Opened 12 years ago

Closed 11 years ago

#1795 closed defect (fixed)

spatial_ref_sys, geometry_columns, raster views should be publicly readable

Reported by: robe Owned by: strk
Priority: medium Milestone: PostGIS 2.1.0
Component: build Version: 2.0.x
Keywords: history Cc:

Description

This is probably something we should do for 1.5 as well but at least for extensions, all works out of the box except if you are using an account other than the one you installed extensions with, you have to explicitly grant permissions to public for spatial_ref_sys and I'm guessing geometry_columns as well.

I don't see why we can't always have an explicit public on these as part of the install process. geometry_columns,raster_columns etc now that they are all views are safe to make public since I believe we now only list tables that are visible to the user querying the view, so there is no risk of them seeing tables listed they have no access to.

Change History (9)

comment:1 by robe, 12 years ago

hmm forgot also geography_columns

comment:2 by strk, 12 years ago

At that point also public usage on topology (for calling functions) and select on topology.topology and topology.layer ? For creating topologies you'll also need schema creation rights, but even without you should be able to read existing ones.

I'm not sure permissions should be tweaked by the default install script. It would be up to the DBA to decide what to do with which roles.

Maybe we could provide utility SQL scripts to do it in one way (the way we think makes more sense). It should be checked if existence of "public" can be relied upon.

comment:3 by robe, 12 years ago

Milestone: PostGIS 2.0.1PostGIS 2.1.0

comment:4 by robe, 11 years ago

I'm not really quite sure what you mean by existence of public. public group always exists though public schema may not. anyrate like I said topology aside, I see no reason why we can't make geometry_columns, geography_columns, raster_columns, spatial_ref_sys publically readable since they are already internally limited by the account viewing it (minus — spatial_ref_sys), but hey spatial_ref_sys is pretty much the same across all postgis dbs so what's the big deal with people seeing what is in there.

comment:5 by pramsey, 11 years ago

Do it.

comment:6 by robe, 11 years ago

do it for 2.0 or just 2.1?

comment:7 by pramsey, 11 years ago

2.1, it's too large a change for 2.0

comment:8 by robe, 11 years ago

done at r10750. raster_columns, raster_views, spatial_ref_sys, geometry_columns, geography_columns are all public viewable on install.

The only issue is that the GRANT command is being stripped for geometry_columns, geography_columns, spatial_ref_sys for upgrades. Do we want that? I'm scared of that perl script so don't want to touch it.

I also did not touch topology since those really ARE tables so we might have security concerns there since what is listed can't be protected by internal logic check of view.

comment:9 by robe, 11 years ago

Keywords: history added
Resolution: fixed
Status: newclosed

In making my last change to postgis.sql.in, I noticed this is already done. Maybe I just forgot to close it out.

Note: See TracTickets for help on using tickets.