lib: Grant SELECT on auth_user
authorStephen Finucane <stephen@that.guru>
Sat, 28 Nov 2020 17:32:32 +0000 (17:32 +0000)
committerStephen Finucane <stephen@that.guru>
Sun, 13 Dec 2020 18:21:06 +0000 (18:21 +0000)
If a mail arrives with the 'X-Patchwork-Delegate' hint header, the
'patchwork.parser' script will need to index the users table to find the
appropriate user. This should be okay from a security perspective since
passwords are hashed and salted and the rest of the information is
mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane <stephen@that.guru>
Suggested-by: Ali Alnubani <alialnu@mellanox.com>
Closes: #365
lib/sql/grant-all.mysql.sql
lib/sql/grant-all.postgres.sql

index 98cb4557bb4be32baa26bc93d0cd1545b7e39375..e0314a35312383d4e4e17a85785011da0c66a571 100644 (file)
@@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost;
 GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost;
+GRANT SELECT ON auth_user TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_project TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_state TO 'nobody'@localhost;
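Review bot: The added `GRANT SELECT ON auth_user` is table-wide, so the account used by the mail parser can read every column of Django's user table, including `password`, `is_superuser` and `last_login`, while the delegate lookup described in the commit message presumably needs only a few of them. Hashing and salting slow offline guessing but do not rule it out, and the parser handles untrusted mail, so its database account is worth keeping as narrow as possible. If the lookup can be limited to the columns it uses, a column-level grant such as `GRANT SELECT (id, username, email) ON auth_user TO 'nobody'@localhost;` would be tighter; Django's ORM selects all columns by default, so this would need a matching `.only()` or `.values()` in the parser, which is not visible here. The same point applies to the `auth_user,` line added to the `GRANT SELECT ON` list in lib/sql/grant-all.postgres.sql, whose statement continues beyond the hunk. Either way, a comment above the grant such as `-- read access needed to resolve the X-Patchwork-Delegate header` would record why this account can read the table.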
index a85326e0b23f6a05a88034392e1655ce21c9c476..a3b192b4997f09e6ed398673ae47dd45652d795c 100644 (file)
@@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON
        patchwork_series
 TO "nobody";
 GRANT SELECT ON
+       auth_user,
        patchwork_delegationrule,
        patchwork_project,
        patchwork_state,