cartodb4/cartodb-postgresql
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use 'publicuser' as public role, not 'public', closes #95.

Browse Source 
This is consistent with cartodb behaviour, but not exactly
the same as the contract that the 'public' role guarantees
access to public resources. Possibly a better fix would be
to audit (ug) everything and make sure that it's really
using the public role to mean public, rather than the
'publicuser' connection role. That CDB creates.
This commit is contained in:
Paul Ramsey 2015-07-07 05:49:28 -07:00
parent 8516cbd4c3
commit 734561de4c
3 changed files with 16 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
scripts-available/CDB_UserTables.sql
View File

@ -12,16 +12,14 @@ AS $$
SELECT c.relname SELECT c.relname
FROM pg_class c FROM pg_class c
JOIN pg_roles r ON r.oid = c.relowner
JOIN pg_namespace n ON n.oid = c.relnamespace JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE r.rolname = current_user WHERE c.relkind = 'r'
AND c.relkind = 'r'
AND c.relname NOT IN ('cdb_tablemetadata', 'spatial_ref_sys') AND c.relname NOT IN ('cdb_tablemetadata', 'spatial_ref_sys')
AND n.nspname NOT IN ('pg_catalog', 'information_schema') AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'topology')
AND CASE WHEN perm = 'public' THEN has_table_privilege('public', c.oid, 'SELECT') AND CASE WHEN perm = 'public' THEN has_table_privilege('publicuser', c.oid, 'SELECT')
WHEN perm = 'private' THEN has_table_privilege(c.oid, 'SELECT') AND NOT WHEN perm = 'private' THEN (has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege(current_user, c.oid, 'SELECT'))
has_table_privilege('public', c.oid, 'SELECT') AND NOT has_table_privilege('publicuser', c.oid, 'SELECT')
WHEN perm = 'all' THEN has_table_privilege(c.oid, 'SELECT') WHEN perm = 'all' THEN has_table_privilege(c.relowner, c.oid, 'SELECT') OR has_table_privilege('publicuser', c.oid, 'SELECT')
ELSE false END; ELSE false END;
$$ LANGUAGE 'sql'; $$ LANGUAGE 'sql';

14
test/CDB_UserTablesTest.sql
View File

@ -1,11 +1,13 @@
create table pub(a int); CREATE ROLE publicuser;
create table prv(a int); CREATE TABLE pub(a int);
GRANT SELECT ON TABLE pub TO public; CREATE TABLE prv(a int);
REVOKE SELECT ON TABLE prv FROM public; GRANT SELECT ON TABLE pub TO publicuser;
REVOKE SELECT ON TABLE prv FROM publicuser;
SELECT CDB_UserTables() ORDER BY 1; SELECT CDB_UserTables() ORDER BY 1;
SELECT 'all',CDB_UserTables('all') ORDER BY 2; SELECT 'all',CDB_UserTables('all') ORDER BY 2;
SELECT 'public',CDB_UserTables('public') ORDER BY 2; SELECT 'public',CDB_UserTables('public') ORDER BY 2;
SELECT 'private',CDB_UserTables('private') ORDER BY 2; SELECT 'private',CDB_UserTables('private') ORDER BY 2;
SELECT '--unsupported--',CDB_UserTables('--unsupported--') ORDER BY 2; SELECT '--unsupported--',CDB_UserTables('--unsupported--') ORDER BY 2;
drop table pub; DROP TABLE pub;
drop table prv; DROP TABLE prv;
DROP ROLE publicuser;

2
test/CDB_UserTablesTest_expect
View File

@ -1,3 +1,4 @@
CREATE ROLE
CREATE TABLE CREATE TABLE
CREATE TABLE CREATE TABLE
GRANT GRANT
@ -10,3 +11,4 @@ public|pub
private|prv private|prv
DROP TABLE DROP TABLE
DROP TABLE DROP TABLE
DROP ROLE