gemma: schema/manage_users.sql comparison

comparison schema/manage_users.sql @ 343:5b03f420957d

Use INSTEAD OF trigger for user creation Now make the whole thing look like a real table. There is no more function in schema sys_admin, thus remove respective privilege test.

author	Tom Gottfried <tom@intevation.de>
date	Mon, 06 Aug 2018 13:25:18 +0200
parents	c6bd6ed18942
children	fe87457a05d7

comparison

equal deleted inserted replaced

-:c6bd6ed18942
+:5b03f420957d
 AND p.country = users.current_user_country()
 OR pg_has_role('pw_reset', 'MEMBER')
 OR pg_has_role('sys_admin', 'MEMBER');
-CREATE OR REPLACE FUNCTION sys_admin.create_user(
+CREATE OR REPLACE FUNCTION internal.create_user() RETURNS trigger
-userrole varchar,
-username internal.user_profiles.username%TYPE,
-pw varchar,
-country internal.user_profiles.country%TYPE,
-map_extent internal.user_profiles.map_extent%TYPE,
-email_address internal.user_profiles.email_address%TYPE
-)
-RETURNS void
 AS $$
 BEGIN
-IF map_extent IS NULL
+IF NEW.map_extent IS NULL
 THEN
-map_extent = ST_Extent(area) FROM users.responsibility_areas ra
+NEW.map_extent = ST_Extent(area) FROM users.responsibility_areas ra
-WHERE ra.country = create_user.country;
+WHERE ra.country = NEW.country;
 END IF;
 INSERT INTO internal.user_profiles (
 username, country, map_extent, email_address)
-VALUES (username, country, map_extent, email_address);
+VALUES (NEW.username, NEW.country, NEW.map_extent, NEW.email_address);
 EXECUTE format(
 'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L',
-username,
+NEW.username,
-userrole,
+NEW.rolname,
-internal.check_password(pw));
+internal.check_password(NEW.pw));
+-- Do not leak new password
+NEW.pw = '';
+RETURN NEW;
 END;
 $$
 LANGUAGE plpgsql
 SECURITY DEFINER;
+CREATE TRIGGER create_user INSTEAD OF INSERT ON users.list_users FOR EACH ROW
+EXECUTE PROCEDURE internal.create_user();
 CREATE OR REPLACE FUNCTION internal.update_user() RETURNS trigger
 AS $$
 DECLARE

Mercurial > gemma

comparison schema/manage_users.sql @ 343:5b03f420957d