Roles with login are not granted login privilege

DASSL / ClassDB

An open-source system to let students experiment with relational data

https://dassl.github.io/ClassDB/

Other

7 stars 2 forks source link

Roles with login are not granted login privilege #280

Closed smurthys closed 5 years ago

smurthys commented 5 years ago

If function createRole is called for a role that already exists, the logic to grant login privilege to the role incorrectly skips granting that privilege.

The issue is due to an incorrect logical expression which reads as follows:

   IF NOT($3 OR ClassDB.canLogin($1)) THEN
      EXECUTE FORMAT('ALTER ROLE %s LOGIN', $1);
   END IF;

The code should be as follows:

   IF NOT $3 OR ClassDB.canLogin($1) THEN
      EXECUTE FORMAT('ALTER ROLE %s LOGIN', $1);
   END IF;

smurthys commented 5 years ago

Upon reviewing the code carefully, I have concluded this is not an issue: the purpose of the existing code is to grant login to a user who may have lost that privilege through an out-of-band means. If createRole is called to create a user (for an existing server role), it is indeed necessary to grant login.

Should clarify comment in code to avoid future confusion.

smurthys commented 5 years ago

Re-opening the issue because a comment was changed in source file and the change needs to be verified.