diff --git a/app/controllers/app.js b/app/controllers/app.js index b6840431..f44d3ba8 100755 --- a/app/controllers/app.js +++ b/app/controllers/app.js @@ -65,7 +65,7 @@ function handleQuery(req, res){ try { if (!_.isString(sql)) throw new Error("You must indicate a sql query"); - var pg, explain_result; + var pg; // 1. Get database from redis via the username stored in the host header subdomain // 2. Run the request through OAuth to get R/W user id if signed @@ -79,6 +79,7 @@ function handleQuery(req, res){ function setDBGetUser(err, data) { if (err) throw err; database = (data == "" || _.isNull(data)) ? database : data; + if(api_key) { ApiKeyAuth.verifyRequest(req, this); } else { diff --git a/test/acceptance/app.auth.test.js b/test/acceptance/app.auth.test.js index 69516e82..45bb1a80 100644 --- a/test/acceptance/app.auth.test.js +++ b/test/acceptance/app.auth.test.js @@ -8,9 +8,9 @@ var app = require(global.settings.app_root + '/app/controllers/app') tests['valid api key should allow insert in protected tables'] = function(){ assert.response(app, { // view prepare_db.sh to see where to set api_key - url: "/api/v1/sql?api_key=1234&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('test')&database=cartodb_dev_user_1_db", + url: "/api/v1/sql?api_key=1234&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('test')", - headers: {host: 'vizzuality.cartodb.com' }, + headers: {host: 'vizzuality.localhost.lan:8080' }, method: 'GET' },{ status: 200 
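Review bot: The `if(api_key)` branch added in setDBGetUser (@@ -79) is not reflected in the step list from the previous hunk, where `// 2. Run the request through OAuth to get R/W user id if signed` now describes only one of the two authentication paths; I'd change it to `// 2. If api_key is given, verify it with ApiKeyAuth; otherwise run the request through OAuth to get the R/W user id if signed`. The check is a bare truthiness test, so `api_key=` with an empty value silently takes the OAuth path instead of being treated as an invalid key — acceptable if that is the intent, but worth a comment such as `// an empty api_key is treated as absent, not as a bad key`. The spacing also differs from the surrounding code (`if (err)` one line up versus `if(api_key)`). setDBGetUser and its else branch continue outside the hunk, and where api_key is parsed is not visible here, so how a rejected key is reported cannot be checked from this diff.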
@@ -20,7 +20,7 @@ tests['valid api key should allow insert in protected tables'] = function(){ tests['invalid api key should NOT allow insert in protected tables'] = function(){ assert.response(app, { // view prepare_db.sh to see where to set api_key - url: "/api/v1/sql?api_key=RAMBO&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('test')&database=cartodb_dev_user_1_db", + url: "/api/v1/sql?api_key=RAMBO&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('test')", headers: {host: 'vizzuality.cartodb.com' }, method: 'GET' diff --git a/test/test.sql b/test/test.sql index 5b7cb8d5..c9db9360 100644 --- a/test/test.sql +++ b/test/test.sql @@ -7,7 +7,7 @@ -- > createdb -Upostgres -hlocalhost -Ttemplate_postgis -Opostgres -EUTF8 cartodb_test_user_1_db -- > psql -Upostgres -hlocalhost cartodb_test_user_1_db < test.sql -- --- NOTE: requires a postgis template called template_postgis +-- NOTE: requires a postgis template called template_postgis with CDB functions included -- SET statement_timeout = 0; @@ -21,7 +21,32 @@ SET default_tablespace = ''; SET default_with_oids = false; +-- Return an array of table names used by a given query +CREATE OR REPLACE FUNCTION CDB_QueryTables(query text) +RETURNS name[] +AS $$ +DECLARE + exp XML; + tables NAME[]; +BEGIN + + EXECUTE 'EXPLAIN (FORMAT XML) ' || query INTO STRICT exp; + + -- Now need to extract all values of + + --RAISE DEBUG 'Explain: %', exp; + + tables := xpath('//x:Relation-Name/text()', exp, ARRAY[ARRAY['x', 'http://www.postgresql.org/2009/explain']]); + + --RAISE DEBUG 'Tables: %', tables; + + return tables; +END +$$ LANGUAGE 'plpgsql' VOLATILE STRICT; + + -- first table +DROP TABLE IF EXISTS untitle_table_4; CREATE TABLE untitle_table_4 ( updated_at timestamp without time zone DEFAULT now(), created_at timestamp without time zone DEFAULT now(), 
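Review bot: The negative test keeps `headers: {host: 'vizzuality.cartodb.com' }` while the positive test in the previous hunk (@@ -8) was switched to `vizzuality.localhost.lan:8080`, and with `&database=...` dropped from both URLs the database is presumably now resolved from that host header. If the cartodb.com subdomain no longer resolves in the test environment, the request may be rejected before the key is examined, so the test would pass for the wrong reason and stop proving that an invalid key is refused. I'd use the same host in both tests, `headers: {host: 'vizzuality.localhost.lan:8080' },`, and have the assertion check the specific error the key check produces rather than a generic failure. The expected response of this test lies outside the hunk.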
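Review bot: CDB_QueryTables builds its statement by concatenating the caller's text (`EXECUTE 'EXPLAIN (FORMAT XML) ' || query INTO STRICT exp;`), so whatever is passed as `query` is executed as-is inside the function; EXPLAIN without ANALYZE only plans, but planning can still evaluate immutable function calls, and nothing here checks that the string holds a single statement. Since the function relies on the caller having already validated the query, that contract should be stated on it, e.g. `-- query must be a single, already-validated SQL statement; it is planned (not run) via EXPLAIN, and the caller is responsible for sanitising it`. The header comment in the earlier hunk (@@ -7) now says the template ships with the CDB functions, yet this file re-creates CDB_QueryTables with CREATE OR REPLACE, which silently overwrites the template's version and lets the test fixture drift from the production definition — either drop this copy or add a comment noting that it must be kept in sync. The comment `-- Now need to extract all values of` is cut off mid-sentence and the two `--RAISE DEBUG` lines are leftover debugging output.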
@@ -62,6 +87,7 @@ ALTER TABLE ONLY untitle_table_4 ADD CONSTRAINT test_table_pkey PRIMARY KEY (car CREATE INDEX test_table_the_geom_idx ON untitle_table_4 USING gist (the_geom); CREATE INDEX test_table_the_geom_webmercator_idx ON untitle_table_4 USING gist (the_geom_webmercator); +DROP TABLE IF EXISTS private_table; CREATE TABLE private_table ( updated_at timestamp without time zone DEFAULT now(), created_at timestamp without time zone DEFAULT now(),