Commit 4393cad8 authored by Murray Cumming's avatar Murray Cumming

Use escape_sql_id() for privileges SQL queries.

* glom/base_db.cc:
* glom/libglom/db_utils.cc:
* glom/libglom/privs.cc:
* glom/mode_design/users/dialog_groups_list.cc:
* glom/mode_design/users/dialog_users_list.cc: Use
DbUtils::escape_sql_id() instead of manually adding quotes with
no escaping. This seems to be the right thing to do for these
queries.
parent 40437da2
2011-11-08 Murray Cumming <murrayc@murrayc.com>
Use escape_sql_id() for privileges SQL queries.
* glom/base_db.cc:
* glom/libglom/db_utils.cc:
* glom/libglom/privs.cc:
* glom/mode_design/users/dialog_groups_list.cc:
* glom/mode_design/users/dialog_users_list.cc: Use
DbUtils::escape_sql_id() instead of manually adding quotes with
no escaping. This seems to be the right thing to do for these
queries.
2011-11-08 Murray Cumming <murrayc@murrayc.com>
More use of escape_sql_id().
......
......@@ -1738,15 +1738,14 @@ bool Base_DB::add_user(const Glib::ustring& user, const Glib::ustring& password,
if(user.empty() || password.empty() || group.empty())
return false;
//TODO: Quote and escape the group and user names.
//Create the user:
//Note that ' around the user fails, so we use ".
Glib::ustring strQuery = "CREATE USER \"" + user + "\" PASSWORD '" + password + "'" ; //TODO: Escape the password.
Glib::ustring strQuery = "CREATE USER " + DbUtils::escape_sql_id(user) + " PASSWORD '" + password + "'" ; //TODO: Escape the password.
if(group == GLOM_STANDARD_GROUP_NAME_DEVELOPER)
strQuery += " SUPERUSER CREATEDB CREATEROLE"; //Because SUPERUSER is not "inherited" from groups to members.
//Glib::ustring strQuery = "CREATE USER \"" + user + "\"";
//Glib::ustring strQuery = "CREATE USER " + DbUtils::escape_sql_id(user);
//if(group == GLOM_STANDARD_GROUP_NAME_DEVELOPER)
// strQuery += " WITH SUPERUSER"; //Because SUPERUSER is not "inherited" from groups to members.
//strQuery += " PASSWORD '" + password + "'" ; //TODO: Escape the password.
......@@ -1760,7 +1759,7 @@ bool Base_DB::add_user(const Glib::ustring& user, const Glib::ustring& password,
}
//Add it to the group:
strQuery = "ALTER GROUP \"" + group + "\" ADD USER \"" + user + "\"";
strQuery = "ALTER GROUP " + DbUtils::escape_sql_id(group) + " ADD USER " + DbUtils::escape_sql_id(user);
test = DbUtils::query_execute_string(strQuery);
if(!test)
{
......@@ -1778,7 +1777,7 @@ bool Base_DB::add_user(const Glib::ustring& user, const Glib::ustring& password,
for(Document::type_listTableInfo::const_iterator iter = table_list.begin(); iter != table_list.end(); ++iter)
{
const Glib::ustring table_name = (*iter)->get_name();
const Glib::ustring strQuery = "REVOKE ALL PRIVILEGES ON " + DbUtils::escape_sql_id(table_name) + " FROM \"" + user + "\"";
const Glib::ustring strQuery = "REVOKE ALL PRIVILEGES ON " + DbUtils::escape_sql_id(table_name) + " FROM " + DbUtils::escape_sql_id(user);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
std::cerr << G_STRFUNC << ": REVOKE failed." << std::endl;
......@@ -1793,7 +1792,7 @@ bool Base_DB::remove_user(const Glib::ustring& user)
if(user.empty())
return false;
const Glib::ustring strQuery = "DROP USER \"" + user + "\"";
const Glib::ustring strQuery = "DROP USER " + DbUtils::escape_sql_id(user);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
{
......@@ -1809,7 +1808,7 @@ bool Base_DB::remove_user_from_group(const Glib::ustring& user, const Glib::ustr
if(user.empty() || group.empty())
return false;
const Glib::ustring strQuery = "ALTER GROUP \"" + group + "\" DROP USER \"" + user + "\"";
const Glib::ustring strQuery = "ALTER GROUP " + DbUtils::escape_sql_id(group) + " DROP USER " + DbUtils::escape_sql_id(user);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
{
......@@ -1830,7 +1829,7 @@ bool Base_DB::set_database_owner_user(const Glib::ustring& user)
if(database_name.empty())
return false;
const Glib::ustring strQuery = "ALTER DATABASE \"" + database_name + "\" OWNER TO \"" + user + "\"";
const Glib::ustring strQuery = "ALTER DATABASE " + DbUtils::escape_sql_id(database_name) + " OWNER TO " + DbUtils::escape_sql_id(user);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
{
......@@ -1854,7 +1853,7 @@ bool Base_DB::disable_user(const Glib::ustring& user)
remove_user_from_group(user, group);
}
const Glib::ustring strQuery = "ALTER ROLE \"" + user + "\" NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE";
const Glib::ustring strQuery = "ALTER ROLE " + DbUtils::escape_sql_id(user) + " NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE";
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
{
......
......@@ -555,7 +555,7 @@ bool add_standard_groups(Document* document)
//TODO: Escape and quote the user and group names here?
//The "SUPERUSER" here has no effect because SUPERUSER is not "inherited" to member users.
