From: Murtuza Zabuawala
To: Ashesh Vashi, pgadmin-hackers, Akshay Joshi
Subject: Re: PATCH: Login/Group Role Node
Date: Tue, 2 Feb 2016 14:52:39 +0530

Hi Ashesh,

I also found that we are not handling group role in macro templates.

Steps to reproduce the issue:
1) Create a sample Group Role.
    name : my_group

Click 'Ok' to create.

2) Go to privilege tab (in my case Database node)
- Click on Add button
- Select my_group (Group) from options
- grant any privileges

3) Go to modified SQL tab

- You will see wrong SQL generated
GRANT ALL ON DATABASE postgres TO my_group WITH GRANT OPTIONS

Expected SQL:
GRANT ALL ON DATABASE postgres TO GROUP my_group WITH GRANT OPTIONS


Regards,
Murtuza


On 20-Jan-2016, at 2:10 pm, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:

Hi Ashesh,

In addition to the below, I also observed two more issues:

- It's a bad idea to give the md5 hash of the current role's password in properties/edit mode. A malicious user can use that hash to crack another role's password.

- When you select a role and click on the SQL panel (near the Statistic panel), we encounter an exception as below:

  File "/home/murtuza/PROJECT/pgadmin4/web/pgadmin/browser/server_groups/servers/roles/__init__.py", line 531, in wrapped
    return f(self, **kwargs)
  File "/home/murtuza/PROJECT/pgadmin4/web/pgadmin/browser/server_groups/servers/roles/__init__.py", line 714, in sql
    data=self.request,
AttributeError: 'RoleView' object has no attribute 'request'


Regards,
Murtuza


On Thursday 14 January 2016 01:48 PM, Murtuza Zabuawala wrote:
Hi Ashesh,

Observed so far,

In pgAdmin4,
1) We are not displaying the below items in properties when compared to pgAdmin3
- Account expires
- Member of

2) Seems like one of the menu items is missing when right-clicking on a role
- Reassign/ Drop owned

3) Security label is disabled by default. Even though security label is disabled, we get a precondition error from the server saying:
"errormsg": "Security Label must be passed as an array of JSON object in the following.."

Causing:
- When we add variables in Security tab on an existing role, SQL does not get generated in the SQL tab.
- When we add roles role membership on an existing role, SQL does not get generated in the SQL tab, and it also allows us to enter an invalid role which does not exist.


Regards,
Murtuza

On Tuesday 12 January 2016 10:47 PM, Ashesh Vashi wrote:
Hi Team,

Please find the patch for Login/Group Role(s).

Akshay/Murtuza,

Can you please review it?

--
Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
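
An added example for the md5 point raised in the 20-Jan message above (not code from pgAdmin4 or from anyone in this thread): one way to keep a role's stored password out of the properties response, plus a check that can run in a regression test to flag any response that still carries one. The helper names and the sample row are hypothetical; the check also covers SCRAM-SHA-256 verifiers, which goes beyond the md5 case mentioned in the thread.

```python
import re

# PostgreSQL stored-password formats: "md5" + 32 hex digits (md5 of the password
# concatenated with the role name) and, in later releases, SCRAM-SHA-256 verifiers.
# Either value is a secret and should never reach the browser.
_STORED_PASSWORD = re.compile(
    r"^(md5[0-9a-f]{32}"
    r"|SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+)$"
)

SECRET_COLUMNS = {"rolpassword"}  # pg_authid column holding the stored password


def redact_role_properties(row):
    """Return a copy of a role row that is safe to send to the client."""
    safe = {k: v for k, v in row.items() if k not in SECRET_COLUMNS}
    # Tell the UI only whether a password is set, never its hash.
    safe["has_password"] = bool(row.get("rolpassword"))
    return safe


def find_leaked_verifiers(payload, path="$"):
    """Walk a JSON-like response; list paths whose value looks like a stored password."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits += find_leaked_verifiers(value, f"{path}.{key}")
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits += find_leaked_verifiers(value, f"{path}[{i}]")
    elif isinstance(payload, str) and _STORED_PASSWORD.match(payload):
        hits.append(path)
    return hits


# Constructed sample row (not taken from the thread); the hash is a dummy value.
SAMPLE_ROW = {
    "rolname": "my_group",
    "rolcanlogin": False,
    "rolpassword": "md5" + "0123456789abcdef" * 2,
    "rolvaliduntil": None,
}

if __name__ == "__main__":
    print(find_leaked_verifiers({"data": [SAMPLE_ROW]}))
    print(find_leaked_verifiers({"data": [redact_role_properties(SAMPLE_ROW)]}))
```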



