public inbox for [email protected]  
Regarding Feature #5305

* Regarding Feature #5305
@ 2025-03-19 11:12  Akshay Joshi <[email protected]>
  0 siblings, 1 reply; 4+ messages in thread

From: Akshay Joshi @ 2025-03-19 11:12 UTC (permalink / raw)
  To: pgadmin-hackers

Hi Dave/Hackers,

I have started working on the feature #5305
<https://github.com/pgadmin-org/pgadmin4/issues/5305>. Based on my
understanding, the Object Explorer should only display nodes or objects
where the currently logged-in user has at least one permission granted in
the ACL. In other words, the user must have some level of access to each
object displayed.

For example, consider two users: 'postgres' (the default user) and 'test'.
There are objects, such as a table, where the 'test' user does not have any
permissions. This table was created by the 'postgres' user, who has revoked
all permissions for other users. Now, if the 'test' user logs into the
database server, we need to check whether the logged-in user has any
permissions on the object. If not, it should not be displayed in the Object
Explorer.

We will have a preference for whether to apply this check or not. There are
the following two solutions that can be implemented:
1) Change the *nodes.sql* to filter out the nodes based on privileges. It's
challenging, as I tried with aclexplode(relacl), unnest(relacl) in the
WHERE clause, and other different attempts to filter out Table nodes, but
it seems we will find some solution for sure.
2) Once nodes are fetched, then filter out the data at the backend.

Any other solution or suggestion?


Akshay Joshi

Principal Engineer | pgAdmin Hacker

enterprisedb.com

*  Blog*: https://www.enterprisedb.com/akshay-joshi
*  GitHub*: https://github.com/akshay-joshi
*  LinkedIn*: https://www.linkedin.com/in/akshay-joshi-a9317b14
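
Added example, not part of the thread and not pgAdmin code: a sketch of option 2 above (filtering fetched nodes at the backend) that parses relacl entries and keeps only tables where the user holds at least one privilege. The function names, the row shape and the sample rows are assumptions; role names are assumed unquoted, role membership is assumed already resolved, and column-level grants and superuser bypass are not modelled.

```python
import re

# Table privilege letters as they appear in aclitem text.
TABLE_PRIVS = {"r": "SELECT", "a": "INSERT", "w": "UPDATE", "d": "DELETE",
               "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER", "m": "MAINTAIN"}
# aclitem text form: grantee=privileges/grantor ('*' marks a grant option).
ACLITEM = re.compile(r"^(?P<grantee>[^=]*)=(?P<privs>[A-Za-z*]*)/(?P<grantor>.+)$")


def effective_privileges(relacl, owner, user, member_of=()):
    """Return the set of table privileges `user` holds through the ACL.

    relacl    -- list of aclitem strings, or None when the column is NULL
    member_of -- roles whose privileges `user` inherits (hypothetical input)
    """
    identities = {user, *member_of}
    if relacl is None:
        # NULL ACL means built-in defaults: owner holds everything, PUBLIC nothing.
        return set(TABLE_PRIVS.values()) if owner in identities else set()
    held = set()
    for item in relacl:
        m = ACLITEM.match(item)
        if m is None:
            raise ValueError(f"unparseable aclitem: {item!r}")
        grantee = m["grantee"]  # an empty grantee means PUBLIC
        if grantee == "" or grantee in identities:
            held |= {TABLE_PRIVS[c] for c in m["privs"] if c in TABLE_PRIVS}
    return held


def visible_nodes(nodes, user, member_of=()):
    """Keep only the names of nodes where `user` has at least one privilege."""
    return [n["name"] for n in nodes
            if effective_privileges(n["relacl"], n["owner"], user, member_of)]


# Constructed sample rows (name, owner, relacl as text[]); not real catalog data.
SAMPLE_NODES = [
    {"name": "payroll", "owner": "postgres", "relacl": ["postgres=arwdDxt/postgres"]},
    {"name": "orders", "owner": "postgres",
     "relacl": ["postgres=arwdDxt/postgres", "test=r/postgres"]},
    {"name": "lookup", "owner": "postgres",
     "relacl": ["postgres=arwdDxt/postgres", "=r/postgres"]},
    {"name": "fresh", "owner": "postgres", "relacl": None},
    {"name": "reports", "owner": "postgres",
     "relacl": ["postgres=arwdDxt/postgres", "analysts=r*w/postgres"]},
]
```

The NULL-ACL, PUBLIC and inherited-role cases are the ones a plain match on the grantee name in relacl misses.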



* Re: Regarding Feature #5305
@ 2025-03-19 11:41  Dave Page <[email protected]>
  parent: Akshay Joshi <[email protected]>
  0 siblings, 1 reply; 4+ messages in thread

From: Dave Page @ 2025-03-19 11:41 UTC (permalink / raw)
  To: Akshay Joshi <[email protected]>; +Cc: pgadmin-hackers

On Wed, 19 Mar 2025 at 11:12, Akshay Joshi <[email protected]>
wrote:

> Hi Dave/Hackers,
>
> I have started working on the feature #5305
> <https://github.com/pgadmin-org/pgadmin4/issues/5305>. Based on my
> understanding, the Object Explorer should only display nodes or objects
> where the currently logged-in user has at least one permission granted in
> the ACL. In other words, the user must have some level of access to each
> object displayed.
>
> For example, consider two users: 'postgres' (the default user) and 'test'.
> There are objects, such as a table, where the 'test' user does not have any
> permissions. This table was created by the 'postgres' user, who has revoked
> all permissions for other users. Now, if the 'test' user logs into the
> database server, we need to check whether the logged-in user has any
> permissions on the object. If not, it should not be displayed in the Object
> Explorer.
>
> We will have a preference for whether to apply this check or not. There
> are following two solutions that can be implemented:
> 1) Change the *nodes.sql* to filter out the nodes based on privileges.
> It's challenging, as I tried with aclexplode(relacl), unnest(relacl) in the
> WHERE clause, and other different attempts to filter out Table nodes, but
> seems we will find some solution for sure).
> 2) Once nodes are fetched then filter out the data at the backend.
>
> Any other solution or suggestion?
>

This seems like it would be a very large amount of work, for very little
gain, and would certainly be inconsistent with how we would expect to
browse files and folders for example. I do not think it is worth the effort.

-- 
Dave Page
pgAdmin: https://www.pgadmin.org
PostgreSQL: https://www.postgresql.org
pgEdge: https://www.pgedge.com



* Re: Regarding Feature #5305
@ 2025-03-19 12:42  Akshay Joshi <[email protected]>
  parent: Dave Page <[email protected]>
  0 siblings, 1 reply; 4+ messages in thread

From: Akshay Joshi @ 2025-03-19 12:42 UTC (permalink / raw)
  To: Dave Page <[email protected]>; +Cc: pgadmin-hackers

On Wed, Mar 19, 2025 at 5:11 PM Dave Page <[email protected]> wrote:

>
>
> On Wed, 19 Mar 2025 at 11:12, Akshay Joshi <[email protected]>
> wrote:
>
>> Hi Dave/Hackers,
>>
>> I have started working on the feature #5305
>> <https://github.com/pgadmin-org/pgadmin4/issues/5305>. Based on my
>> understanding, the Object Explorer should only display nodes or objects
>> where the currently logged-in user has at least one permission granted in
>> the ACL. In other words, the user must have some level of access to each
>> object displayed.
>>
>> For example, consider two users: 'postgres' (the default user) and
>> 'test'. There are objects, such as a table, where the 'test' user does not
>> have any permissions. This table was created by the 'postgres' user, who
>> has revoked all permissions for other users. Now, if the 'test' user logs
>> into the database server, we need to check whether the logged-in user has
>> any permissions on the object. If not, it should not be displayed in the
>> Object Explorer.
>>
>> We will have a preference for whether to apply this check or not. There
>> are following two solutions that can be implemented:
>> 1) Change the *nodes.sql* to filter out the nodes based on privileges.
>> It's challenging, as I tried with aclexplode(relacl), unnest(relacl) in the
>> WHERE clause, and other different attempts to filter out Table nodes, but
>> seems we will find some solution for sure).
>> 2) Once nodes are fetched then filter out the data at the backend.
>>
>> Any other solution or suggestion?
>>
>
> This seems like it would be a very large amount of work, for very little
> gain, and would certainly be inconsistent with how we would expect to
> browse files and folders for example. I do not think it is worth the effort.
>

    OK, thanks. So should we keep this feature request open or close it?

>
> --
> Dave Page
> pgAdmin: https://www.pgadmin.org
> PostgreSQL: https://www.postgresql.org
> pgEdge: https://www.pgedge.com
>
>



* Re: Regarding Feature #5305
@ 2025-03-19 13:08  Dave Page <[email protected]>
  parent: Akshay Joshi <[email protected]>
  0 siblings, 0 replies; 4+ messages in thread

From: Dave Page @ 2025-03-19 13:08 UTC (permalink / raw)
  To: Akshay Joshi <[email protected]>; +Cc: pgadmin-hackers

On Wed, 19 Mar 2025 at 12:42, Akshay Joshi <[email protected]>
wrote:

>
>
> On Wed, Mar 19, 2025 at 5:11 PM Dave Page <[email protected]> wrote:
>
>>
>>
>> On Wed, 19 Mar 2025 at 11:12, Akshay Joshi <[email protected]>
>> wrote:
>>
>>> Hi Dave/Hackers,
>>>
>>> I have started working on the feature #5305
>>> <https://github.com/pgadmin-org/pgadmin4/issues/5305>. Based on my
>>> understanding, the Object Explorer should only display nodes or objects
>>> where the currently logged-in user has at least one permission granted in
>>> the ACL. In other words, the user must have some level of access to each
>>> object displayed.
>>>
>>> For example, consider two users: 'postgres' (the default user) and
>>> 'test'. There are objects, such as a table, where the 'test' user does not
>>> have any permissions. This table was created by the 'postgres' user, who
>>> has revoked all permissions for other users. Now, if the 'test' user logs
>>> into the database server, we need to check whether the logged-in user has
>>> any permissions on the object. If not, it should not be displayed in the
>>> Object Explorer.
>>>
>>> We will have a preference for whether to apply this check or not. There
>>> are following two solutions that can be implemented:
>>> 1) Change the *nodes.sql* to filter out the nodes based on privileges.
>>> It's challenging, as I tried with aclexplode(relacl), unnest(relacl) in the
>>> WHERE clause, and other different attempts to filter out Table nodes, but
>>> seems we will find some solution for sure).
>>> 2) Once nodes are fetched then filter out the data at the backend.
>>>
>>> Any other solution or suggestion?
>>>
>>
>> This seems like it would be a very large amount of work, for very little
>> gain, and would certainly be inconsistent with how we would expect to
>> browse files and folders for example. I do not think it is worth the effort.
>>
>
>     OK Thanks, So should we keep this feature request open or close it?
>

I'd close it.

-- 
Dave Page
pgAdmin: https://www.pgadmin.org
PostgreSQL: https://www.postgresql.org
pgEdge: https://www.pgedge.com



