span> <span style="color:#66d9ef">COLUMN</span> status VARCHAR(<span style="color:#ae81ff">16</span>) <span style="color:#66d9ef">NOT</span> <span style="color:#66d9ef">NULL</span> <span style="color:#66d9ef">DEFAULT</span> <span style="color:#e6db74">&#39;DRAFT&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Each step in the approval chain </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">CREATE</span> <span style="color:#66d9ef">TABLE</span> workflow_step ( </span></span><span style="display:flex;"><span> id BIGINT AUTO_INCREMENT <span style="color:#66d9ef">PRIMARY</span> <span style="color:#66d9ef">KEY</span>, </span></span><span style="display:flex;"><span> invoice_id BIGINT <span style="color:#66d9ef">NOT</span> <span style="color:#66d9ef">NULL</span>, </span></span><span style="display:flex;"><span> step_order INT <span style="color:#66d9ef">NOT</span> <span style="color:#66d9ef">NULL</span>, <span style="color:#75715e">-- 1, 2, 3, ... </span></span></span><span style="display:flex;"><span> group_name VARCHAR(<span style="color:#ae81ff">64</span>), <span style="color:#75715e">-- &#34;Finance&#34;, &#34;Director&#34;, &#34;Secretary&#34; </span></span></span><span style="display:flex;"><span> status VARCHAR(<span style="color:#ae81ff">16</span>) <span style="color:#66d9ef">NOT</span> <span style="color:#66d9ef">NULL</span> <span style="color:#66d9ef">DEFAULT</span> <span style="color:#e6db74">&#39;PENDING&#39;</span>, </span></span><span style="display:flex;"><span> acted_by VARCHAR(<span style="color:#ae81ff">128</span>), </span></span><span style="display:flex;"><span> acted_at <span style="color:#66d9ef">TIMESTAMP</span>, </span></span><span style="display:flex;"><span> remarks TEXT, </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">CONSTRAINT</span> fk_ws_invoice <span style="color:#66d9ef">FOREIGN</span> <span style="color:#66d9ef">KEY</span> (invoice_id) <span style="color:#66d9ef">REFERENCES</span> invoice(id) </span></span><span style="display:flex;"><span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Field-level change log per step </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">CREATE</span> <span style="color:#66d9ef">TABLE</span> workflow_context ( </span></span><span style="display:flex;"><span> id BIGINT AUTO_INCREMENT <span style="color:#66d9ef">PRIMARY</span> <span style="color:#66d9ef">KEY</span>, </span></span><span style="display:flex;"><span> step_id BIGINT <span style="color:#66d9ef">NOT</span> <span style="color:#66d9ef">NULL</span>, </span></span><span style="display:flex;"><span> field_name VARCHAR(<span style="color:#ae81ff">64</span>), </span></span><span style="display:flex;"><span> old_value VARCHAR(<span style="color:#ae81ff">512</span>), </span></span><span style="display:flex;"><span> new_value VARCHAR(<span style="color:#ae81ff">512</span>), </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">CONSTRAINT</span> fk_wc_step <span style="color:#66d9ef">FOREIGN</span> <span style="color:#66d9ef">KEY</span> (step_id) <span style="color:#66d9ef">REFERENCES</span> workflow_step(id) </span></span><span style="display:flex;"><span>);</span></span></code></pre></div><h2 id="workflow-service">Workflow service<a class="anchor" href="#workflow-service">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@Service</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@RequiredArgsConstructor</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">InvoiceWorkflowService</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">final</span> WorkflowStepRepo stepRepo; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">final</span> WorkflowContextRepo contextRepo; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">final</span> InvoiceRepo invoiceRepo; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Transactional</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">submit</span>(Long invoiceId, String submittedBy) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">var</span> invoice <span style="color:#f92672">=</span> invoiceRepo.<span style="color:#a6e22e">findById</span>(invoiceId).<span style="color:#a6e22e">orElseThrow</span>(); </span></span><span style="display:flex;"><span> assertStatus(invoice, <span style="color:#e6db74">&#34;DRAFT&#34;</span>, <span style="color:#e6db74">&#34;REJECTED&#34;</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> invoice.<span style="color:#a6e22e">setStatus</span>(<span style="color:#e6db74">&#34;SUBMITTED&#34;</span>); </span></span><span style="display:flex;"><span> invoiceRepo.<span style="color:#a6e22e">save</span>(invoice); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stepRepo.<span style="color:#a6e22e">save</span>(WorkflowStepEntity.<span style="color:#a6e22e">builder</span>() </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">invoiceId</span>(invoiceId) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">stepOrder</span>(nextStep(invoiceId)) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">groupName</span>(<span style="color:#e6db74">&#34;Submitter&#34;</span>) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">status</span>(<span style="color:#e6db74">&#34;COMPLETED&#34;</span>) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">actedBy</span>(submittedBy) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">actedAt</span>(Instant.