diff --git a/src/db/core/addRoleBaseMgmtCore.sql b/src/db/core/addRoleBaseMgmtCore.sql index 51115d6..c04d163 100644 --- a/src/db/core/addRoleBaseMgmtCore.sql +++ b/src/db/core/addRoleBaseMgmtCore.sql @@ -309,13 +309,23 @@ BEGIN ); END IF; - --give the server role LOGIN capability if it is a user - --do not remove LOGIN for a team, because instructors may have their reasons - -- to make a LOGIN server role a team + --in case a pre-existing server role is now registered, give that role LOGIN + -- capability if it is a user (in case that privilege was somehow removed); + -- but don'o't remove LOGIN from a team: instr. may have reason to let a team login IF NOT($3 OR ClassDB.canLogin($1)) THEN EXECUTE FORMAT('ALTER ROLE %s LOGIN', $1); END IF; + --permit the role to connect to this database + -- can remove this code segment if db-specific group roles are used (when + -- initializing the database) to address Issue #277 + --this code segment is intentionally not merge/optimize with the preceding + -- segment (which grants LOGIN to a user role) for clarity, and to make it + -- easier to remove/modify this code when Issue #277 is addressed + IF ClassDB.canLogin($1) THEN + EXECUTE FORMAT('GRANT CONNECT ON DATABASE %I TO %s', current_database(), $1); + END IF; + -------- schema management -------------------------------------- @@ -426,6 +436,15 @@ BEGIN --revoke the specified ClassDB role from the role EXECUTE FORMAT('REVOKE %s FROM %s', $2, $1); + --if rolename revoked has no more ClassDB roles, revoke connection to this DB + -- can remove this code segment if db-specific group roles are used (when + -- initializing the database) to address Issue #277 + IF (NOT ClassDB.hasClassDBRole($1)) THEN + EXECUTE FORMAT('REVOKE CONNECT ON DATABASE %I FROM %s', + current_database(), $1 + ); + END IF; + END; $$ LANGUAGE plpgsql SECURITY DEFINER; diff --git a/src/db/core/initializeDBCore.sql b/src/db/core/initializeDBCore.sql index 4ca7bae..797aa5a 100644 --- a/src/db/core/initializeDBCore.sql +++ b/src/db/core/initializeDBCore.sql @@ -78,10 +78,19 @@ BEGIN -- Postgres grants CONNECT to all by default EXECUTE format('REVOKE CONNECT ON DATABASE %I FROM PUBLIC', currentDB); + + --the comment and code segment within lined comments can be reinstated if + -- db-specific roles are used to address Issue #277 + -- at that time also look at related comments and code in functions createRole + -- and revokeClassDBRole + -- the purpose of the disabled code is to address Issue #278 before Issue #277 + +-------------------------------------------------------------------------------- --Let only app-specific roles connect to the DB -- no need for ClassDB to connect to the DB - EXECUTE format('GRANT CONNECT ON DATABASE %I TO ClassDB_Instructor, ' - 'ClassDB_Student, ClassDB_DBManager', currentDB); + --EXECUTE format('GRANT CONNECT ON DATABASE %I TO ClassDB_Instructor, ' + -- 'ClassDB_Student, ClassDB_DBManager', currentDB); +-------------------------------------------------------------------------------- --Allow ClassDB and ClassDB users to create schemas on the current database EXECUTE format('GRANT CREATE ON DATABASE %I TO ClassDB, ClassDB_Instructor,'