[{"id":1758588,"web_url":"http://patchwork.ozlabs.org/comment/1758588/","msgid":"<1503926967.5702.9.camel@that.guru>","list_archive_url":null,"date":"2017-08-28T13:29:27","subject":"Re: [PATCH 2/2] lib/sql: fix permissions for v2.0.0 on postgres","submitter":{"id":69991,"url":"http://patchwork.ozlabs.org/api/people/69991/","name":"Stephen Finucane","email":"stephen@that.guru"},"content":"On Mon, 2017-08-28 at 19:39 +0800, Jeremy Kerr wrote:\n> Some tables are no longer present, and others that are used by the web\n> interface and mail parser need access permissions added.\n> \n> This change was required to get patchwork going on patchwork.ozlabs.org;\n> there may be other permissions required, that we haven't hit yet. So,\n> some review would be good here.\n> \n> Also: it's unlikely that we need DELETE for the mail parser, but I'm not\n> confident enough to remove that at the moment.\n> \n> Signed-off-by: Jeremy Kerr <jk@ozlabs.org>\n\nSome small comments below but this looks good to me. I'll wait a bit for other\ncomments before applying.\n\nReviewed-by: Stephen Finucane <stephen@that.guru>\n\n> ---\n>  lib/sql/grant-all.postgres.sql | 17 ++++++++---------\n>  1 file changed, 8 insertions(+), 9 deletions(-)\n> \n> diff --git a/lib/sql/grant-all.postgres.sql b/lib/sql/grant-all.postgres.sql\n> index 405ba44..c709866 100644\n> --- a/lib/sql/grant-all.postgres.sql\n> +++ b/lib/sql/grant-all.postgres.sql\n> @@ -12,6 +12,7 @@ GRANT SELECT, UPDATE, INSERT, DELETE ON\n>  \tauth_group,\n>  \tauth_user_user_permissions,\n>  \tauth_permission,\n> +\tauthtoken_token,\n\nYup, forgot about that one.\n\n>  \tpatchwork_emailconfirmation,\n>  \tpatchwork_state,\n>  \tpatchwork_comment,\n> 
@@ -47,9 +48,7 @@ GRANT SELECT, UPDATE ON\n>  \tpatchwork_bundle_id_seq,\n>  \tpatchwork_bundlepatch_id_seq,\n>  \tpatchwork_comment_id_seq,\n> -\tpatchwork_submission_id_seq,\n>  \tpatchwork_patch_id_seq,\n> -\tpatchwork_coverletter_id_seq,\n\nSo there's no id column now that these are JOINed with 'submission'? Makes\nsense.\n\n>  \tpatchwork_series_id_seq,\n>  \tpatchwork_seriespatch_id_seq,\n>  \tpatchwork_seriesreference_id_seq,\n> @@ -69,16 +68,17 @@ TO \"www-data\";\n>  -- cover letters) and series\n>  GRANT INSERT, SELECT ON\n>  \tpatchwork_submission,\n> -\tpatchwork_patch,\n>  \tpatchwork_coverletter,\n> -\tpatchwork_series,\n>  \tpatchwork_seriespatch,\n>  \tpatchwork_seriesreference,\n>  \tpatchwork_comment,\n> -\tpatchwork_person\n> +\tpatchwork_event\n>  TO \"nobody\";\n>  GRANT INSERT, SELECT, UPDATE, DELETE ON\n\nAs you say, I can't see why DELETE would be necessary for this, but I'm also\nnot confident enough to remove this.\n\n> -\tpatchwork_patchtag\n> +\tpatchwork_patchtag,\n> +\tpatchwork_patch,\n> +\tpatchwork_series,\n> +\tpatchwork_person\n\nI'm assuming the UPDATE permission is required due to how series work. Makes\nsense.\n\n>  TO \"nobody\";\n>  GRANT SELECT ON\n>  \tpatchwork_project,\n> 
@@ -87,15 +87,14 @@ GRANT SELECT ON\n>  \tpatchwork_delegationrule\n>  TO \"nobody\";\n>  GRANT UPDATE, SELECT ON\n> -\tpatchwork_submission_id_seq,\n>  \tpatchwork_patch_id_seq,\n> -\tpatchwork_coverletter_id_seq,\n>  \tpatchwork_series_id_seq,\n>  \tpatchwork_seriespatch_id_seq,\n>  \tpatchwork_seriesreference_id_seq,\n>  \tpatchwork_person_id_seq,\n>  \tpatchwork_comment_id_seq,\n> -\tpatchwork_patchtag_id_seq\n> +\tpatchwork_patchtag_id_seq,\n> +\tpatchwork_event_id_seq\n>  TO \"nobody\";\n>  \n>  COMMIT;","headers":{"Return-Path":"<patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","patchwork@lists.ozlabs.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","patchwork@lists.ozlabs.org"],"Received":["from lists.ozlabs.org (lists.ozlabs.org [103.22.144.68])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xgt0w6f28z9sNr\n\tfor <incoming@patchwork.ozlabs.org>;\n\tMon, 28 Aug 2017 23:29:52 +1000 (AEST)","from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3xgt0w4ThgzDqF3\n\tfor <incoming@patchwork.ozlabs.org>;\n\tMon, 28 Aug 2017 23:29:52 +1000 (AEST)","from nov-007-i543.relay.mailchannels.net\n\t(nov-007-i543.relay.mailchannels.net [46.232.183.97])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3xgt0l4mLzzDq8X\n\tfor <patchwork@lists.ozlabs.org>;\n\tMon, 28 Aug 2017 23:29:42 +1000 (AEST)","from relay.mailchannels.net (localhost [127.0.0.1])\n\tby relay.mailchannels.net (Postfix) with ESMTP id F00437CAD69;\n\tMon, 28 Aug 2017 13:29:31 +0000 (UTC)","from one.mxroute.com (unknown [100.96.140.129])\n\t(Authenticated sender: mxroute)\n\tby relay.mailchannels.net (Postfix) with ESMTPA id 7FC907C7ACF;\n\tMon, 28 Aug 2017 13:29:31 
+0000 (UTC)","from one.mxroute.com (one-outgoing.mxroute.com [172.20.107.195])\n\t(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384)\n\tby 0.0.0.0:2500 (trex/5.9.10); Mon, 28 Aug 2017 13:29:31 +0000"],"Authentication-Results":["ozlabs.org;\n\tdkim=fail reason=\"key not found in DNS\" (0-bit key;\n\tunprotected) header.d=that.guru header.i=@that.guru\n\theader.b=\"gjg9GAAT\"; dkim-atps=neutral","lists.ozlabs.org;\n\tdkim=fail reason=\"key not found in DNS\" (0-bit key;\n\tunprotected) header.d=that.guru header.i=@that.guru\n\theader.b=\"gjg9GAAT\"; dkim-atps=neutral","lists.ozlabs.org;\n\tdkim=fail reason=\"key not found in DNS\" (0-bit key;\n\tunprotected) header.d=that.guru header.i=@that.guru\n\theader.b=\"gjg9GAAT\"; dkim-atps=neutral"],"X-Sender-Id":["mxroute|x-authuser|stephen@that.guru","mxroute|x-authuser|stephen@that.guru"],"X-MC-Relay":"Neutral","X-MailChannels-SenderId":"mxroute|x-authuser|stephen@that.guru","X-MailChannels-Auth-Id":"mxroute","X-White-Name":"235421ae0a083ff0_1503926971837_2231167634","X-MC-Loop-Signature":"1503926971837:3994481962","X-MC-Ingress-Time":"1503926971837","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
d=that.guru;\n\ts=default;\n\th=Content-Transfer-Encoding:Mime-Version:Content-Type:References:\n\tIn-Reply-To:Date:To:From:Subject:Message-ID:Sender:Reply-To:Cc:Content-ID:\n\tContent-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc\n\t:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:\n\tList-Post:List-Owner:List-Archive;\n\tbh=eBj+5QvsdtresQUFZJkGOBU2k/gLm61vd4obuWq8UjI=;\n\tb=gjg9GAATVFKoEWDTsgGJX53JGi\n\tPd9AF0Cpw20oIIPqjA3wxWPnmEIw9nAv8YPSGI9W7iNlFPBwup9ymkEJM/zFY3q4DOEVczU+i1wwa\n\tq6mZMEkuq3kppTB3qLKb/C5BO+M2O35Vv1TEan2vziwX83HRA3f9k9W6GD7TIZ7qYrMw3rUkJQzxS\n\t9Ppd7YFrpo2dQpWKnOT4/gtOkfTPvE1Y24b5FhAzijUzb7zG4B8acfsChjOpmrVJmEbBH+eKplcjj\n\tKdNuOJxxlb1x1P7jZcCxcGaAeYGxoWrjRqBVK+4oL2BMMIshoN+hmFVx8hNFqZKVK0hL9TLCo4DXp\n\tornzu9WQ==;","Message-ID":"<1503926967.5702.9.camel@that.guru>","Subject":"Re: [PATCH 2/2] lib/sql: fix permissions for v2.0.0 on postgres","From":"Stephen Finucane <stephen@that.guru>","To":"Jeremy Kerr <jk@ozlabs.org>, patchwork@lists.ozlabs.org","Date":"Mon, 28 Aug 2017 14:29:27 +0100","In-Reply-To":"<1503920358-26652-2-git-send-email-jk@ozlabs.org>","References":"<1503920358-26652-1-git-send-email-jk@ozlabs.org>\n\t<1503920358-26652-2-git-send-email-jk@ozlabs.org>","X-Mailer":"Evolution 3.24.5 (3.24.5-1.fc26) ","Mime-Version":"1.0","X-AuthUser":"stephen@that.guru","X-BeenThere":"patchwork@lists.ozlabs.org","X-Mailman-Version":"2.1.23","Precedence":"list","List-Id":"Patchwork development <patchwork.lists.ozlabs.org>","List-Unsubscribe":"<https://lists.ozlabs.org/options/patchwork>,\n\t<mailto:patchwork-request@lists.ozlabs.org?subject=unsubscribe>","List-Archive":"<http://lists.ozlabs.org/pipermail/patchwork/>","List-Post":"<mailto:patchwork@lists.ozlabs.org>","List-Help":"<mailto:patchwork-request@lists.ozlabs.org?subject=help>","List-Subscribe":"<https://lists.ozlabs.org/listinfo/patchwork>,\n\t<mailto:patchwork-request@lists.ozlabs.org?subject=subscribe>","Content-Type":"text/plain; 
charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org","Sender":"\"Patchwork\"\n\t<patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>"}}]
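
Review bot: In the "@@ -69,16 +68,17 @@" hunk, moving patchwork_patch, patchwork_series and patchwork_person under "GRANT INSERT, SELECT, UPDATE, DELETE ON ... TO "nobody"" gives that role DELETE on three more tables, although the commit message itself says DELETE is unlikely to be needed for the mail parser. Suggest a separate "GRANT INSERT, SELECT, UPDATE ON patchwork_patch, patchwork_series, patchwork_person TO "nobody";" and leaving the existing four-privilege grant on patchwork_patchtag as it was, so the role's delete rights do not grow with this change.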
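
Review bot: In the "@@ -87,15 +87,14 @@" hunk, patchwork_submission_id_seq and patchwork_coverletter_id_seq are dropped from the sequence grant for "nobody" while the preceding hunk keeps INSERT on patchwork_submission and patchwork_coverletter for the same role, and neither the commit message nor the file says which sequence now supplies ids for those inserts. Please add a comment line above this "GRANT UPDATE, SELECT ON" statement, or a sentence in the commit message, naming that sequence, so a later cleanup does not remove a grant those inserts depend on.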