<span style="color:#a6e22e">now</span>()) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">build</span>()); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Transactional</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">approve</span>(Long invoiceId, String approvedBy, Map<span style="color:#f92672">&lt;</span>String, String<span style="color:#f92672">&gt;</span> amendments) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">var</span> invoice <span style="color:#f92672">=</span> invoiceRepo.<span style="color:#a6e22e">findById</span>(invoiceId).<span style="color:#a6e22e">orElseThrow</span>(); </span></span><span style="display:flex;"><span> assertStatus(invoice, <span style="color:#e6db74">&#34;SUBMITTED&#34;</span>, <span style="color:#e6db74">&#34;IN_PROGRESS&#34;</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">int</span> order <span style="color:#f92672">=</span> nextStep(invoiceId); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">var</span> step <span style="color:#f92672">=</span> stepRepo.<span style="color:#a6e22e">save</span>(WorkflowStepEntity.<span style="color:#a6e22e">builder</span>() </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">invoiceId</span>(invoiceId) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">stepOrder</span>(order) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">groupName</span>(resolveGroup(approvedBy)) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">status</span>(<span style="color:#e6db74">&#34;APPROVED&#34;</span>) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">actedBy</span>(approvedBy) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">actedAt</span>(Instant.<span style="color:#a6e22e">now</span>()) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">build</span>()); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Audit every field the approver amended</span> </span></span><span style="display:flex;"><span> amendments.<span style="color:#a6e22e">forEach</span>((field, newValue) <span style="color:#f92672">-&gt;</span> { </span></span><span style="display:flex;"><span> String oldValue <span style="color:#f92672">=</span> getFieldValue(invoice, field); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>Objects.<span style="color:#a6e22e">equals</span>(oldValue, newValue)) { </span></span><span style="display:flex;"><span> contextRepo.<span style="color:#a6e22e">save</span>(WorkflowContextEntity.<span style="color:#a6e22e">builder</span>() </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">stepId</span>(step.<span style="color:#a6e22e">getId</span>()) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">fieldName</span>(field) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">oldValue</span>(oldValue) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">newValue</span>(newValue) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">build</span>()); </span></span><span style="display:flex;"><span> setFieldValue(invoice, field, newValue); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> invoice.<span style="color:#a6e22e">setStatus</span>(isLastApprover(order) <span style="color:#f92672">?</span> <span style="color:#e6db74">&#34;APPROVED&#34;</span> : <span style="color:#e6db74">&#34;IN_PROGRESS&#34;</span>); </span></span><span style="display:flex;"><span> invoiceRepo.<span style="color:#a6e22e">save</span>(invoice); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Transactional</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">reject</span>(Long invoiceId, String rejectedBy, String remarks) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">var</span> invoice <span style="color:#f92672">=</span> invoiceRepo.<span style="color:#a6e22e">findById</span>(invoiceId).<span style="color:#a6e22e">orElseThrow</span>(); </span></span><span style="display:flex;"><span> assertStatus(invoice, <span style="color:#e6db74">&#34;SUBMITTED&#34;</span>, <span style="color:#e6db74">&#34;IN_PROGRESS&#34;</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> invoice.<span style="color:#a6e22e">setStatus</span>(<span style="color:#e6db74">&#34;REJECTED&#34;</span>); </span></span><span style="display:flex;"><span> invoiceRepo.<span style="color:#a6e22e">save</span>(invoice); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> stepRepo.<span style="color:#a6e22e">save</span>(WorkflowStepEntity.<span style="color:#a6e22e">builder</span>() </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">invoiceId</span>(invoiceId) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">stepOrder</span>(nextStep(invoiceId)) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">groupName</span>(resolveGroup(rejectedBy)) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">status</span>(<span style="color:#e6db74">&#34;REJECTED&#34;</span>) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">actedBy</span>(rejectedBy) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">actedAt</span>(Instant.<span style="color:#a6e22e">now</span>()) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">remarks</span>(remarks) </span></span><span style="display:flex;"><span> .<span style="color:#a6e22e">build</span>()); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">assertStatus</span>(InvoiceEntity invoice, String... allowed) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>Set.<span style="color:#a6e22e">of</span>(allowed).<span style="color:#a6e22e">contains</span>(invoice.<span style="color:#a6e22e">getStatus</span>())) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> BusinessException(<span style="color:#e6db74">&#34;Invoice is in status &#34;</span> <span style="color:#f92672">+</span> invoice.<span style="color:#a6e22e">getStatus</span>() </span></span><span style="display:flex;"><span> <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;; expected one of &#34;</span> <span style="color:#f92672">+</span> Arrays.