DASSL / ClassDB

An open-source system to let students experiment with relational data
https://dassl.github.io/ClassDB/

Instructors and DB Managers can execute functions createUser and dropUser (E) #113

Closed smurthys closed 7 years ago

smurthys commented 7 years ago

The discussion in #107 convinces me that ClassDB functions should not be used to create/drop general users. ClassDB should work with and be responsible only for users in roles relevant to its purpose.

smurthys commented 7 years ago

The fix seems rather straightforward: remove the following statement and one other similar statement in addUserMgmt.sql:

```sql
GRANT EXECUTE ON FUNCTION classdb.createUser(userName VARCHAR(63), initialPwd VARCHAR(128))
TO ClassDB_Instructor, ClassDB_DBManager;
```

afig commented 7 years ago

I agree that these functions should not be executed by any user other than ClassDB itself.

However, provided that this is addressed, there is no use whatsoever for the dropUser() function since it is not called by any other function. Previously, it remained defined in case an unregistered user had been created by manually calling createUser(). We may want to open a separate issue for this.

wildtayne commented 7 years ago

I can remove that function as part of #114.
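
An added example, not part of the thread or of ClassDB's own scripts: deleting the GRANT from addUserMgmt.sql only affects fresh installs, and PostgreSQL gives PUBLIC the EXECUTE privilege on new functions by default, so on an existing database the effective privileges are worth checking and revoking explicitly. It assumes the roles and functions were created with unquoted names (the catalogs then store them in lowercase); dropUser's signature is not shown on the page, so the queries match functions by name.

```sql
-- 1. Effective EXECUTE privilege of the two roles on createUser/dropUser.
--    has_function_privilege() also counts privileges inherited through
--    PUBLIC or role membership, not just direct grants.
SELECT p.oid::regprocedure                              AS function,
       r.rolname                                        AS role,
       has_function_privilege(r.oid, p.oid, 'EXECUTE')  AS can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN pg_roles r
WHERE n.nspname = 'classdb'
  AND p.proname IN ('createuser', 'dropuser')
  AND r.rolname IN ('classdb_instructor', 'classdb_dbmanager')
ORDER BY 1, 2;

-- 2. Is EXECUTE still open to PUBLIC? A NULL proacl means the function
--    still has its default ACL, which includes EXECUTE for PUBLIC;
--    otherwise look for an explicit entry with grantee 0 (PUBLIC).
SELECT p.oid::regprocedure AS function,
       p.proacl IS NULL
       OR EXISTS (SELECT 1
                  FROM aclexplode(p.proacl) a
                  WHERE a.grantee = 0
                    AND a.privilege_type = 'EXECUTE') AS public_can_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'classdb'
  AND p.proname IN ('createuser', 'dropuser');

-- 3. On a database where the old script already ran, revoke explicitly.
--    Signature copied from the GRANT quoted in the issue.
REVOKE EXECUTE ON FUNCTION classdb.createUser(userName VARCHAR(63), initialPwd VARCHAR(128))
  FROM PUBLIC, ClassDB_Instructor, ClassDB_DBManager;
```

After the REVOKE, query 1 should report can_execute = false for both roles unless they inherit the privilege from another role they are members of.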