diff schema/manage_users_tests.sql @ 478:3af7ca761f6a
Purge password reset role
The risk of SQL injections and thus privilege escalation
via the metamorphic user was estimated not high enough to
justify the extra role. Thus, bring the database back in line
with rev. ffdb507d5b42 and re-enable password reset.
| field | value |
|---|---|
| author | Tom Gottfried <tom@intevation.de> |
| date | Thu, 23 Aug 2018 16:41:44 +0200 |
| parents | 5611cf72cc92 |
| children | 6590208e3ee1 |
line diff
--- a/schema/manage_users_tests.sql Thu Aug 23 16:18:07 2018 +0200 +++ b/schema/manage_users_tests.sql Thu Aug 23 16:41:44 2018 +0200 @@ -314,38 +314,3 @@ $$, 55006, NULL, 'Current user cannot be deleted'); - - --- --- Password reset --- - --- Workaround broken relocatability of pgtap (otherwise we could --- put pgtap in its own schema and GRANT USAGE to PUBLIC on it) -RESET SESSION AUTHORIZATION; -GRANT USAGE ON SCHEMA public TO pw_reset; - -SET SESSION AUTHORIZATION test_pw_reset; - -SELECT isnt_empty($$ - SELECT username, email_address FROM pw_reset.list_users - $$, - 'Special role can see users with their email addresses'); - -SELECT results_eq($$ - UPDATE pw_reset.list_users - SET pw = 'user_at2!' WHERE username = 'test_user_at' - RETURNING email_address - $$, - $$ - SELECT email_address FROM pw_reset.list_users - WHERE username = 'test_user_at' - $$, - 'Special role can update password'); - -SELECT throws_ok($$ - UPDATE pw_reset.list_users - SET username = 'test_rename', email_address = 'test' - $$, - 42501, NULL, - 'Special role cannot update arbitrary user attributes');
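Review bot: deleting the final throws_ok test in this hunk (the one expecting SQLSTATE 42501 on `UPDATE pw_reset.list_users SET username = 'test_rename', email_address = 'test'`) removes the only negative test around password reset, so after this change nothing asserts that the account which now performs resets (the metamorphic user named in the commit message) can set a password but cannot rewrite other user attributes; add an equivalent throws_ok for that account before merging so the privilege-escalation risk the message accepts at least stays visible in the test suite. The removed `RESET SESSION AUTHORIZATION;` / `GRANT USAGE ON SCHEMA public TO pw_reset;` pair was a pgtap relocatability workaround specific to that role, so dropping it is consistent, but because the deleted tests referenced `pw_reset.list_users` and `test_pw_reset`, confirm the same changeset also drops the pw_reset schema, view and test role from the schema definition (not visible in this file), otherwise the purge announced in the title is incomplete and the dangling GRANT stays in place.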