Commit 91ecb6a6 authored by Stan Hu's avatar Stan Hu Committed by Mayra Cabrera

Fix database permission check for triggers on Amazon RDS

On some instances of Amazon RDS, running a SELECT against
`'information_schema.role_table_grants'` fails with a `permission denied
for relation pg_authid` error. This happens because `role_table_grants`
is a PostgreSQL view that ultimately accesses the `pg_authid` table.

The PostgreSQL system function `has_table_privileges` doesn't actually
need a FROM clause. We can simplify the query to just call:

SELECT has_table_privilege('projects', 'TRIGGER')

Closes https://gitlab.com/gitlab-org/gitlab/issues/199468
parent 3e9f52f8
---
title: Fix database permission check for triggers on Amazon RDS
merge_request: 24035
author:
type: fixed
......@@ -3,23 +3,18 @@
module Gitlab
module Database
# Model that can be used for querying permissions of a SQL user.
class Grant < ActiveRecord::Base
include FromUnion
self.table_name = 'information_schema.role_table_grants'
class Grant
# Returns true if the current user can create and execute triggers on the
# given table.
def self.create_and_execute_trigger?(table)
# We _must not_ use quote_table_name as this will produce double
# quotes on PostgreSQL and for "has_table_privilege" we need single
# quotes.
connection = ActiveRecord::Base.connection
quoted_table = connection.quote(table)
begin
from(nil)
.pluck(Arel.sql("has_table_privilege(#{quoted_table}, 'TRIGGER')"))
.first
connection.select_one("SELECT has_table_privilege(#{quoted_table}, 'TRIGGER')").present?
rescue ActiveRecord::StatementInvalid
# This error is raised when using a non-existing table name. In this
# case we just want to return false as a user technically can't
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment