Drop role management

Roles are not created anymore; the previously private functions for table
information extraction (CDB_UserTables, CDB_TableIndexes, CDB_ColumnNames,
CDB_ColumnType) are now callable by anyone, but only return
information about tables over which the calling user has SELECT privilege.

Closes #36
master
Sandro Santilli 10 years ago
parent edc56e60ee
commit 01ae7b8c10

@ -6,7 +6,6 @@ EXTVERSION = 0.2.0dev
SED = sed SED = sed
CDBSCRIPTS = \ CDBSCRIPTS = \
scripts-available/CDB_Roles.sql \
scripts-enabled/*.sql \ scripts-enabled/*.sql \
scripts-available/CDB_SearchPath.sql \ scripts-available/CDB_SearchPath.sql \
scripts-available/CDB_DDLTriggers.sql \ scripts-available/CDB_DDLTriggers.sql \

@ -4,6 +4,10 @@
Important changes: Important changes:
- This release adds dependency on "plpythonu" extension - This release adds dependency on "plpythonu" extension
- Roles are not created anymore, previously private functions
for table information extraction will now be callable by
anyone while only returning information about tables over
which the calling user has SELECT privilege (#36)
Bug fixes: Bug fixes:

@ -11,6 +11,3 @@ AS $$
$$ LANGUAGE SQL; $$ LANGUAGE SQL;
-- This is a private function, so only the db owner need privileges
REVOKE ALL ON FUNCTION CDB_ColumnNames(REGCLASS) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION CDB_ColumnNames(REGCLASS) TO ":DATABASE_USERNAME";
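Review bot: Dropping the `REVOKE ALL ... FROM PUBLIC` here leaves CDB_ColumnNames(REGCLASS) with PostgreSQL's default function privilege, which grants EXECUTE to PUBLIC, so the SELECT-privilege gate the commit message promises has to live in the function body, and that body is above this hunk and not visible here; the same applies to CDB_ColumnType(REGCLASS, TEXT) in the next section. Unlike CDB_TableIndexes, whose hunk shows it filtering through `CDB_UserTables()`, nothing in these two hunks shows a has_table_privilege() test, so unless the bodies already gate on it, a predicate such as `WHERE has_table_privilege($1, 'SELECT')` is needed (the REGCLASS argument is accepted directly by the oid form of has_table_privilege). The removed comment should also be replaced rather than deleted, e.g. `-- Callable by anyone; returns rows only for tables the caller can SELECT from`, so the next reader knows the access check is intentional and where it is enforced.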

@ -12,6 +12,3 @@ AS $$
$$ LANGUAGE SQL; $$ LANGUAGE SQL;
-- This is a private function, so only the db owner need privileges
REVOKE ALL ON FUNCTION CDB_ColumnType(REGCLASS, TEXT) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION CDB_ColumnType(REGCLASS, TEXT) TO ":DATABASE_USERNAME";

@ -1,8 +1,3 @@
--LOAD 'schema_triggers.so';
--CREATE EXTENSION IF NOT EXISTS schema_triggers;
--GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA schema_triggers TO public;
-- Table creation -- Table creation
-- { -- {
CREATE OR REPLACE FUNCTION cartodb.cdb_handle_create_table () CREATE OR REPLACE FUNCTION cartodb.cdb_handle_create_table ()

@ -1,13 +0,0 @@
DO LANGUAGE 'plpgsql' $$
BEGIN
IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= 'cdb_org_admin' )
THEN
CREATE ROLE cdb_org_admin NOLOGIN;
END IF;
IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= 'cdb_org_user' )
THEN
CREATE ROLE cdb_org_user NOLOGIN;
END IF;
END
$$;

@ -17,10 +17,8 @@ AS $$
ON pg_class.oid = idx.indexrelid ON pg_class.oid = idx.indexrelid
WHERE pg_indexes.tablename = '' || $1 || '' WHERE pg_indexes.tablename = '' || $1 || ''
AND '' || $1 || '' IN (SELECT CDB_UserTables()) AND '' || $1 || '' IN (SELECT CDB_UserTables())
AND pg_class.relname=pg_indexes.indexname; AND pg_class.relname=pg_indexes.indexname
;
$$ LANGUAGE SQL; $$ LANGUAGE SQL;
-- This is a private function, so only the db owner need privileges
REVOKE ALL ON FUNCTION CDB_TableIndexes(REGCLASS) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION CDB_TableIndexes(REGCLASS) TO ":DATABASE_USERNAME";

@ -26,14 +26,14 @@ AS $$
FROM usertables FROM usertables
) )
SELECT t FROM perms SELECT t FROM perms
WHERE p = CASE WHEN $1 = 'private' THEN false WHERE (
p = CASE WHEN $1 = 'private' THEN false
WHEN $1 = 'public' THEN true WHEN $1 = 'public' THEN true
ELSE not p -- none ELSE not p -- none
END END
OR $1 = 'all' OR $1 = 'all'
)
AND has_table_privilege('public'||'.'||t, 'SELECT')
; ;
$$ LANGUAGE 'sql'; $$ LANGUAGE 'sql';
-- This is a private function, so only the db owner need privileges
REVOKE ALL ON FUNCTION CDB_UserTables(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION CDB_UserTables(text) TO ":DATABASE_USERNAME";
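Review bot: The new predicate `has_table_privilege('public'||'.'||t, 'SELECT')` builds the relation name by plain concatenation, so a table whose name needs quoting (mixed case, spaces, a dot) is looked up under the wrong identifier and has_table_privilege() raises "relation does not exist" for the whole query instead of filtering that one row. Use `has_table_privilege(quote_ident('public')||'.'||quote_ident(t), 'SELECT')`, or better resolve the table oid in the `usertables` CTE and pass that, which also removes the hard-coded `public` schema that the CTE (above this hunk, not visible here) may or may not share. has_table_privilege() likewise errors rather than returning false for a relation dropped between the CTE and the check; that is probably acceptable for a catalog helper but deserves a comment such as `-- has_table_privilege() errors (does not filter) if the table disappears mid-query`. CDB_UserTables's definition starts outside the hunk.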
