lib: Grant SELECT on auth_user

Message ID	20201128173505.30446-1-stephen@that.guru
State	Accepted
Headers	show Return-Path: <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> sender: mN4UYu2MZsgR) by mail-109-mta231.mxroute.com (ZoneMTA) with ESMTPSA id 1760fec440d0007603.001 for <patchwork@lists.ozlabs.org> (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256); Sat, 28 Nov 2020 17:35:10 +0000 From: Stephen Finucane <stephen@that.guru> To: patchwork@lists.ozlabs.org Subject: [PATCH] lib: Grant SELECT on auth_user Date: Sat, 28 Nov 2020 17:35:05 +0000 Message-Id: <20201128173505.30446-1-stephen@that.guru> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Patchwork" <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	lib: Grant SELECT on auth_user \| expand lib: Grant SELECT on auth_user

Message ID

20201128173505.30446-1-stephen@that.guru

State

Accepted

Headers

From: Stephen Finucane <stephen@that.guru>
To: patchwork@lists.ozlabs.org
Subject: [PATCH] lib: Grant SELECT on auth_user
Date: Sat, 28 Nov 2020 17:35:05 +0000
Message-Id: <20201128173505.30446-1-stephen@that.guru>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Patchwork"
 <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

lib: Grant SELECT on auth_user | expand

Commit Message

Stephen Finucane Nov. 28, 2020, 5:35 p.m. UTC

If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane <stephen@that.guru>
Suggested-by: Ali Alnubani <alialnu@mellanox.com>
Closes: #365
---
I'll backport to this stable/2.2 if this makes sense to people.
---
 lib/sql/grant-all.mysql.sql    | 1 +
 lib/sql/grant-all.postgres.sql | 1 +
 2 files changed, 2 insertions(+)

Comments

Stephen Finucane Dec. 13, 2020, 6:20 p.m. UTC | #1

On Sat, 2020-11-28 at 17:35 +0000, Stephen Finucane wrote:
If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane <stephen@that.guru>
Suggested-by: Ali Alnubani <alialnu@mellanox.com>
Closes: #365

I've applied this and backported it to stable/2.2.

Stephen

diff --git lib/sql/grant-all.mysql.sql lib/sql/grant-all.mysql.sql
index 98cb4557..e0314a35 100644
--- lib/sql/grant-all.mysql.sql
+++ lib/sql/grant-all.mysql.sql
@@ -46,6 +46,7 @@  GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost;
 GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost;
+GRANT SELECT ON auth_user TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_project TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_state TO 'nobody'@localhost;
diff --git lib/sql/grant-all.postgres.sql lib/sql/grant-all.postgres.sql
index a85326e0..a3b192b4 100644
--- lib/sql/grant-all.postgres.sql
+++ lib/sql/grant-all.postgres.sql
@@ -85,6 +85,7 @@  GRANT INSERT, SELECT, UPDATE, DELETE ON
 	patchwork_series
 TO "nobody";
 GRANT SELECT ON
+	auth_user,
 	patchwork_delegationrule,
 	patchwork_project,
 	patchwork_state,