DASSL / ClassDB

An open-source system to let students experiment with relational data
https://dassl.github.io/ClassDB/
Other
8 stars 2 forks source link

Users known in one ClassDB database are able to log in to all ClassDB databases on the same server (W) #278

Open smurthys opened 5 years ago

smurthys commented 5 years ago

With two ClassDB databases on the same server, and user1 is added as a ClassDB role (say as a student) to one database, but the same user is not added as a ClassDB role to the other database, user1 is still able to login to the second database.

In this scenario, a student user does not have unauthorized access to any object in the second database, but instructors and DB managers could.

I will add another comment soon with an analysis of the problem and potential solutions.

This issue is related to Issue #277.

smurthys commented 5 years ago

The issue is caused by granting database connect privilege to ClassDB group roles in initializeDB.sql.

A solution is to grant database connect privilege to specific users instead, and dropping the connect privilege if the user no longer has any role in the context of the database

Addressing Issue #277 in the manner described at the end of my comment on that issue automatically addresses the issue described here, but the issue described here needs to be fixed with urgency without waiting for Issue #277 to be fixed.