Mercurial > gemma
changeset 336:9d69eb2f0af3
Merged.
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
---|---|
date | Fri, 03 Aug 2018 17:59:16 +0200 |
parents | bd292a554b6e (current diff) df1fc589ad9d (diff) |
children | e48da6f427c8 |
files | |
diffstat | 3 files changed, 24 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/schema/manage_users.sql Fri Aug 03 17:58:51 2018 +0200 +++ b/schema/manage_users.sql Fri Aug 03 17:59:16 2018 +0200 @@ -93,6 +93,14 @@ BEGIN cur_username = OLD.username; + IF cur_username <> session_user + AND NOT (pg_has_role(session_user, 'sys_admin', 'MEMBER') + OR pg_has_role(session_user, 'pw_reset', 'MEMBER')) + THEN + -- Discard row. This is what WITH CHECK in an RLS policy would do. + RETURN NULL; + END IF; + UPDATE internal.user_profiles p SET (username, country, map_extent, email_address) = (NEW.username, NEW.country, NEW.map_extent, NEW.email_address)
--- a/schema/manage_users_tests.sql Fri Aug 03 17:58:51 2018 +0200 +++ b/schema/manage_users_tests.sql Fri Aug 03 17:59:16 2018 +0200 @@ -123,6 +123,21 @@ 42501, NULL, 'Waterway user cannot update arbitrary user attributes'); +SET SESSION AUTHORIZATION test_admin_at; + +SELECT results_eq($$ + UPDATE users.list_users + SET (pw, map_extent, email_address) + = ('user_at2!', 'BOX(0 0,1 1)', 'user_at_test') + WHERE country = users.current_user_country() + AND username <> current_user + RETURNING * + $$, + $$ + SELECT '' WHERE false -- Empty result set + $$, + 'Waterway admin cannot update attributes of other users in country'); + SET SESSION AUTHORIZATION test_sys_admin1; SELECT lives_ok($$
--- a/schema/run_tests.sh Fri Aug 03 17:58:51 2018 +0200 +++ b/schema/run_tests.sh Fri Aug 03 17:59:16 2018 +0200 @@ -16,7 +16,7 @@ -c 'SET client_min_messages TO WARNING' \ -c "DROP ROLE IF EXISTS $TEST_ROLES" \ -f tap_tests_data.sql \ - -c 'SELECT plan(44)' \ + -c 'SELECT plan(45)' \ -f auth_tests.sql \ -f manage_users_tests.sql \ -c 'SELECT * FROM finish()'