From e3df592b95db5d07fbe5ada3341626bad344a082 Mon Sep 17 00:00:00 2001 From: einhverfr Date: Tue, 11 Mar 2008 19:18:31 +0000 Subject: Adding roles for voucher/batch deletion. Moving functions to SECURITY DEFINER to allow for more granular delete permissions. git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@2106 4979c152-3d1c-0410-bac9-87ea11338e46 --- sql/modules/Roles.sql | 10 ++++++++++ sql/modules/Voucher.sql | 8 ++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) (limited to 'sql') diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index e10a23a6..80c98771 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -1395,3 +1395,13 @@ GRANT ALL ON pending_job_id_seq TO public; -- CT: The following grant is required for now, but will hopefully become less -- important when we get to 1.4 and can more sensibly lock things down. GRANT ALL ON dpt_trans TO public; + +-- Roles dependant on FUNCTIONS +CREATE ROLE lsmb___voucher_delete +WITH INHERIT NOLOGIN; + +GRANT EXECUTE ON FUNCTION voucher__delete(int) +TO lsmb___voucher_delete; + +GRANT EXECUTE ON FUNCTION batch__delete(int) +TO lsmb___voucher_delete; diff --git a/sql/modules/Voucher.sql b/sql/modules/Voucher.sql index a04c5ed7..736abcfc 100644 --- a/sql/modules/Voucher.sql +++ b/sql/modules/Voucher.sql @@ -333,7 +333,9 @@ BEGIN RETURN 1; END; -$$ language plpgsql; +$$ language plpgsql SECURITY DEFINER; + +REVOKE ALL ON FUNCTION batch__delete(int) FROM PUBLIC; CREATE OR REPLACE FUNCTION voucher__delete(in_voucher_id int) RETURNS int AS @@ -371,4 +373,6 @@ BEGIN END IF; RETURN 1; END; -$$ LANGUAGE PLPGSQL; +$$ LANGUAGE PLPGSQL SECURITY DEFINER; + +REVOKE ALL ON voucher__delete FROM public; -- cgit v1.2.3