On Mon, 2017-08-28 at 19:39 +0800, Jeremy Kerr wrote:
> Some tables are no longer present, and others that are used by the web
> interface and mail parser need access permissions added.
>
> This change was required to get patchwork going on patchwork.ozlabs.org;
> there may be other permissions required, that we haven't hit yet. So,
> some review would be good here.
>
> Also: it's unlikely that we need DELETE for the mail parser, but I'm not
> confident enough to remove that at the moment.
>
> Signed-off-by: Jeremy Kerr <j...@ozlabs.org>

Some small comments below but this looks good to me. I'll wait a bit for other comments before applying. Reviewed-by: Stephen Finucane <step...@that.guru> > --- > lib/sql/grant-all.postgres.sql | 17 ++++++++--------- > 1 file changed, 8 insertions(+), 9 deletions(-) > > diff --git a/lib/sql/grant-all.postgres.sql b/lib/sql/grant-all.postgres.sql > index 405ba44..c709866 100644 > --- a/lib/sql/grant-all.postgres.sql > +++ b/lib/sql/grant-all.postgres.sql > @@ -12,6 +12,7 @@ GRANT SELECT, UPDATE, INSERT, DELETE ON > auth_group, > auth_user_user_permissions, > auth_permission, > + authtoken_token, Yup, forgot about that one. > patchwork_emailconfirmation, > patchwork_state, > patchwork_comment, > @@ -47,9 +48,7 @@ GRANT SELECT, UPDATE ON > patchwork_bundle_id_seq, > patchwork_bundlepatch_id_seq, > patchwork_comment_id_seq, > - patchwork_submission_id_seq, > patchwork_patch_id_seq, > - patchwork_coverletter_id_seq, So there's no id column now that these are JOINed with 'submission'? Make sense. > patchwork_series_id_seq, > patchwork_seriespatch_id_seq, > patchwork_seriesreference_id_seq, > @@ -69,16 +68,17 @@ TO "www-data"; > -- cover letters) and series > GRANT INSERT, SELECT ON > patchwork_submission, > - patchwork_patch, > patchwork_coverletter, > - patchwork_series, > patchwork_seriespatch, > patchwork_seriesreference, > patchwork_comment, > - patchwork_person > + patchwork_event > TO "nobody"; > GRANT INSERT, SELECT, UPDATE, DELETE ON As you say, I can't see why DELETE would be necessary for this, but I'm also not confident enough to remove this. > - patchwork_patchtag > + patchwork_patchtag, > + patchwork_patch, > + patchwork_series, > + patchwork_person I'm assuming the UPDATE permission is required due to how series work. Makes sense. > TO "nobody"; > GRANT SELECT ON > patchwork_project, 
> @@ -87,15 +87,14 @@ GRANT SELECT ON > patchwork_delegationrule > TO "nobody"; > GRANT UPDATE, SELECT ON > - patchwork_submission_id_seq, > patchwork_patch_id_seq, > - patchwork_coverletter_id_seq, > patchwork_series_id_seq, > patchwork_seriespatch_id_seq, > patchwork_seriesreference_id_seq, > patchwork_person_id_seq, > patchwork_comment_id_seq, > - patchwork_patchtag_id_seq > + patchwork_patchtag_id_seq, > + patchwork_event_id_seq > TO "nobody"; > > COMMIT;
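
Review bot: in the @@ -69,16 +68,17 @@ hunk, moving patchwork_patch, patchwork_series and patchwork_person into the `GRANT INSERT, SELECT, UPDATE, DELETE` list gives "nobody" DELETE on three more tables, while the commit message itself says DELETE is unlikely to be needed for the mail parser. If UPDATE is the only new requirement, a separate `GRANT INSERT, SELECT, UPDATE ON patchwork_patch, patchwork_series, patchwork_person TO "nobody";` would keep DELETE limited to patchwork_patchtag as it was before, so the parser role's privileges grow only by what the change needs.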
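
Review bot: in the @@ -87,15 +87,14 @@ hunk, patchwork_submission_id_seq and patchwork_coverletter_id_seq are dropped from the sequence grants for "nobody" (and from the "www-data" list in the @@ -47,9 +48,7 @@ hunk), yet patchwork_submission and patchwork_coverletter stay in the `GRANT INSERT, SELECT` list in the @@ -69,16 +68,17 @@ hunk. A short SQL comment above this GRANT stating which sequence now supplies ids for inserts into those two tables would let a reader confirm that the parser can still insert, and would explain why the sequence list no longer mirrors the table list.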