From 289f93784e320576a46006ff2641bfcc262b04f8 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Sat, 28 Nov 2020 17:32:32 +0000
Subject: [PATCH] lib: Grant SELECT on auth_user

If a mail arrives with the 'X-Patchwork-Delegate' hint header, the 'patchwork.parser' script will need to index the users table to find the appropriate user. This should be okay from a security perspective since passwords are hashed and salted and the rest of the information is mostly accessible publicly via the web UI and REST API.

Signed-off-by: Stephen Finucane
Suggested-by: Ali Alnubani
Closes: #365
(cherry picked from commit e69a2adcf50b57980d5eb0074cc72698d5cac31a)
---
 lib/sql/grant-all.mysql.sql | 1 +
 lib/sql/grant-all.postgres.sql | 1 +
 2 files changed, 2 insertions(+)

diff --git a/lib/sql/grant-all.mysql.sql b/lib/sql/grant-all.mysql.sql
index 100cd387..c8044c68 100644
--- a/lib/sql/grant-all.mysql.sql
+++ b/lib/sql/grant-all.mysql.sql
@@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost;
 GRANT INSERT, SELECT ON patchwork_submission TO 'nobody'@localhost;
 GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost;
+GRANT SELECT ON auth_user TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_project TO 'nobody'@localhost;
 GRANT SELECT ON patchwork_state TO 'nobody'@localhost;
diff --git a/lib/sql/grant-all.postgres.sql b/lib/sql/grant-all.postgres.sql
index 427c3e8d..cac70a87 100644
--- a/lib/sql/grant-all.postgres.sql
+++ b/lib/sql/grant-all.postgres.sql
@@ -84,6 +84,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON
 patchwork_series
 TO "nobody";
 GRANT SELECT ON
+ auth_user,
 patchwork_delegationrule,
 patchwork_project,
 patchwork_state,
-- 
2.47.3
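Review bot: The added `GRANT SELECT ON auth_user TO 'nobody'@localhost;` in the MySQL hunk, and the `auth_user,` entry added to the `GRANT SELECT ON` list in the PostgreSQL hunk, give the mail-parser account read access to every column of the table, including the stored password hashes, while the commit message only describes looking up the delegate user. That account handles untrusted inbound mail, so a column-level grant would keep the hashes out of its reach if the parser is ever compromised, e.g. `GRANT SELECT (id, username, email) ON auth_user TO 'nobody'@localhost;`. In the PostgreSQL file this would need its own statement rather than a list entry, and the list there continues past the end of the hunk. The column set is an assumption and must be checked against the parser's actual query, since a lookup that selects all user fields would be denied under such a grant. Either way, a comment above the grant such as `-- read-only: patchwork.parser resolves X-Patchwork-Delegate to a user` would record why this table is exposed to the mail account.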