Mercurial > gemma
changeset 468:ff9dbe14f033
Don't use hex encoding for user impersonation when running it from a planned statement.
| author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
|---|---|
| date | Wed, 22 Aug 2018 17:56:16 +0200 |
| parents | 73c7b2d6246e |
| children | 788c87b99bae |
| files | pkg/auth/opendb.go schema/manage_users.sql |
| diffstat | 2 files changed, 12 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/pkg/auth/opendb.go Wed Aug 22 17:43:30 2018 +0200 +++ b/pkg/auth/opendb.go Wed Aug 22 17:56:16 2018 +0200 @@ -2,7 +2,6 @@ import ( "database/sql" - "encoding/hex" "errors" "github.com/jackc/pgx" @@ -77,9 +76,7 @@ return nil } defer db.Close() - if _, err = db.Exec( - `SELECT public.setrole($1)`, hex.EncodeToString([]byte(role)), - ); err == nil { + if _, err = db.Exec(`SELECT public.setrole_plan($1)`, role); err == nil { err = fn(db) } return err
--- a/schema/manage_users.sql Wed Aug 22 17:43:30 2018 +0200 +++ b/schema/manage_users.sql Wed Aug 22 17:56:16 2018 +0200 @@ -215,3 +215,14 @@ END; $$ LANGUAGE plpgsql; + +-- To set a role in form of a plannable statement (which is save from SQL injections). +CREATE OR REPLACE FUNCTION public.setrole_plan(role text) RETURNS void +AS $$ +BEGIN + IF role IS NOT NULL AND role <> '' THEN + EXECUTE format('SET ROLE %I', role); + END IF; +END; +$$ + LANGUAGE plpgsql;