Diffstat (limited to 'sql/modules')
-rw-r--r-- | sql/modules/Roles.sql | 10 | ||||
-rw-r--r-- | sql/modules/Voucher.sql | 8 |
2 files changed, 16 insertions, 2 deletions
diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql
index e10a23a6..80c98771 100644
--- a/sql/modules/Roles.sql
+++ b/sql/modules/Roles.sql
@@ -1395,3 +1395,13 @@ GRANT ALL ON pending_job_id_seq TO public;
 -- CT: The following grant is required for now, but will hopefully become less
 -- important when we get to 1.4 and can more sensibly lock things down.
 GRANT ALL ON dpt_trans TO public;
+
+-- Roles dependant on FUNCTIONS
+CREATE ROLE lsmb_<?lsmb dbname ?>__voucher_delete
+WITH INHERIT NOLOGIN;
+
+GRANT EXECUTE ON FUNCTION voucher__delete(int)
+TO lsmb_<?lsmb dbname ?>__voucher_delete;
+
+GRANT EXECUTE ON FUNCTION batch__delete(int)
+TO lsmb_<?lsmb dbname ?>__voucher_delete;
diff --git a/sql/modules/Voucher.sql b/sql/modules/Voucher.sql
index a04c5ed7..736abcfc 100644
--- a/sql/modules/Voucher.sql
+++ b/sql/modules/Voucher.sql
@@ -333,7 +333,9 @@ BEGIN
 RETURN 1;
 END;
-$$ language plpgsql;
+$$ language plpgsql SECURITY DEFINER;
+
+REVOKE ALL ON FUNCTION batch__delete(int) FROM PUBLIC;
 CREATE OR REPLACE FUNCTION voucher__delete(in_voucher_id int) RETURNS int AS
@@ -371,4 +373,6 @@ BEGIN
 END IF;
 RETURN 1;
 END;
-$$ LANGUAGE PLPGSQL;
+$$ LANGUAGE PLPGSQL SECURITY DEFINER;
+
+REVOKE ALL ON voucher__delete FROM public; |
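Review bot: The two `GRANT EXECUTE` statements at the end of Roles.sql can only succeed if `voucher__delete(int)` and `batch__delete(int)` already exist when this file is loaded, and nothing visible in the hunk says which file runs first. If Roles.sql is loaded before Voucher.sql on a fresh database, the grants would fail and the new role would hold no privileges. The header comment could carry both that ordering requirement and the reason the role exists, for example `-- Roles dependent on functions: load after Voucher.sql. Both functions are SECURITY DEFINER with EXECUTE revoked from PUBLIC, so membership in this role is the only way to call them.`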
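Review bot: `batch__delete` becomes `SECURITY DEFINER` without a pinned `search_path`, so any unqualified names in its body (which lies outside this hunk) are resolved through the caller's search path while the function runs with its owner's privileges; the same applies to `voucher__delete` in the next hunk. PostgreSQL's guidance for definer functions is to fix the path on the function itself, e.g. `$$ language plpgsql SECURITY DEFINER SET search_path = <app_schema>, pg_temp;`, where `<app_schema>` is a placeholder for the schema the tables live in. The `REVOKE` also runs as a separate statement after `CREATE OR REPLACE`, so on first creation the function is executable by PUBLIC until the revoke lands, unless the loader wraps both in one transaction, which cannot be told from this hunk.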
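Review bot: `REVOKE ALL ON voucher__delete FROM public;` lacks the `FUNCTION` keyword and the argument list, so PostgreSQL parses `voucher__delete` as a table name. The statement would fail, or act on an unrelated relation of that name, and the default PUBLIC EXECUTE privilege on the function would stay in place. With the function now `SECURITY DEFINER`, any database user could then call it with the owner's rights, and the role created in Roles.sql would gate nothing for vouchers. The line should mirror the one added for batch__delete: `REVOKE ALL ON FUNCTION voucher__delete(int) FROM PUBLIC;`. The function body starts outside this hunk.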