From 6952d169792fc2780555f9d5a2e8b941480cc3c3 Mon Sep 17 00:00:00 2001
From: Lorin Hochstein <lorin@nimbisservices.com>
Date: Mon, 18 Feb 2013 21:33:36 -0500
Subject: [PATCH] postgresql_user: Add support for PUBLIC

This change enables users to add and remove permissions to all roles,
using the PUBLIC user. This is equivalent to using the PUBLIC keyword
in GRANT and DENY postgres SQL commands.

For example, see: <http://www.postgresql.org/docs/current/interactive/sql-grant.html>

Fixes #1833
---
 postgresql_user | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/postgresql_user b/postgresql_user
index 95e0162ae67..ab8b4590152 100644
--- a/postgresql_user
+++ b/postgresql_user
@@ -129,6 +129,9 @@ else:
 
 
 def user_exists(cursor, user):
+    # The PUBLIC user is a special case that is always there
+    if user == 'PUBLIC':
+        return True
     query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s"
     cursor.execute(query, {'user': user})
     return cursor.rowcount > 0
@@ -144,6 +147,14 @@ def user_alter(cursor, user, password, role_attr_flags):
     """Change user password"""
     changed = False
 
+    if user == 'PUBLIC':
+        if password is not None:
+            module.fail_json(msg="cannot change the password for PUBLIC user")
+        elif role_attr_flags != '':
+            module.fail_json(msg="cannot change the role_attr_flags for PUBLIC user")
+        else:
+            return False
+
     # Handle passwords.
     if password is not None or role_attr_flags is not None:
         # Select password and all flag-like columns in order to verify changes.
@@ -241,14 +252,20 @@ def has_database_privilege(cursor, user, db, priv):
 
 def grant_database_privilege(cursor, user, db, priv):
     prev_priv = get_database_privileges(cursor, user, db)
-    query = 'GRANT %s ON DATABASE \"%s\" TO \"%s\"' % (priv, db, user)
+    if user == "PUBLIC":
+        query = 'GRANT %s ON DATABASE \"%s\" TO PUBLIC' % (priv, db)
+    else:
+        query = 'GRANT %s ON DATABASE \"%s\" TO \"%s\"' % (priv, db, user)
     cursor.execute(query)
     curr_priv = get_database_privileges(cursor, user, db)
     return len(curr_priv) > len(prev_priv)
 
 def revoke_database_privilege(cursor, user, db, priv):
     prev_priv = get_database_privileges(cursor, user, db)
-    query = 'REVOKE %s ON DATABASE \"%s\" FROM \"%s\"' % (priv, db, user)
+    if user == "PUBLIC":
+        query = 'REVOKE %s ON DATABASE \"%s\" FROM PUBLIC' % (priv, db)
+    else:
+        query = 'REVOKE %s ON DATABASE \"%s\" FROM \"%s\"' % (priv, db, user)
     cursor.execute(query)
     curr_priv = get_database_privileges(cursor, user, db)
     return len(curr_priv) < len(prev_priv)