<span style="color:#a6e22e">toString</span>(allowed)); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">int</span> <span style="color:#a6e22e">nextStep</span>(Long invoiceId) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> stepRepo.<span style="color:#a6e22e">countByInvoiceId</span>(invoiceId) <span style="color:#f92672">+</span> 1; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="wiring-to-a-palmyra-handler">Wiring to a Palmyra handler<a class="anchor" href="#wiring-to-a-palmyra-handler">#</a></h2> <p>The handler gates the status transitions; the workflow service owns the logic.</p> Row-level data scoping https://palmyra.dev/docs/tutorial/backend/advanced/row-level-security/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/row-level-security/ <h1 id="row-level-data-scoping">Row-level data scoping<a class="anchor" href="#row-level-data-scoping">#</a></h1> <p>Palmyra&rsquo;s <code>@Permission</code> and the ACL extension control <strong>what operations</strong> a user can perform — feature-level security. <strong>Which rows</strong> the user can see or edit is a different concern — data-level security. This page shows how to implement row-level scoping through <code>applyQueryFilter</code> and a shared access-manager class.</p> <h2 id="the-scenario">The scenario<a class="anchor" href="#the-scenario">#</a></h2> <p>Users belong to departments. A regular user should see only records in their own department. Specific senior roles (director, secretary) see everything. The scoping applies to every list endpoint, every export, and every dashboard query.</p> Child entity handlers with nested URLs https://palmyra.dev/docs/tutorial/backend/advanced/nested-resource-handlers/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/nested-resource-handlers/ <h1 id="child-entity-handlers-with-nested-urls">Child entity handlers with nested URLs<a class="anchor" href="#child-entity-handlers-with-nested-urls">#</a></h1> <p>When an entity only makes sense in the context of a parent — line items under a purchase, comments under a ticket, attachments under a document — scope the URL under the parent and use the path variable to filter queries and inject the FK on writes.</p> <h2 id="the-pattern">The pattern<a class="anchor" href="#the-pattern">#</a></h2> <p>A purchase has many line items. The line-item handler mounts under <code>/purchase/{purchaseId}/purchaseLineItem</code>, reads <code>purchaseId</code> from the URL on every request, and:</p> Email notifications with outbox pattern https://palmyra.dev/docs/tutorial/backend/advanced/email-outbox/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/email-outbox/ <h1 id="email-notifications-with-outbox-pattern">Email notifications with outbox pattern<a class="anchor" href="#email-notifications-with-outbox-pattern">#</a></h1> <p>Never send email inline from a handler hook — it blocks the HTTP response, fails silently on SMTP errors, and can&rsquo;t retry. Instead, write a log row with status <code>PENDING</code> and let a <code>@Scheduled</code> background job process the queue.</p> <p>This page covers the full pattern: the log entity, writing from handler hooks, the email service, the scheduled processor, and other useful scheduled jobs that follow the same shape.</p> Automatic JPA audit fields https://palmyra.dev/docs/tutorial/backend/advanced/jpa-audit-listener/ Mon, 01 Jan 0001 00:00:00 +0000 https://palmyra.dev/docs/tutorial/backend/advanced/jpa-audit-listener/ <h1 id="automatic-jpa-audit-fields-with-entitylisteners">Automatic JPA audit fields with EntityListeners<a class="anchor" href="#automatic-jpa-audit-fields-with-entitylisteners">#</a></h1> <p>When every table needs <code>created_by</code>, <code>created_on</code>, <code>last_upd_by</code>, <code>last_upd_on</code> — and you want them populated from Spring Security without repeating the logic per entity — use a JPA <code>@EntityListeners</code> approach alongside your Palmyra handlers.</p> <h2 id="reusable-audit-base">Reusable audit base<a class="anchor" href="#reusable-audit-base">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#75715e">// Embeddable timestamps</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@Embeddable</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@Getter</span> <span style="color:#a6e22e">@Setter</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">Timestamps</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Column</span>(name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;created_on&#34;</span>, updatable <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) <span style="color:#66d9ef">private</span> Instant createdOn; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Column</span>(name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;created_by&#34;</span>, updatable <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>, length <span style="color:#f92672">=</span> 128) <span style="color:#66d9ef">private</span> String createdBy; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Column</span>(name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;last_upd_on&#34;</span>) <span style="color:#66d9ef">private</span> Instant lastUpdOn; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Column</span>(name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;last_upd_by&#34;</span>, length <span style="color:#f92672">=</span> 128) <span style="color:#66d9ef">private</span> String lastUpdBy; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// Marker