Mercurial > gemma

comparison schema/manage_users_tests.sql @ 478:3af7ca761f6a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Purge password reset role The risk of SQL-injections and thus privilege escalation via the metamorphic user was estimated not high enough to justify the extra role. Thus, bring database back in line with rev. ffdb507d5b42 and re-enable password reset.
author Tom Gottfried <tom@intevation.de>
date Thu, 23 Aug 2018 16:41:44 +0200
parents 5611cf72cc92
children 6590208e3ee1
comparison
equal deleted inserted replaced
477:00b52d653039 478:3af7ca761f6a
312 SELECT throws_ok($$ 312 SELECT throws_ok($$
313 DELETE FROM users.list_users WHERE username = CAST(current_user AS varchar) 313 DELETE FROM users.list_users WHERE username = CAST(current_user AS varchar)
314 $$, 314 $$,
315 55006, NULL, 315 55006, NULL,
316 'Current user cannot be deleted'); 316 'Current user cannot be deleted');
317
318
319 --
320 -- Password reset
321 --
322
323 -- Workaround broken relocatability of pgtap (otherwise we could
324 -- put pgtap in its own schema and GRANT USAGE to PUBLIC on it)
325 RESET SESSION AUTHORIZATION;
326 GRANT USAGE ON SCHEMA public TO pw_reset;
327
328 SET SESSION AUTHORIZATION test_pw_reset;
329
330 SELECT isnt_empty($$
331 SELECT username, email_address FROM pw_reset.list_users
332 $$,
333 'Special role can see users with their email addresses');
334
335 SELECT results_eq($$
336 UPDATE pw_reset.list_users
337 SET pw = 'user_at2!' WHERE username = 'test_user_at'
338 RETURNING email_address
339 $$,
340 $$
341 SELECT email_address FROM pw_reset.list_users
342 WHERE username = 'test_user_at'
343 $$,
344 'Special role can update password');
345
346 SELECT throws_ok($$
347 UPDATE pw_reset.list_users
348 SET username = 'test_rename', email_address = 'test'
349 $$,
350 42501, NULL,
351 'Special role cannot update arbitrary user attributes');