author | Stephen Finucane <stephen@that.guru> | 2020-11-28 17:32:32 +0000 |
---|---|---|
committer | Stephen Finucane <stephen@that.guru> | 2020-12-13 18:21:06 +0000 |
commit | e69a2adcf50b57980d5eb0074cc72698d5cac31a (patch) | |
tree | 2a0efcc5b7605d409dbecac8d78cbb4242c53078 /lib/sql/grant-all.postgres.sql | |
parent | 2fdc8895b047dfec00105d35b96d0ed17f0daf39 (diff) | |
lib: Grant SELECT on auth_user

If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane <stephen@that.guru>
Suggested-by: Ali Alnubani <alialnu@mellanox.com>
Closes: #365

Diffstat (limited to 'lib/sql/grant-all.postgres.sql')
-rw-r--r-- | lib/sql/grant-all.postgres.sql | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/sql/grant-all.postgres.sql b/lib/sql/grant-all.postgres.sql index a85326e..a3b192b 100644 --- a/lib/sql/grant-all.postgres.sql +++ b/lib/sql/grant-all.postgres.sql @@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_series TO "nobody"; GRANT SELECT ON + auth_user, patchwork_delegationrule, patchwork_project, patchwork_state, |
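Review bot: the `auth_user,` line added to the `GRANT SELECT ON` list is a table-wide grant, so the grantee of this statement (not visible in the hunk) can read every column of `auth_user`, including the stored password hashes, while the commit message only requires the parser to find a user for the 'X-Patchwork-Delegate' hint. PostgreSQL supports column-level privileges, so consider taking `auth_user` out of the shared list and giving it its own statement of the form `GRANT SELECT (<columns the delegate lookup reads>) ON auth_user TO <role>;`, which keeps the hash column out of reach of the mail-parsing role even if that role is later compromised. A short SQL comment next to the grant recording why the parser needs it (the delegate lookup, #365) would also help anyone auditing this file later.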