Mercurial > gemma
diff schema/manage_users.sql @ 343:5b03f420957d
Use INSTEAD OF trigger for user creation
Now make the whole thing look like a real table.
There is no more function in schema sys_admin, thus remove respective
privilege test.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Mon, 06 Aug 2018 13:25:18 +0200 |
parents | c6bd6ed18942 |
children | fe87457a05d7 |
line wrap: on
line diff
--- a/schema/manage_users.sql Mon Aug 06 12:37:06 2018 +0200 +++ b/schema/manage_users.sql Mon Aug 06 13:25:18 2018 +0200 @@ -56,35 +56,34 @@ OR pg_has_role('sys_admin', 'MEMBER'); -CREATE OR REPLACE FUNCTION sys_admin.create_user( - userrole varchar, - username internal.user_profiles.username%TYPE, - pw varchar, - country internal.user_profiles.country%TYPE, - map_extent internal.user_profiles.map_extent%TYPE, - email_address internal.user_profiles.email_address%TYPE - ) - RETURNS void +CREATE OR REPLACE FUNCTION internal.create_user() RETURNS trigger AS $$ BEGIN - IF map_extent IS NULL + IF NEW.map_extent IS NULL THEN - map_extent = ST_Extent(area) FROM users.responsibility_areas ra - WHERE ra.country = create_user.country; + NEW.map_extent = ST_Extent(area) FROM users.responsibility_areas ra + WHERE ra.country = NEW.country; END IF; INSERT INTO internal.user_profiles ( username, country, map_extent, email_address) - VALUES (username, country, map_extent, email_address); + VALUES (NEW.username, NEW.country, NEW.map_extent, NEW.email_address); EXECUTE format( 'CREATE ROLE %I IN ROLE %I LOGIN PASSWORD %L', - username, - userrole, - internal.check_password(pw)); + NEW.username, + NEW.rolname, + internal.check_password(NEW.pw)); + + -- Do not leak new password + NEW.pw = ''; + RETURN NEW; END; $$ LANGUAGE plpgsql SECURITY DEFINER; +CREATE TRIGGER create_user INSTEAD OF INSERT ON users.list_users FOR EACH ROW + EXECUTE PROCEDURE internal.create_user(); + CREATE OR REPLACE FUNCTION internal.update_user() RETURNS trigger AS $$