Use 'publicuser' as public role, not 'public', closes #95.
This is consistent with cartodb behaviour, but not exactly the same as the contract that the 'public' role guarantees access to public resources. Possibly a better fix would be to audit (ug) everything and make sure that it's really using the public role to mean public, rather than the 'publicuser' connection role that CDB creates.
parent
8516cbd4c3
commit
734561de4c
@ -12,16 +12,14 @@ AS $$
|
||||
|
||||
SELECT c.relname
|
||||
FROM pg_class c
|
||||
JOIN pg_roles r ON r.oid = c.relowner
|
||||
JOIN pg_namespace n ON n.oid = c.relnamespace
|
||||
WHERE r.rolname = current_user
|
||||
AND c.relkind = 'r'
|
||||
WHERE c.relkind = 'r'
|
||||
AND c.relname NOT IN ('cdb_tablemetadata', 'spatial_ref_sys')
|
||||
AND n.nspname NOT IN ('pg_catalog', 'information_schema')
|
||||
AND CASE WHEN perm = 'public' THEN has_table_privilege('public', c.oid, 'SELECT')
|
||||
WHEN perm = 'private' THEN has_table_privilege(c.oid, 'SELECT') AND NOT
|
||||
has_table_privilege('public', c.oid, 'SELECT')
|
||||
WHEN perm = 'all' THEN has_table_privilege(c.oid, 'SELECT')
|
||||
AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'topology')
|
||||
AND CASE WHEN perm = 'public' THEN has_table_privilege('publicuser', c.oid, 'SELECT')
|
||||
WHEN perm = 'private' THEN (has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege(current_user, c.oid, 'SELECT'))
|
||||
AND NOT has_table_privilege('publicuser', c.oid, 'SELECT')
|
||||
WHEN perm = 'all' THEN has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege('publicuser', c.oid, 'SELECT')
|
||||
ELSE false END;
|
||||
|
||||
$$ LANGUAGE 'sql';
|
||||
|
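Review bot: The `perm = 'all'` and `perm = 'private'` branches test `has_table_privilege(c.relowner, c.oid, 'SELECT')`, which is normally true for every table because an owner holds SELECT on its own relation by default. If `WHERE r.rolname = current_user` is the line this change removes, as the listing suggests, the function now appears to return table names from every non-excluded schema regardless of who owns them or whether the caller can read them. That is a metadata disclosure in any database shared by several roles. If it is not intended, scope the check to the caller, e.g. `WHEN perm = 'all' THEN has_table_privilege(current_user, c.oid, 'SELECT')`, and drop the `c.relowner` operand from the `'private'` branch. Separately, `has_table_privilege('publicuser', …)` raises an error when that role does not exist, so a comment stating the dependency would help; the function body begins outside this hunk.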
@ -1,11 +1,13 @@
|
||||
create table pub(a int);
|
||||
create table prv(a int);
|
||||
GRANT SELECT ON TABLE pub TO public;
|
||||
REVOKE SELECT ON TABLE prv FROM public;
|
||||
CREATE ROLE publicuser;
|
||||
CREATE TABLE pub(a int);
|
||||
CREATE TABLE prv(a int);
|
||||
GRANT SELECT ON TABLE pub TO publicuser;
|
||||
REVOKE SELECT ON TABLE prv FROM publicuser;
|
||||
SELECT CDB_UserTables() ORDER BY 1;
|
||||
SELECT 'all',CDB_UserTables('all') ORDER BY 2;
|
||||
SELECT 'public',CDB_UserTables('public') ORDER BY 2;
|
||||
SELECT 'private',CDB_UserTables('private') ORDER BY 2;
|
||||
SELECT '--unsupported--',CDB_UserTables('--unsupported--') ORDER BY 2;
|
||||
drop table pub;
|
||||
drop table prv;
|
||||
DROP TABLE pub;
|
||||
DROP TABLE prv;
|
||||
DROP ROLE publicuser;
|
||||
|
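Review bot: `CREATE ROLE publicuser` and `DROP ROLE publicuser` act on a cluster-wide object, so this script fails at its first statement on any cluster where the role already exists. Where the drop succeeds, it removes a role that other databases may rely on. Consider creating the role only when `pg_roles` has no row for it, and dropping it only if the test created it. The fixtures also cover only tables owned by the calling role; a table owned by a second role that the caller cannot read would pin down what `'all'` and `'private'` are meant to return.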
@ -1,3 +1,4 @@
|
||||
CREATE ROLE
|
||||
CREATE TABLE
|
||||
CREATE TABLE
|
||||
GRANT
|
||||
@ -10,3 +11,4 @@ public|pub
|
||||
private|prv
|
||||
DROP TABLE
|
||||
DROP TABLE
|
||||
DROP ROLE
|
||||
|