Use 'publicuser' as public role, not 'public', closes #95.

This is consistent with cartodb behaviour, but not exactly
the same as the contract that the 'public' role guarantees
access to public resources. Possibly a better fix would be
to audit (ug) everything and make sure that it's really
using the public role to mean public, rather than the
'publicuser' connection role that CDB creates.
This commit is contained in:
Paul Ramsey 2015-07-07 05:49:28 -07:00
parent 8516cbd4c3
commit 734561de4c
3 changed files with 16 additions and 14 deletions


@ -12,16 +12,14 @@ AS $$
SELECT c.relname
FROM pg_class c
JOIN pg_roles r ON r.oid = c.relowner
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE r.rolname = current_user
AND c.relkind = 'r'
WHERE c.relkind = 'r'
AND c.relname NOT IN ('cdb_tablemetadata', 'spatial_ref_sys')
AND n.nspname NOT IN ('pg_catalog', 'information_schema')
AND CASE WHEN perm = 'public' THEN has_table_privilege('public', c.oid, 'SELECT')
WHEN perm = 'private' THEN has_table_privilege(c.oid, 'SELECT') AND NOT
has_table_privilege('public', c.oid, 'SELECT')
WHEN perm = 'all' THEN has_table_privilege(c.oid, 'SELECT')
AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'topology')
AND CASE WHEN perm = 'public' THEN has_table_privilege('publicuser', c.oid, 'SELECT')
WHEN perm = 'private' THEN (has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege(current_user, c.oid, 'SELECT'))
AND NOT has_table_privilege('publicuser', c.oid, 'SELECT')
WHEN perm = 'all' THEN has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege('publicuser', c.oid, 'SELECT')
ELSE false END;
$$ LANGUAGE 'sql';
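Review bot: Every branch of the new CASE calls `has_table_privilege('publicuser', c.oid, 'SELECT')`, and has_table_privilege() raises an error for a role name that does not exist, so on a database without a `publicuser` role CDB_UserTables() now fails instead of returning an empty set; the test file's new `CREATE ROLE publicuser;` is what keeps the regression suite passing. That dependency belongs at the top of the function body, e.g. `-- requires the 'publicuser' role (CartoDB's public connection role); has_table_privilege() errors if it is absent`, or the CASE can be guarded with `EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'publicuser')`. With `r.rolname = current_user` removed, the `JOIN pg_roles r ON r.oid = c.relowner` above it is no longer referenced and can be dropped, and the result set is no longer limited to tables the caller owns: 'all' and 'public' now list tables owned by other roles in every non-system schema, which matches the cartodb behaviour the commit message describes but should be stated in the function's documentation. The function header and the `perm` parameter are outside the hunk.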


@ -1,11 +1,13 @@
create table pub(a int);
create table prv(a int);
GRANT SELECT ON TABLE pub TO public;
REVOKE SELECT ON TABLE prv FROM public;
CREATE ROLE publicuser;
CREATE TABLE pub(a int);
CREATE TABLE prv(a int);
GRANT SELECT ON TABLE pub TO publicuser;
REVOKE SELECT ON TABLE prv FROM publicuser;
SELECT CDB_UserTables() ORDER BY 1;
SELECT 'all',CDB_UserTables('all') ORDER BY 2;
SELECT 'public',CDB_UserTables('public') ORDER BY 2;
SELECT 'private',CDB_UserTables('private') ORDER BY 2;
SELECT '--unsupported--',CDB_UserTables('--unsupported--') ORDER BY 2;
drop table pub;
drop table prv;
DROP TABLE pub;
DROP TABLE prv;
DROP ROLE publicuser;
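Review bot: `CREATE ROLE publicuser;` on the first new line and the closing `DROP ROLE publicuser;` assume the role is absent before the test and belongs to the test afterwards; on a cluster where CartoDB has already provisioned `publicuser`, the CREATE fails and, if the runner continues, the DROP removes a role that other databases in the cluster depend on, since roles are cluster-wide. Suggest creating it only when `NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'publicuser')` and skipping the final DROP when the role pre-existed, or running the suite against a throwaway cluster. Separately, because the script runs as the connecting role (presumably the owner of pub and prv), the 'private' branch is only exercised for the owner; a second role without SELECT on `prv` would cover the non-owner `current_user` path.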


@ -1,3 +1,4 @@
CREATE ROLE
CREATE TABLE
CREATE TABLE
GRANT
@ -10,3 +11,4 @@ public|pub
private|prv
DROP TABLE
DROP TABLE
DROP ROLE