If a mail arrives with the 'X-Patchwork-Delegate' hint header, the 'patchwork.parser' script will need to index the users table to find the appropriate user. This should be okay from a security perspective since passwords are hashed and salted and the rest of the information is mostly accessible publicly via the web UI and REST API.
Signed-off-by: Stephen Finucane <[email protected]> Suggested-by: Ali Alnubani <[email protected]> Closes: #365 --- I'll backport to this stable/2.2 if this makes sense to people. --- lib/sql/grant-all.mysql.sql | 1 + lib/sql/grant-all.postgres.sql | 1 + 2 files changed, 2 insertions(+) diff --git lib/sql/grant-all.mysql.sql lib/sql/grant-all.mysql.sql index 98cb4557..e0314a35 100644 --- lib/sql/grant-all.mysql.sql +++ lib/sql/grant-all.mysql.sql @@ -46,6 +46,7 @@ GRANT INSERT, SELECT ON patchwork_person TO 'nobody'@localhost; GRANT INSERT, SELECT ON patchwork_series TO 'nobody'@localhost; GRANT INSERT, SELECT ON patchwork_seriesreference TO 'nobody'@localhost; GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_patchtag TO 'nobody'@localhost; +GRANT SELECT ON auth_user TO 'nobody'@localhost; GRANT SELECT ON patchwork_delegationrule TO 'nobody'@localhost; GRANT SELECT ON patchwork_project TO 'nobody'@localhost; GRANT SELECT ON patchwork_state TO 'nobody'@localhost; diff --git lib/sql/grant-all.postgres.sql lib/sql/grant-all.postgres.sql index a85326e0..a3b192b4 100644 --- lib/sql/grant-all.postgres.sql +++ lib/sql/grant-all.postgres.sql @@ -85,6 +85,7 @@ GRANT INSERT, SELECT, UPDATE, DELETE ON patchwork_series TO "nobody"; GRANT SELECT ON + auth_user, patchwork_delegationrule, patchwork_project, patchwork_state, -- 2.28.0 _______________________________________________ Patchwork mailing list [email protected] https://lists.ozlabs.org/listinfo/patchwork
