[PATCH] lib: Grant SELECT on auth_user
Stephen Finucane
stephen at that.guru
Sun Nov 29 04:35:05 AEDT 2020
If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.
Signed-off-by: Stephen Finucane <stephen at that.guru>
Suggested-by: Ali Alnubani <alialnu at mellanox.com>
Closes: #365
---
I'll backport to this stable/2.2 if this makes sense to people.
---
lib/sql/grant-all.mysql.sql | 1 +
lib/sql/grant-all.postgres.sql | 1 +
2 files changed, 2 insertions(+)
diff --git lib/sql/grant-all.mysql.sql lib/sql/grant-all.mysql.sql
index 98cb4557..e0314a35 100644
--- lib/sql/grant-all.mysql.sql
+++ lib/sql/grant-all.mysql.sql
@@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost;
GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost;
GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost;
GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost;
+GRANT SELECT ON auth_user TO 'nobody'@localhost;
GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost;
GRANT SELECT ON patchwork_project TO 'nobody'@localhost;
GRANT SELECT ON patchwork_state TO 'nobody'@localhost;
diff --git lib/sql/grant-all.postgres.sql lib/sql/grant-all.postgres.sql
index a85326e0..a3b192b4 100644
--- lib/sql/grant-all.postgres.sql
+++ lib/sql/grant-all.postgres.sql
@@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON
patchwork_series
TO "nobody";
GRANT SELECT ON
+ auth_user,
patchwork_delegationrule,
patchwork_project,
patchwork_state,
--
2.28.0
More information about the Patchwork
mailing list