Message ID | 20201128173505.30446-1-stephen@that.guru
---|---
State | Accepted
Series | lib: Grant SELECT on auth_user
On Sat, 2020-11-28 at 17:35 +0000, Stephen Finucane wrote:
If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.
Signed-off-by: Stephen Finucane <stephen@that.guru>
Suggested-by: Ali Alnubani <alialnu@mellanox.com>
Closes: #365
I've applied this and backported it to stable/2.2.
Stephen
diff --git lib/sql/grant-all.mysql.sql lib/sql/grant-all.mysql.sql index 98cb4557..e0314a35 100644 --- lib/sql/grant-all.mysql.sql +++ lib/sql/grant-all.mysql.sql @@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost; GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost; GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost; GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost; +GRANT SELECT ON auth_user TO 'nobody'@localhost; GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost; GRANT SELECT ON patchwork_project TO 'nobody'@localhost; GRANT SELECT ON patchwork_state TO 'nobody'@localhost; diff --git lib/sql/grant-all.postgres.sql lib/sql/grant-all.postgres.sql index a85326e0..a3b192b4 100644 --- lib/sql/grant-all.postgres.sql +++ lib/sql/grant-all.postgres.sql @@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_series TO "nobody"; GRANT SELECT ON + auth_user, patchwork_delegationrule, patchwork_project, patchwork_state,
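Review bot: in the MySQL hunk, `+GRANT SELECT ON auth_user TO 'nobody'@localhost;` gives the parser role read access to every column of auth_user, including the column holding the salted password hashes the commit message mentions, so a compromised parser account could still read those hashes for offline guessing. If the delegate lookup only needs to match on a user identifier, a column-level grant such as `GRANT SELECT (id, username, email) ON auth_user TO 'nobody'@localhost;` (a suggested shape; the exact columns the lookup needs are not visible in this hunk) would keep the hash column out of reach; otherwise the commit message should say why the full row must be readable.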
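Review bot: the PostgreSQL hunk appends `+ auth_user,` to the existing multi-table `GRANT SELECT ON ... TO "nobody"` list, so it carries the same full-row exposure as the MySQL change, hashed password column included. If the grant is narrowed to specific columns, auth_user needs its own `GRANT SELECT (...) ON auth_user TO "nobody";` statement rather than a place in this shared table list, since a column list applies to every table named in the statement; if table-level SELECT is kept, a one-line comment in the grant script noting that the parser role can read password hashes would help operators who audit these files.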
If a mail arrives with the 'X-Patchwork-Delegate' hint header, the 'patchwork.parser' script will need to index the users table to find the appropriate user. This should be okay from a security perspective since passwords are hashed and salted and the rest of the information is mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane <stephen@that.guru>
Suggested-by: Ali Alnubani <alialnu@mellanox.com>
Closes: #365
---
I'll backport this to stable/2.2 if this makes sense to people.
---
lib/sql/grant-all.mysql.sql | 1 +
lib/sql/grant-all.postgres.sql | 1 +
2 files changed, 2 insertions(+)