From 12e90ef6a42564a5bf71a4b98d3687c4fd7d203c Mon Sep 17 00:00:00 2001 From: Raul Ochoa Date: Tue, 24 Jun 2014 19:56:17 +0200 Subject: [PATCH] CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it --- scripts-available/CDB_Organizations.sql | 45 +++++++++++++++++++++++++ test/organization/test.sh | 37 ++++++++++++++++++++ 2 files changed, 82 insertions(+) diff --git a/scripts-available/CDB_Organizations.sql b/scripts-available/CDB_Organizations.sql index 0b531a6..19d09ec 100644 --- a/scripts-available/CDB_Organizations.sql +++ b/scripts-available/CDB_Organizations.sql @@ -1,3 +1,22 @@ +DO LANGUAGE 'plpgsql' $$ +BEGIN + IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= 'cdb_org_member' ) + THEN + CREATE ROLE cdb_org_member NOLOGIN; + END IF; +END +$$; + +CREATE OR REPLACE +FUNCTION cartodb.CDB_Organization_Create_Member(role_name text) + RETURNS void +AS $$ +BEGIN + EXECUTE 'GRANT cdb_org_member TO "' || role_name || '"'; +END +$$ LANGUAGE PLPGSQL VOLATILE; + + ------------------------------------------------------------------------------- -- Sharing tables ------------------------------------------------------------------------------- @@ -11,6 +30,14 @@ BEGIN END $$ LANGUAGE PLPGSQL VOLATILE; +CREATE OR REPLACE +FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Permission(from_schema text, table_name text) + RETURNS void +AS $$ +BEGIN + EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Permission(''' || from_schema || ''', ''' || table_name || ''', ''cdb_org_member'');'; +END +$$ LANGUAGE PLPGSQL VOLATILE; CREATE OR REPLACE FUNCTION cartodb.CDB_Organization_Add_Table_Read_Write_Permission(from_schema text, table_name text, to_role_name text) @@ -22,6 +49,15 @@ BEGIN END $$ LANGUAGE PLPGSQL VOLATILE; +CREATE OR REPLACE +FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Write_Permission(from_schema text, table_name text) + RETURNS void +AS $$ +BEGIN + EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Write_Permission(''' || from_schema || ''', ''' || table_name || ''', ''cdb_org_member'');'; +END +$$ LANGUAGE PLPGSQL VOLATILE; + CREATE OR REPLACE FUNCTION cartodb.CDB_Organization_Remove_Access_Permission(from_schema text, table_name text, to_role_name text) @@ -34,3 +70,12 @@ BEGIN -- any permission granted within the schema from_schema END $$ LANGUAGE PLPGSQL VOLATILE; + +CREATE OR REPLACE +FUNCTION cartodb.CDB_Organization_Remove_Organization_Access_Permission(from_schema text, table_name text) + RETURNS void +AS $$ +BEGIN + EXECUTE 'SELECT cartodb.CDB_Organization_Remove_Access_Permission(''' || from_schema || ''', ''' || table_name || ''', ''cdb_org_member'');'; +END +$$ LANGUAGE PLPGSQL VOLATILE; diff --git a/test/organization/test.sh b/test/organization/test.sh index 9d6cb13..017ced9 100644 --- a/test/organization/test.sh +++ b/test/organization/test.sh @@ -89,8 +89,18 @@ function create_role_and_schema() { sql "CREATE ROLE ${ROLE} LOGIN;" sql "GRANT CONNECT ON DATABASE \"${DATABASE}\" TO ${ROLE};" sql "CREATE SCHEMA ${ROLE} AUTHORIZATION ${ROLE};" + sql "SELECT cartodb.CDB_Organization_Create_Member('${ROLE}')" } + +function drop_role_and_schema() { + local ROLE=$1 + sql "DROP SCHEMA \"${ROLE}\";" + sql "REVOKE CONNECT ON DATABASE \"${DATABASE}\" FROM \"${ROLE}\";" + sql "DROP ROLE \"${ROLE}\";" +} + + function create_table() { if [[ $# -ne 2 ]] then @@ -256,6 +266,33 @@ function test_giving_permissions_to_two_tables_and_removing_from_first_table_sho sql cdb_testmember_1 'DROP TABLE cdb_testmember_1.foo_2;' } +function test_cdb_org_member_role_allows_reading_to_all_users_without_explicit_permission() { + sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' fails + sql cdb_testmember_1 "SELECT cartodb.CDB_Organization_Add_Table_Organization_Read_Permission('cdb_testmember_1', 'foo');" + sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5 +} + +function test_user_can_read_when_it_has_permission_after_organization_permission_is_removed() { + create_role_and_schema cdb_testmember_3 + + # shares with cdb_testmember_2 and can read but cdb_testmember_3 cannot + sql cdb_testmember_1 "SELECT * FROM cartodb.CDB_Organization_Add_Table_Read_Permission('cdb_testmember_1', 'foo', 'cdb_testmember_2')" + sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5 + sql cdb_testmember_3 'SELECT count(*) FROM cdb_testmember_1.foo;' fails + + # granting to organization allows to read to both: cdb_testmember_2 and cdb_testmember_3 + sql cdb_testmember_1 "SELECT cartodb.CDB_Organization_Add_Table_Organization_Read_Permission('cdb_testmember_1', 'foo');" + sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5 + sql cdb_testmember_3 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5 + + # removing access from organization should keep permission on cdb_testmember_2 but drop it to cdb_testmember_3 + sql cdb_testmember_1 "SELECT cartodb.CDB_Organization_Remove_Organization_Access_Permission('cdb_testmember_1', 'foo');" + sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5 + sql cdb_testmember_3 'SELECT count(*) FROM cdb_testmember_1.foo;' fails + + drop_role_and_schema cdb_testmember_3 +} + #################################################### TESTS END HERE ####################################################