authorStephen Finucane <stephen@that.guru>2020-11-28 17:32:32 +0000
committerStephen Finucane <stephen@that.guru>2020-12-13 18:21:06 +0000
commite69a2adcf50b57980d5eb0074cc72698d5cac31a (patch)
tree2a0efcc5b7605d409dbecac8d78cbb4242c53078
parent2fdc8895b047dfec00105d35b96d0ed17f0daf39 (diff)
lib: Grant SELECT on auth_user
If a mail arrives with the 'X-Patchwork-Delegate' hint header, the 'patchwork.parser' script will need to query the users table to find the appropriate user. This should be okay from a security perspective since passwords are hashed and salted and the rest of the information is mostly accessible publicly via the web UI and REST API. Signed-off-by: Stephen Finucane <stephen@that.guru> Suggested-by: Ali Alnubani <alialnu@mellanox.com> Closes: #365
-rw-r--r--lib/sql/grant-all.mysql.sql1
-rw-r--r--lib/sql/grant-all.postgres.sql1
2 files changed, 2 insertions, 0 deletions
diff --git a/lib/sql/grant-all.mysql.sql b/lib/sql/grant-all.mysql.sql
index 98cb455..e0314a3 100644
--- a/lib/sql/grant-all.mysql.sql
+++ b/lib/sql/grant-all.mysql.sql
@@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost;
GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost;
GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost;
GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost;
+GRANT SELECT ON auth_user TO 'nobody'@localhost;
GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost;
GRANT SELECT ON patchwork_project TO 'nobody'@localhost;
GRANT SELECT ON patchwork_state TO 'nobody'@localhost;
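Review bot: The added `GRANT SELECT ON auth_user` gives the mail-parser account read access to every column of the table, including the `password` hash column and the staff/superuser flags, while the delegate lookup presumably needs only a few identifying columns. If this account's credentials are ever exposed, the hashes become available for offline guessing, so a column-level grant would keep the parser at least privilege, e.g. `GRANT SELECT (id, username, email) ON auth_user TO 'nobody'@localhost;` — the column list here is an assumption and has to match what the parser's query actually reads (a lookup that loads the full row would need narrowing first). The same applies to the `auth_user,` entry added to the shared `GRANT SELECT ON` list in lib/sql/grant-all.postgres.sql, where a column-level grant would need its own statement. In either file, a comment such as `-- parser resolves X-Patchwork-Delegate hints against auth_user` would record why this account has the access.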
diff --git a/lib/sql/grant-all.postgres.sql b/lib/sql/grant-all.postgres.sql
index a85326e..a3b192b 100644
--- a/lib/sql/grant-all.postgres.sql
+++ b/lib/sql/grant-all.postgres.sql
@@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON
patchwork_series
TO "nobody";
GRANT SELECT ON
+ auth_user,
patchwork_delegationrule,
patchwork_project,
patchwork_state,