From 45439c8559a59a01a196a77f79330d496d01bbc8 Mon Sep 17 00:00:00 2001
From: jordi fita mas
Date: Tue, 17 Jan 2023 13:05:58 +0100
Subject: [PATCH] Remove the revocation of all function executions

I need to execute some functions in public for citext, such as texticregexeq, or guest users would not be able to login.
---
 deploy/encrypt_password.sql | 2 ++
 deploy/ensure_role_exists.sql | 2 ++
 deploy/find_user_role.sql | 2 ++
 deploy/login.sql | 1 +
 deploy/schema_public.sql | 2 --
 5 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/deploy/encrypt_password.sql b/deploy/encrypt_password.sql
index cd20790..937d493 100644
--- a/deploy/encrypt_password.sql
+++ b/deploy/encrypt_password.sql
@@ -21,6 +21,8 @@ language plpgsql;
 comment on function encrypt_password() is 'Encrypts and salts the input password with the blowfish encryption algorithm';
+revoke execute on function encrypt_password() from public;
+
 create trigger encrypt_password before insert or update on "user"
diff --git a/deploy/ensure_role_exists.sql b/deploy/ensure_role_exists.sql
index 2b48e36..cd50fc3 100644
--- a/deploy/ensure_role_exists.sql
+++ b/deploy/ensure_role_exists.sql
@@ -20,6 +20,8 @@ language plpgsql;
 comment on function ensure_role_exists() is 'Makes sure that a role given to a user is a valid, existing role in the cluster.';
+revoke execute on function ensure_role_exists() from public;
+
 create trigger ensure_role_exists after insert or update on "user"
diff --git a/deploy/find_user_role.sql b/deploy/find_user_role.sql
index 90ff583..81fb0f9 100644
--- a/deploy/find_user_role.sql
+++ b/deploy/find_user_role.sql
@@ -21,4 +21,6 @@ stable;
 comment on function find_user_role(email, text) is 'Return the database role assigned to the user with the given email and password';
+revoke execute on function find_user_role(email, text) from public;
+
 commit;
diff --git a/deploy/login.sql b/deploy/login.sql
index a0928d5..54e5677 100644
--- a/deploy/login.sql
+++ b/deploy/login.sql
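Review bot: The added `revoke execute on function encrypt_password() from public;` is defence in depth rather than the closing of a hole: the function is presumably the one wired up by the `create trigger encrypt_password` on the following context line, which makes it a trigger function, and PostgreSQL refuses to call trigger functions directly from SQL regardless of ACL. The same applies to the revoke added in ensure_role_exists.sql. As far as I can tell the EXECUTE check on a trigger function happens at `create trigger` time, under the deploying role, so firing the trigger on insert or update as guest is unaffected — worth confirming once with a guest-role insert on "user" after deploy. A one-line comment above the revoke, `-- trigger functions cannot be called directly; PUBLIC is revoked anyway so the default ACL never exposes it`, would stop a later reader from dropping the line as redundant.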
@@ -28,6 +28,7 @@ security definer;
 comment on function login(email, text) is 'Checks that the email and password pair is valid and returns the user’s databasse role.';
+revoke execute on function login(email, text) from public;
 grant execute on function login(email, text) to guest;
 commit;
diff --git a/deploy/schema_public.sql b/deploy/schema_public.sql
index dee047f..2b2a2e5 100644
--- a/deploy/schema_public.sql
+++ b/deploy/schema_public.sql
@@ -6,8 +6,6 @@ begin;
 revoke create on schema public from public;
 revoke usage on schema public from public;
-alter default privileges revoke execute on functions from public;
-
 grant usage on schema public to guest;
 grant usage on schema public to invoicer;
 grant usage on schema public to admin;
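Review bot: With `alter default privileges revoke execute on functions from public;` gone, every function created after this deploy is executable by PUBLIC, and therefore by guest, unless its own deploy file repeats the explicit `revoke execute ... from public` that this commit adds for encrypt_password, ensure_role_exists, find_user_role and login; the schema moves from deny-by-default to a per-file opt-out that is easy to forget in the next function added. A narrower alternative keeps the default-privilege revocation and grants EXECUTE back to public only on the citext functions the guest login path needs (texticregexeq is the one the message names), or runs the citext `create extension` before this statement, since default privileges apply only to objects the same role creates afterwards — presumably that ordering is why the citext functions were caught, though I cannot see the extension deploy here. If the opt-out model stays, a comment on the line after `revoke usage on schema public from public;`, such as `-- functions are executable by PUBLIC by default; every deploy script must revoke execute explicitly`, plus a deploy-time check that guest can execute nothing in the schema except the intended functions, would make the contract visible.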