[PATCH 2/2] lib/sql: fix permissions for v2.0.0 on postgres
Stephen Finucane
stephen at that.guru
Mon Aug 28 23:29:27 AEST 2017
On Mon, 2017-08-28 at 19:39 +0800, Jeremy Kerr wrote:
> Some tables are no longer present, and others that are used by the web
> interface and mail parser need access permissions added.
>
> This change was required to get patchwork going on patchwork.ozlabs.org;
> there may be other permissions required, that we haven't hit yet. So,
> some review would be good here.
>
> Also: it's unlikely that we need DELETE for the mail parser, but I'm not
> confident enough to remove that at the moment.
>
> Signed-off-by: Jeremy Kerr <jk at ozlabs.org>
Some small comments below but this looks good to me. I'll wait a bit for other
comments before applying.
Reviewed-by: Stephen Finucane <stephen at that.guru>
> ---
> lib/sql/grant-all.postgres.sql | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/lib/sql/grant-all.postgres.sql b/lib/sql/grant-all.postgres.sql
> index 405ba44..c709866 100644
> --- a/lib/sql/grant-all.postgres.sql
> +++ b/lib/sql/grant-all.postgres.sql
> @@ -12,6 +12,7 @@ GRANT SELECT, UPDATE, INSERT, DELETE ON
> auth_group,
> auth_user_user_permissions,
> auth_permission,
> + authtoken_token,
Yup, forgot about that one.
> patchwork_emailconfirmation,
> patchwork_state,
> patchwork_comment,
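Review bot: authtoken_token, added to the SELECT, UPDATE, INSERT, DELETE list in this hunk, is the table Django REST framework's token authentication uses to store API tokens, so it deserves a one-line SQL comment saying which role needs write access to it and why. It is also worth confirming that the table stays out of every grant to "nobody", since the mail parser has no reason to read tokens.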
> @@ -47,9 +48,7 @@ GRANT SELECT, UPDATE ON
> patchwork_bundle_id_seq,
> patchwork_bundlepatch_id_seq,
> patchwork_comment_id_seq,
> - patchwork_submission_id_seq,
> patchwork_patch_id_seq,
> - patchwork_coverletter_id_seq,
So there's no id column now that these are JOINed with 'submission'? Makes
sense.
> patchwork_series_id_seq,
> patchwork_seriespatch_id_seq,
> patchwork_seriesreference_id_seq,
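Review bot: patchwork_submission_id_seq is dropped from this sequence list while patchwork_patch_id_seq stays, which reads oddly next to the rest of the patch, where patchwork_submission is still granted as a table with INSERT. If patchwork_patch_id_seq is the sequence that backs submission ids, a short comment above this GRANT saying so would keep the next reader from re-adding the removed name.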
> @@ -69,16 +68,17 @@ TO "www-data";
> -- cover letters) and series
> GRANT INSERT, SELECT ON
> patchwork_submission,
> - patchwork_patch,
> patchwork_coverletter,
> - patchwork_series,
> patchwork_seriespatch,
> patchwork_seriesreference,
> patchwork_comment,
> - patchwork_person
> + patchwork_event
> TO "nobody";
> GRANT INSERT, SELECT, UPDATE, DELETE ON
As you say, I can't see why DELETE would be necessary for this, but I'm also
not confident enough to remove this.
> - patchwork_patchtag
> + patchwork_patchtag,
> + patchwork_patch,
> + patchwork_series,
> + patchwork_person
I'm assuming the UPDATE permission is required due to how series work. Makes
sense.
> TO "nobody";
> GRANT SELECT ON
> patchwork_project,
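Review bot: moving patchwork_patch, patchwork_series and patchwork_person into the INSERT, SELECT, UPDATE, DELETE block gives "nobody" DELETE on three more tables, although the commit message says DELETE is unlikely to be needed by the mail parser. Consider a separate GRANT INSERT, SELECT, UPDATE ON ... TO "nobody" statement for the three moved tables, leaving DELETE on patchwork_patchtag only as before, or at least add a comment marking DELETE as a candidate for removal.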
> @@ -87,15 +87,14 @@ GRANT SELECT ON
> patchwork_delegationrule
> TO "nobody";
> GRANT UPDATE, SELECT ON
> - patchwork_submission_id_seq,
> patchwork_patch_id_seq,
> - patchwork_coverletter_id_seq,
> patchwork_series_id_seq,
> patchwork_seriespatch_id_seq,
> patchwork_seriesreference_id_seq,
> patchwork_person_id_seq,
> patchwork_comment_id_seq,
> - patchwork_patchtag_id_seq
> + patchwork_patchtag_id_seq,
> + patchwork_event_id_seq
> TO "nobody";
>
> COMMIT;
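Review bot: the sequence grant to "nobody" is still GRANT UPDATE, SELECT, and on a PostgreSQL sequence UPDATE permits setval as well as nextval. USAGE covers nextval and currval, which is what an INSERT needs, so GRANT USAGE ON for this list (now including patchwork_event_id_seq) would be the tighter choice as a follow-up.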