Request a Demo
Home   >   mailing lists

Re: Making "SECURITY DEFINER" procedures.. - Mailing list pgsql-sql

From Sergey Holod
Subject Re: Making "SECURITY DEFINER" procedures..
Date
Msg-id 200304300218.08129.sss@radiocom.net.ua
Whole thread Raw
In response to Re: Making "SECURITY DEFINER" procedures..  (Stephan Szabo <sszabo@megazone23.bigpanda.com>)
Responses Re: Making "SECURITY DEFINER" procedures.. - SOLVED
List pgsql-sql
Tree view 
SS> I made bogus gen_random_string and password functions and a bogus
SS> ManageUser table and couldn't reproduce an error like the above with a
SS> different user (one who can't read/write to the tables used), so I'd guess
SS> it's from something that isn't being shown.  Are there any foreign keys
SS> to ManageSession?

GRANT ALL ON SCHEMA public TO "data";

CREATE SCHEMA data AUTHORIZATION "data";

\connect - "data"
SET search_path = data;
..
Create table  ManageUser
(       id Serial NOT NULL,       Name Varchar(20) NOT NULL UNIQUE ,       Passwd bytea,       Birthday timestamp(0)
NOTNULL Default now(),       ManageGroupId integer NOT NULL,                         -- FOREIGN KEY 
 
TO ManageGroup       OnlyCustomerId integer NULL ,                                   -- 
FOREIGN KEY TO Customer       memo Varchar(500) NULL ,primary key (id)
);
..
Create table  ManageSession
(       id Serial NOT NULL,       UserId integer NOT NULL,                                        -- FOREIGN KEY TO
ManageUsertable       Key bytea NOT NULL,       Birthday timestamp(0) NOT NULL Default now(),primary key (id)
 
);
Alter table ManageSession add  foreign key (UserId) references ManageUser (id) on update cascade  on delete cascade ;
..
set search_path=public;
CREATE OR REPLACE FUNCTION new_session (character varying, character varying) 
RETURNS character varying   AS 'DECLARE       u_login ALIAS FOR $1;       u_passwd ALIAS FOR $2;       u_id INTEGER;
  u_key VARCHAR;       dbg VARCHAR;
 
BEGIN
select current_user into dbg;
raise notice ''current user is %'', dbg;       DELETE FROM data.ManageSession WHERE               (now()  - Birthday) >
CAST(''10min'' AS INTERVAL);
 
raise notice ''after delete'';       SELECT id INTO u_id FROM data.ManageUser WHERE Name = u_login AND 
Passwd = password(u_passwd);
raise notice ''after select - %'',u_id;       IF u_id IS NOT NULL THEN               u_key := gen_random_string(20);
          INSERT INTO data.ManageSession(UserId,Key) VALUES (u_id, 
 
password(u_key));
raise notice ''after insert - %'',u_key;       ELSE               RAISE EXCEPTION ''Wrong login or password'';
ENDIF;
 
raise notice ''before return - %'',u_key;       RETURN u_key;
END;
' LANGUAGE plpgsql EXTERNAL SECURITY DEFINER;
...


So thera are several foreign constraints. But:

$psql -U rcbilling billing
billing=> select new_session('sergey','password');
NOTICE:  current user is data
NOTICE:  after delete
NOTICE:  after select - 8
NOTICE:  after insert - KMp7ciFzJAL10Xxqft9O
NOTICE:  before return - KMp7ciFzJAL10Xxqft9O
ERROR:  data: permission denied

$psql -U data billing
billing=> select new_session('sergey','password');
NOTICE:  current user is data
NOTICE:  after delete
NOTICE:  after select - 8
NOTICE:  after insert - n7c1gAqPB0WuFwCEapy4
NOTICE:  before return - n7c1gAqPB0WuFwCEapy4    new_session
----------------------n7c1gAqPB0WuFwCEapy4
(1 row)


-- 
With Best Regards,
Sergey Holod

pgsql-sql by date:

Previous
From: Stephan Szabo
Date:
Subject: Re: Making "SECURITY DEFINER" procedures..
Next
From: Sergey Holod
Date:
Subject: Re: Making "SECURITY DEFINER" procedures.. - SOLVED