[PATCH] lib: Grant SELECT on auth_user

Stephen Finucane stephen at that.guru
Sun Nov 29 04:35:05 AEDT 2020


If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane <stephen at that.guru>
Suggested-by: Ali Alnubani <alialnu at mellanox.com>
Closes: #365
---
I'll backport this to stable/2.2 if this makes sense to people.
---
 lib/sql/grant-all.mysql.sql    | 1 +
 lib/sql/grant-all.postgres.sql | 1 +
 2 files changed, 2 insertions(+)

diff --git lib/sql/grant-all.mysql.sql lib/sql/grant-all.mysql.sql
index 98cb4557..e0314a35 100644
--- lib/sql/grant-all.mysql.sql
+++ lib/sql/grant-all.mysql.sql
@@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost;
 GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost;
+GRANT SELECT ON auth_user TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_project TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_state TO 'nobody'@localhost;
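Review bot: The added `GRANT SELECT ON auth_user TO 'nobody'@localhost;` line is table-wide, so the mail-parsing account can read every column, including the hashed and salted passwords the commit message refers to. MySQL accepts a column list in a grant, for example `GRANT SELECT (id, username, email) ON auth_user TO 'nobody'@localhost;`, which would keep the hashes unreadable to 'nobody'. That only works if the delegate lookup selects just those columns, and the column names here are Django's defaults, assumed rather than taken from the patch. If the table-wide grant is kept, the reasoning from the commit message should be recorded next to the line.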
diff --git lib/sql/grant-all.postgres.sql lib/sql/grant-all.postgres.sql
index a85326e0..a3b192b4 100644
--- lib/sql/grant-all.postgres.sql
+++ lib/sql/grant-all.postgres.sql
@@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON
 	patchwork_series
 TO "nobody";
 GRANT SELECT ON
+	auth_user,
 	patchwork_delegationrule,
 	patchwork_project,
 	patchwork_state,
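Review bot: Adding `auth_user,` to the shared `GRANT SELECT ON` list leaves no place for a comment or a narrower scope, and it is the only table in the visible list without the `patchwork_` prefix. Consider giving it its own statement with a one-line SQL comment naming the X-Patchwork-Delegate lookup as the reason, so a later reader auditing the "nobody" role can see why it reads the users table. A separate statement would also allow a PostgreSQL column-level grant if the read access is later narrowed.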
-- 
2.28.0


