From: | Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz> |
---|---|
To: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, Ravi Roy <ravi(dot)aroy(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Creating a role with read only privileges but user is allowed to change password |
Date: | 2014-05-11 20:27:25 |
Message-ID: | 536FDD2D.8050003@archidevsys.co.nz |
Lists: | pgsql-general |
On 12/05/14 06:09, Adrian Klaver wrote:
> On 05/11/2014 10:17 AM, Ravi Roy wrote:
>> Thanks a lot Tom, it worked by putting off the read only mode to off
>> before changing the password and putting it on again.
>>
>>> SET default_transaction_read_only = off;
>>
>> Worked for me..
>
> It works but the point Tom was making is here:
>
> "You realize, I hope, that breaking out of that restriction is no harder
> than issuing
>
> SET default_transaction_read_only = off;
>
> or even
>
> BEGIN TRANSACTION READ WRITE;
>
> So that ALTER ROLE might be of some use as a protection against
> accidental
> changes, but it's certainly no form of security restriction. (What you
> probably want to do instead of this is make sure the role doesn't have
> select/update/delete privileges for any of your tables.)
> "
>
> Given that in your original post you said:
>
> "Because I wanted this role to readonly (can not change anything in DB
> but only view)."
>
>
> you might want to rethink what you are doing.
>
>>
>> Many thanks to you!
>>
>> Regards
>> Ravi
>
I suggest that you move the password to a separate table
(my_role_password) with 2 columns:
1. my_role_id
2. password.
This way you can make the my_role table totally unalterable by the user,
yet they can change their own password.
Actually, you should NOT be storing passwords in plain text; they should
be stored as a secure hash (better than MD5).
Cheers,
Gavin
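As an added example, not part of this thread, here is the privilege-based setup Tom and Gavin describe, written out in SQL. The table names follow Gavin's suggestion; the role name ro_reader, the function change_my_password() and the use of pgcrypto's crypt() for the hash are my own assumptions.

```sql
-- Added example (not from the thread). Assumes PostgreSQL with the pgcrypto
-- extension available; ro_reader and change_my_password() are made-up names.

-- What the original poster relied on: only a session default, and the user
-- can revert it with SET ... = off or BEGIN TRANSACTION READ WRITE.
-- ALTER ROLE ro_reader SET default_transaction_read_only = on;  -- not a security boundary

-- Instead, make "read only" a matter of privileges.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE my_role (
    my_role_id   text PRIMARY KEY,
    display_name text
);
CREATE TABLE my_role_password (
    my_role_id    text PRIMARY KEY REFERENCES my_role,
    password_hash text NOT NULL          -- salted hash, never the plain password
);

CREATE ROLE ro_reader LOGIN PASSWORD 'placeholder-change-me';
INSERT INTO my_role VALUES ('ro_reader', 'Read-only reader');
INSERT INTO my_role_password VALUES ('ro_reader', crypt('initial-secret', gen_salt('bf')));

REVOKE ALL ON my_role, my_role_password FROM PUBLIC;
GRANT SELECT ON my_role TO ro_reader;    -- view only: no INSERT/UPDATE/DELETE anywhere

-- Password changes go through a SECURITY DEFINER function that only touches
-- the caller's own row, so ro_reader needs no direct write privilege at all.
CREATE FUNCTION change_my_password(new_password text) RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = public AS $$
    UPDATE my_role_password
       SET password_hash = crypt(new_password, gen_salt('bf'))   -- bcrypt, not MD5
     WHERE my_role_id = current_user;
$$;
REVOKE ALL ON FUNCTION change_my_password(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION change_my_password(text) TO ro_reader;

-- Check as ro_reader: both statements below fail with "permission denied",
-- regardless of default_transaction_read_only or BEGIN TRANSACTION READ WRITE:
--   UPDATE my_role SET display_name = 'x';
--   UPDATE my_role_password SET password_hash = 'x';
-- while this succeeds and changes only the caller's own row:
--   SELECT change_my_password('new-secret');
```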