interface</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">interface</span> <span style="color:#a6e22e">Auditable</span> { </span></span><span style="display:flex;"><span> Timestamps <span style="color:#a6e22e">getTimestamps</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">setTimestamps</span>(Timestamps ts); </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="the-listener">The listener<a class="anchor" href="#the-listener">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">AuditListener</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@PrePersist</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">prePersist</span>(Object entity) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (entity <span style="color:#66d9ef">instanceof</span> Auditable a) { </span></span><span style="display:flex;"><span> Timestamps ts <span style="color:#f92672">=</span> a.<span style="color:#a6e22e">getTimestamps</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (ts <span style="color:#f92672">==</span> <span style="color:#66d9ef">null</span>) { ts <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> Timestamps(); a.<span style="color:#a6e22e">setTimestamps</span>(ts); } </span></span><span style="display:flex;"><span> String user <span style="color:#f92672">=</span> currentUser(); </span></span><span style="display:flex;"><span> Instant now <span style="color:#f92672">=</span> Instant.<span style="color:#a6e22e">now</span>(); </span></span><span style="display:flex;"><span> ts.<span style="color:#a6e22e">setCreatedOn</span>(now); </span></span><span style="display:flex;"><span> ts.<span style="color:#a6e22e">setCreatedBy</span>(user); </span></span><span style="display:flex;"><span> ts.<span style="color:#a6e22e">setLastUpdOn</span>(now); </span></span><span style="display:flex;"><span> ts.<span style="color:#a6e22e">setLastUpdBy</span>(user); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@PreUpdate</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">public</span> <span style="color:#66d9ef">void</span> <span style="color:#a6e22e">preUpdate</span>(Object entity) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (entity <span style="color:#66d9ef">instanceof</span> Auditable a) { </span></span><span style="display:flex;"><span> Timestamps ts <span style="color:#f92672">=</span> a.<span style="color:#a6e22e">getTimestamps</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (ts <span style="color:#f92672">==</span> <span style="color:#66d9ef">null</span>) { ts <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> Timestamps(); a.<span style="color:#a6e22e">setTimestamps</span>(ts); } </span></span><span style="display:flex;"><span> ts.<span style="color:#a6e22e">setLastUpdOn</span>(Instant.<span style="color:#a6e22e">now</span>()); </span></span><span style="display:flex;"><span> ts.<span style="color:#a6e22e">setLastUpdBy</span>(currentUser()); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> String <span style="color:#a6e22e">currentUser</span>() { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">var</span> auth <span style="color:#f92672">=</span> SecurityContextHolder.<span style="color:#a6e22e">getContext</span>().<span style="color:#a6e22e">getAuthentication</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (auth <span style="color:#f92672">!=</span> <span style="color:#66d9ef">null</span> <span style="color:#f92672">&amp;&amp;</span> auth.<span style="color:#a6e22e">isAuthenticated</span>()) <span style="color:#f92672">?</span> auth.<span style="color:#a6e22e">getName</span>() : <span style="color:#e6db74">&#34;system&#34;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><h2 id="applying-to-an-entity">Applying to an entity<a class="anchor" href="#applying-to-an-entity">#</a></h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#a6e22e">@Entity</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@Table</span>(name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;project&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@EntityListeners</span>(AuditListener.<span style="color:#a6e22e">class</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@Getter</span> <span style="color:#a6e22e">@Setter</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">public</span> <span style="color:#66d9ef">class</span> <span style="color:#a6e22e">ProjectEntity</span> <span style="color:#66d9ef">implements</span> Auditable { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Id</span> <span style="color:#a6e22e">@GeneratedValue</span>(strategy <span style="color:#f92672">=</span> GenerationType.<span style="color:#a6e22e">IDENTITY</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> Long id; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Column</span>(nullable <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) <span style="color:#66d9ef">private</span> String name; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Column</span>(nullable <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>) <span style="color:#66d9ef">private</span> String status; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">@Embedded</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">private</span> Timestamps timestamps <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> Timestamps(); </span></span><span style="display:flex;"><span>}</span></span></code></pre></div><p>Every <code>entityManager.persist(project)</code> and <code>entityManager.merge(project)</code> now stamps the four audit columns — no handler code needed for JPA-managed saves.</p>