comparison schema/manage_users_tests.sql @ 478:3af7ca761f6a
Purge password reset role
The risk of SQL-injections and thus privilege escalation
via the metamorphic user was estimated not high enough to
justify the extra role. Thus, bring database back in line
with rev. ffdb507d5b42 and re-enable password reset.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Thu, 23 Aug 2018 16:41:44 +0200 |
parents | 5611cf72cc92 |
children | 6590208e3ee1 |
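--- a/schema/manage_users_tests.sql
+++ b/schema/manage_users_tests.sql
@@ -312,40 +312,5 @@
 SELECT throws_ok($$
 DELETE FROM users.list_users WHERE username = CAST(current_user AS varchar)
 $$,
 55006, NULL,
 'Current user cannot be deleted');
-
-
---
--- Password reset
---
-
--- Workaround broken relocatability of pgtap (otherwise we could
--- put pgtap in its own schema and GRANT USAGE to PUBLIC on it)
-RESET SESSION AUTHORIZATION;
-GRANT USAGE ON SCHEMA public TO pw_reset;
-
-SET SESSION AUTHORIZATION test_pw_reset;
-
-SELECT isnt_empty($$
-SELECT username, email_address FROM pw_reset.list_users
-$$,
-'Special role can see users with their email addresses');
-
-SELECT results_eq($$
-UPDATE pw_reset.list_users
-SET pw = 'user_at2!' WHERE username = 'test_user_at'
-RETURNING email_address
-$$,
-$$
-SELECT email_address FROM pw_reset.list_users
-WHERE username = 'test_user_at'
-$$,
-'Special role can update password');
-
-SELECT throws_ok($$
-UPDATE pw_reset.list_users
-SET username = 'test_rename', email_address = 'test'
-$$,
-42501, NULL,
-'Special role cannot update arbitrary user attributes');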