CartoDB-SQL-API icon indicating copy to clipboard operation
CartoDB-SQL-API copied to clipboard
verified publisher icon CartoDB

Inserting in shared tables fails because of sequence permission

Open juanignaciosl opened this issue 10 years ago • 13 comments

I can add rows in this table through the editor, but not with the SQL API:

➜  ~  curl -d "api_key=<myapikey>&q=insert into rtorre.csv_3 (kkk) values ('Japan')" https://juanignaciosl.cartodb.com/api/v2/sql
{"error":["permission denied for sequence csv_3_cartodb_id_seq"]}%

I report it here for @rochoa to take a look, but it probably involves a fix in CartoDB backend organization user creation

juanignaciosl avatar Jun 09 '15 11:06 juanignaciosl

Which pg role/user is doing the query in the editor? The same user/role should generate the error, right?

rochoa avatar Jun 09 '15 14:06 rochoa

bump!

rochoa avatar Jun 17 '15 08:06 rochoa

that means the editor is not using the right permissions ?

javisantana avatar Jun 17 '15 09:06 javisantana

In the editor table owner role is used.

juanignaciosl avatar Jun 17 '15 09:06 juanignaciosl

and why not the current user performing the edition?

javisantana avatar Jun 17 '15 09:06 javisantana

¯_(ツ)_/¯

Let's summon @rafatower , maybe he knows a reason on why Table always uses owner. It just looks like usage of Table has always been based on owner instead of viewer_user, which looks like is not used for data handling at all.

juanignaciosl avatar Jun 17 '15 09:06 juanignaciosl

I think it's a bug in rails.

FYI: Basically those inserts should be performed from the frontend using SQL, it's the only part of the frontend that still needs to be migrated cc @CartoDB/frontend

javisantana avatar Jun 17 '15 09:06 javisantana

Ok, back to the issue, this might turn into a "user should've had permission on sequence" error, isn't it? Maybe I can fix it at CartoDB/issues#3859 as well.

juanignaciosl avatar Jun 17 '15 09:06 juanignaciosl

shouldn't be fixed in cartodb-postgres?

javisantana avatar Jun 17 '15 09:06 javisantana

True, maybe in CDB_Organization_Add_Table_Read_Write_Permission?

juanignaciosl avatar Jun 17 '15 09:06 juanignaciosl

Yes, I think so. That function should take care to grant permission on table associated entities.

Will this pop for other entities like indexes? The problem I see is: what happens if another entity is associated to the table, like a new index, will that mean that the granted users will get again in a situation where they cannot insert? Something like STR:

  1. User A creates table wadus with sequence wadus_cartodb_id_seq
  2. User A grants write permission to User B with CDB_Organization_Add_Table_Read_Write_Permission
  3. User B insert data into wadus
  4. User A creates a new index in table wadus.

rochoa avatar Jun 17 '15 10:06 rochoa

Adding an index is not a problem, isn't it? It's transparent to user B. Only entities with high coupling to the tables, like sequences, should be granted, and I can't think about any other specific need. Maybe if A creates a trigger on wadus which uses a function that B can't use? Rare corner cases, I think.

juanignaciosl avatar Jun 17 '15 11:06 juanignaciosl

IMO there's no good reason to do that with the owner from Table. The editor should rely more on the sql api for its job whenever possible.

rafatower avatar Jun 17 '15 13:06 rafatower