//But let's keep it to make the purpose of this group obvious.
bool test = query_execute_string("CREATE GROUP \"" GLOM_STANDARD_GROUP_NAME_DEVELOPER "\" WITH SUPERUSER");
bool test = query_execute_string("CREATE GROUP " + DbUtils::escape_sql_id(GLOM_STANDARD_GROUP_NAME_DEVELOPER) + " WITH SUPERUSER");
if(!test)
{
std::cerr << G_STRFUNC << ": CREATE GROUP failed when adding the developer group." << std::endl;
......@@ -565,7 +565,7 @@ bool add_standard_groups(Document* document)
//Make sure the current user is in the developer group.
//(If he is capable of creating these groups then he is obviously a developer, and has developer rights on the postgres server.)
const Glib::ustring current_user = ConnectionPool::get_instance()->get_user();
const Glib::ustring strQuery = "ALTER GROUP \"" GLOM_STANDARD_GROUP_NAME_DEVELOPER "\" ADD USER \"" + current_user + "\"";
const Glib::ustring strQuery = "ALTER GROUP " + DbUtils::escape_sql_id(GLOM_STANDARD_GROUP_NAME_DEVELOPER) + " ADD USER " + DbUtils::escape_sql_id(current_user);
test = query_execute_string(strQuery);
if(!test)
{
......@@ -638,7 +638,7 @@ bool add_groups_from_document(Document* document)
type_vec_strings::const_iterator iterFind = std::find(database_groups.begin(), database_groups.end(), name);
if(!name.empty() && iterFind == database_groups.end())
{
Glib::ustring query = "CREATE GROUP \"" + name + "\"";
Glib::ustring query = "CREATE GROUP " + escape_sql_id(name);
//The "SUPERUSER" here has no effect because SUPERUSER is not "inherited" to member users.
//But let's keep it to make the purpose of this group obvious.
......
......@@ -231,8 +231,7 @@ void Privs::set_table_privileges(const Glib::ustring& group_name, const Glib::us
//This must match the Grant or Revoke:
strQuery += "TO";
//TODO: Quote and escape group_name?
strQuery += " GROUP \"" + group_name + "\"";
strQuery += " GROUP " + DbUtils::escape_sql_id(group_name);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
......
......@@ -222,7 +222,7 @@ void Dialog_GroupsList::on_button_group_delete()
if(response == Gtk::RESPONSE_OK)
{
const Glib::ustring strQuery = "DROP GROUP \"" + group + "\"";
const Glib::ustring strQuery = "DROP GROUP " + DbUtils::escape_sql_id(group);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
std::cerr << G_STRFUNC << ": DROP GROUP failed." << std::endl;
......@@ -255,7 +255,7 @@ void Dialog_GroupsList::on_button_group_new()
if(!group_name.empty())
{
const Glib::ustring strQuery = "CREATE GROUP \"" + group_name + "\"";
const Glib::ustring strQuery = "CREATE GROUP " + DbUtils::escape_sql_id(group_name);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
std::cout << "debug: " << G_STRFUNC << ": CREATE GROUP failed." << std::endl;
......@@ -485,8 +485,7 @@ bool Dialog_GroupsList::set_table_privilege(const Glib::ustring& table_name, con
else
strQuery += "FROM";
//TODO: Quote and escape group_name?
strQuery += " GROUP \"" + group_name + "\"";
strQuery += " GROUP " + DbUtils::escape_sql_id(group_name);
const bool test = DbUtils::query_execute_string(strQuery); //TODO: Handle errors.
if(!test)
......
......@@ -204,8 +204,7 @@ void Dialog_UsersList::on_button_user_add()
if(!user.empty())
{
//Add it to the group:
//TODO: Quote and escape the group and user names?
const Glib::ustring strQuery = "ALTER GROUP \"" + m_combo_group->get_active_text() + "\" ADD USER \"" + user + "\"";
const Glib::ustring strQuery = "ALTER GROUP " + DbUtils::escape_sql_id(m_combo_group->get_active_text()) + " ADD USER " + DbUtils::escape_sql_id(user);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
std::cerr << G_STRFUNC << ": ALTER GROUP failed." << std::endl;
......@@ -215,9 +214,8 @@ void Dialog_UsersList::on_button_user_add()
for(Document::type_listTableInfo::const_iterator iter = table_list.begin(); iter != table_list.end(); ++iter)
{
//TODO: Quote and escape user?
const Glib::ustring table_name = (*iter)->get_name();
const Glib::ustring strQuery = "REVOKE ALL PRIVILEGES ON " + DbUtils::escape_sql_id(table_name) + " FROM \"" + user + "\"";
const Glib::ustring strQuery = "REVOKE ALL PRIVILEGES ON " + DbUtils::escape_sql_id(table_name) + " FROM " + DbUtils::escape_sql_id(user);
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
std::cerr << G_STRFUNC << ": REVOKE failed." << std::endl;
......@@ -328,7 +326,7 @@ void Dialog_UsersList::on_button_user_edit()
if(!user.empty() && !password.empty())
{
const Glib::ustring strQuery = "ALTER USER \"" + user + "\" PASSWORD '" + password + "'" ; //TODO: Escape the password.
const Glib::ustring strQuery = "ALTER USER " + DbUtils::escape_sql_id(user) + " PASSWORD '" + password + "'" ; //TODO: Escape the password.
const bool test = DbUtils::query_execute_string(strQuery);
if(!test)
std::cerr << G_STRFUNC << ": ALTER USER failed." << std::endl;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment