Alter omnivore_admin role to prevent omnivore_admin to be inherited by app_user or omnivore_user

This commit is contained in:
Hongbo Wu
2024-06-21 11:42:36 +08:00
parent f91c4cd5b5
commit 5a63af25f9
2 changed files with 67 additions and 0 deletions


@ -0,0 +1,36 @@
-- Type: DO
-- Name: alter_omnivore_admin_role
-- Description: Alter omnivore_admin role to prevent omnivore_admin to be inherited by app_user or omnivore_user
BEGIN;
DROP POLICY user_admin_policy ON omnivore.user;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA omnivore from omnivore_admin;
REVOKE ALL PRIVILEGES ON SCHEMA omnivore from omnivore_admin;
DROP OWNED BY omnivore_admin;
DROP ROLE omnivore_admin;
CREATE ROLE omnivore_admin;
GRANT USAGE ON SCHEMA omnivore TO omnivore_admin;
ALTER ROLE omnivore_user NOINHERIT; -- This is to prevent omnivore_user from inheriting omnivore_admin role
GRANT omnivore_admin TO omnivore_user; -- This is to allow app_user to set omnivore_admin role
GRANT SELECT, INSERT, UPDATE, DELETE ON omnivore.user TO omnivore_admin;
CREATE POLICY user_admin_policy on omnivore.user
FOR ALL
TO omnivore_admin
USING (true);
GRANT SELECT, INSERT, UPDATE, DELETE ON omnivore.library_item TO omnivore_admin;
CREATE POLICY library_item_admin_policy ON omnivore.library_item
FOR ALL
TO omnivore_admin
USING (true);
COMMIT;
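Review bot: The comment on the GRANT line says it lets app_user set the omnivore_admin role, but the grant targets omnivore_user, and the NOINHERIT two lines earlier changes how omnivore_user treats every role it is a member of, not only omnivore_admin — any other memberships omnivore_user holds stop being inherited implicitly after this runs. If app_user reaches omnivore_admin only through membership in omnivore_user (not visible here), the comment should record that chain, e.g. `-- app_user is a member of omnivore_user; with omnivore_user NOINHERIT, omnivore_admin is reachable only via SET ROLE, never implicitly`. On PostgreSQL 16 or newer the restriction can live on the membership itself, `GRANT omnivore_admin TO omnivore_user WITH INHERIT FALSE, SET TRUE;`, which as I read the docs leaves omnivore_user's other memberships untouched; if older servers must be supported, the role-level attribute is the only option and that constraint is worth a comment. The two REVOKE statements before `DROP OWNED BY omnivore_admin` are redundant, since DROP OWNED already revokes every privilege the role holds in the current database, and keyword casing is mixed (`from`, `on` next to `FROM`, `ON`).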


@ -0,0 +1,31 @@
-- Type: UNDO
-- Name: alter_omnivore_admin_role
-- Description: Alter omnivore_admin role to prevent omnivore_admin to be inherited by app_user or omnivore_user
BEGIN;
DROP POLICY library_item_admin_policy ON omnivore.library_item;
REVOKE SELECT, INSERT, UPDATE, DELETE ON omnivore.library_item FROM omnivore_admin;
DROP POLICY user_admin_policy ON omnivore.user;
REVOKE SELECT, INSERT, UPDATE, DELETE ON omnivore.user FROM omnivore_admin;
DROP OWNED BY omnivore_admin;
DROP ROLE omnivore_admin;
ALTER ROLE omnivore_user INHERIT;
CREATE ROLE omnivore_admin;
GRANT omnivore_admin TO app_user;
GRANT ALL PRIVILEGES ON SCHEMA omnivore TO omnivore_admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA omnivore TO omnivore_admin;
CREATE POLICY user_admin_policy on omnivore.user
FOR ALL
TO omnivore_admin
USING (true);
COMMIT;
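Review bot: `ALTER ROLE omnivore_user INHERIT` and `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA omnivore TO omnivore_admin` restore an assumed prior state rather than a recorded one; if omnivore_user was already NOINHERIT before the forward migration, or the old omnivore_admin grants were narrower than ALL on every table, this undo hands out more than it takes back. A comment naming the pre-migration state this reverts to, e.g. `-- restores the pre-migration setup: omnivore_user INHERIT, app_user a direct member of omnivore_admin, omnivore_admin ALL on schema omnivore`, would make that assumption checkable. `ON ALL TABLES IN SCHEMA` only covers tables that exist when it runs, so any table added later in the omnivore schema is not covered by the restored grant unless default privileges are also set. The explicit REVOKEs on library_item and user are redundant with the `DROP OWNED BY` that follows, and `on omnivore.user` in the CREATE POLICY breaks the uppercase-keyword convention used elsewhere in the file.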