Use has_table_privilege for TRIGGER on PostgreSQL

This fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/38634.

Use has_table_privilege for TRIGGER on PostgreSQL
This fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/38634.
15b92e7c · Yorick Peterse · fa037e7c · 15b92e7c · 15b92e7c
Commit 15b92e7c authored Jan 22, 2018 by Yorick Peterse
Showing with 35 additions and 20 deletions

changelogs/unreleased/fix-postgresql-table-grant.yml changelogs/unreleased/fix-postgresql-table-grant.yml +5 -0

lib/gitlab/database/grant.rb lib/gitlab/database/grant.rb +30 -20

No files found.
--- a/changelogs/unreleased/fix-postgresql-table-grant.yml
+++ b/changelogs/unreleased/fix-postgresql-table-grant.yml
+---
+title: Use has_table_privilege for TRIGGER on PostgreSQL
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/database/grant.rb
+++ b/lib/gitlab/database/grant.rb
@@ -12,30 +12,40 @@ module Gitlab
      # Returns true if the current user can create and execute triggers on the
      # given table.
      def self.create_and_execute_trigger?(table)
-        priv =
-          if Database.postgresql?
-            where(privilege_type: 'TRIGGER', table_name: table)
-              .where('grantee = user')
-          else
-            queries = [
-              Grant.select(1)
-                .from('information_schema.user_privileges')
-                .where("PRIVILEGE_TYPE = 'SUPER'")
-                .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')"),
+        if Database.postgresql?
+          # We _must not_ use quote_table_name as this will produce double
+          # quotes on PostgreSQL and for "has_table_privilege" we need single
+          # quotes.
+          quoted_table = connection.quote(table)

-              Grant.select(1)
-                .from('information_schema.schema_privileges')
-                .where("PRIVILEGE_TYPE = 'TRIGGER'")
-                .where('TABLE_SCHEMA = ?', Gitlab::Database.database_name)
-                .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')")
-            ]
+          begin
+            from(nil)
+              .pluck("has_table_privilege(#{quoted_table}, 'TRIGGER')")
+              .first
+          rescue ActiveRecord::StatementInvalid
+            # This error is raised when using a non-existing table name. In this
+            # case we just want to return false as a user technically can't
+            # create triggers for such a table.
+            false
+          end
+        else
+          queries = [
+            Grant.select(1)
+              .from('information_schema.user_privileges')
+              .where("PRIVILEGE_TYPE = 'SUPER'")
+              .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')"),

-            union = SQL::Union.new(queries).to_sql
+            Grant.select(1)
+              .from('information_schema.schema_privileges')
+              .where("PRIVILEGE_TYPE = 'TRIGGER'")
+              .where('TABLE_SCHEMA = ?', Gitlab::Database.database_name)
+              .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')")
+          ]

-            Grant.from("(#{union}) privs")
-          end
+          union = SQL::Union.new(queries).to_sql

-        priv.any?
+          Grant.from("(#{union}) privs").any?
+        end
      end
    end
  end