From: Murtuza Zabuawala
To: Ashesh Vashi, pgadmin-hackers, Akshay Joshi
Subject: Re: PATCH: Login/Group Role Node
Date: Wed, 20 Jan 2016 14:10:16 +0530
Message-ID: <569F47F0.4070106@enterprisedb.com>
In-Reply-To: <569759C0.90009@enterprisedb.com>
X-Mailing-List: pgadmin-hackers

Hi Ashesh,

In addition to the below, I also observed two more issues:

- It's a bad idea to give the md5 hash of the current role's password in properties/edit mode; a malicious user can use that hash to crack another role's password.

- When you select a role and click on the SQL panel (next to the Statistics panel), we encounter the exception below:

  File "/home/murtuza/PROJECT/pgadmin4/web/pgadmin/browser/server_groups/servers/roles/__init__.py", line 531, in wrapped
    return f(self, **kwargs)
  File "/home/murtuza/PROJECT/pgadmin4/web/pgadmin/browser/server_groups/servers/roles/__init__.py", line 714, in sql
    data=self.request,
AttributeError: 'RoleView' object has no attribute 'request'


Regards,
Murtuza


On Thursday 14 January 2016 01:48 PM, Murtuza Zabuawala wrote:
> Hi Ashesh,
>
> Observed so far,
>
> In pgAdmin4,
> 1) We are not displaying the below items in properties when compared to pgAdmin3:
> - Account expires
> - Member of
>
> 2) Seems like one menu item is missing when right-clicking on a role:
> - Reassign/Drop owned
>
> 3) Security label is disabled by default. Even though security label is disabled, we get a precondition error from the server saying:
> "errormsg": "Security Label must be passed as an array of JSON object in the following.."
>
> Causing:
> - When we add variables in the Security tab on an existing role, SQL does not get generated in the SQL tab.
> - When we add role membership on an existing role, SQL does not get generated in the SQL tab, and it also allows us to enter an invalid role which does not exist.
>
>
> Regards,
> Murtuza
>
> On Tuesday 12 January 2016 10:47 PM, Ashesh Vashi wrote:
>> Hi Team,
>>
>> Please find the patch for Login/Group Role(s).
>>
>> Akshay/Murtuza,
>>
>> Can you please review it?
>>
>> --
>>
>> Thanks & Regards,
>>
>> Ashesh Vashi
>> EnterpriseDB INDIA: Enterprise PostgreSQL Company
>>
>>
>> http://www.linkedin.com/in/asheshvashi



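The first of the two new issues above (the role's md5 password hash appearing in the properties/edit form) is the one with a security consequence: the stored verifier is an offline-crackable secret and should never reach the browser. The following is an added example, not code from the pgAdmin4 patch under review or from the pgAdmin project, showing how a role properties endpoint can avoid the leak: read from pg_roles (where PostgreSQL always presents rolpassword as the mask "********") rather than pg_authid, check the outgoing payload for anything shaped like a stored verifier, and treat an unchanged mask on save as "no password change" so the literal mask is never written back as a password. The function names, the sample row and the query text are assumptions made for illustration.

```python
import re

# Shape of stored PostgreSQL password verifiers: the md5 scheme is the literal
# prefix "md5" followed by 32 hex digits; SCRAM (PostgreSQL 10+) starts with
# "SCRAM-SHA-256$". Either one appearing in a response body means the
# server-side verifier is being handed to the browser.
_PG_VERIFIER_RE = re.compile(r"^(?:md5[0-9a-f]{32}|SCRAM-SHA-256\$\S+)$")

# The mask pg_roles.rolpassword presents in place of the real verifier.
PASSWORD_MASK = "********"

# Constructed sample, shaped like one row of SELECT * FROM pg_authid.
# The hash value is a placeholder pattern, not a real verifier.
SAMPLE_AUTHID_ROW = {
    "oid": 16384,
    "rolname": "app_user",
    "rolsuper": False,
    "rolcanlogin": True,
    "rolpassword": "md5" + "0123456789abcdef" * 2,
    "rolvaliduntil": None,
}


def find_leaked_verifiers(props):
    """Names of properties whose values look like stored password verifiers.

    Intended as a last-line check on an outgoing properties payload: an empty
    list means nothing hash-shaped is leaving the server.
    """
    return sorted(k for k, v in props.items()
                  if isinstance(v, str) and _PG_VERIFIER_RE.match(v))


def redact_role_properties(props):
    """Return a copy of a role property mapping with any verifier masked.

    A stored verifier is replaced by PASSWORD_MASK so the edit form shows a
    fixed placeholder; the input mapping is left untouched.
    """
    redacted = dict(props)
    for key in find_leaked_verifiers(props):
        redacted[key] = PASSWORD_MASK
    return redacted


def role_properties_sql(role_oid):
    """Parameterised query for the properties view that never selects a hash.

    pg_roles exposes the same role columns as pg_authid, but rolpassword is
    always the mask, and unlike pg_authid it is readable by non-superusers.
    Returns (sql, params) for a DB-API cursor using pyformat placeholders
    (assumed driver convention).
    """
    return ("SELECT oid, rolname, rolsuper, rolcanlogin, rolpassword, "
            "rolvaliduntil FROM pg_catalog.pg_roles WHERE oid = %(oid)s",
            {"oid": role_oid})


def password_from_form(submitted):
    """Interpret the password field of a submitted edit form.

    Returns None when the user left the placeholder untouched (or sent
    nothing), so the caller emits no PASSWORD clause instead of setting the
    role's password to the literal mask.
    """
    if submitted is None or submitted == "" or submitted == PASSWORD_MASK:
        return None
    return submitted


if __name__ == "__main__":
    print("leaking:", find_leaked_verifiers(SAMPLE_AUTHID_ROW))   # ['rolpassword']
    safe = redact_role_properties(SAMPLE_AUTHID_ROW)
    print("after redaction:", find_leaked_verifiers(safe))        # []
    print(role_properties_sql(16384)[0])
    print("mask submitted ->", password_from_form(PASSWORD_MASK))  # None
```

The redaction step is a safety net, not the primary fix: the query itself should never touch pg_authid.rolpassword for a UI view. Keeping the check separate means it can also run in a unit test over every properties response the server produces.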