Perform privilege grants/revokes only when required
Use `has_table_privileges` and `has_database_privileges` to test whether a user already has a privilege before granting it, or whether a user doesn't have a privilege before revoking it.
This commit is contained in:
parent
b4515c8909
commit
7d66da35a7
1 changed files with 12 additions and 10 deletions
|
@ -325,6 +325,8 @@ def user_delete(cursor, user):
|
|||
return True
|
||||
|
||||
def has_table_privilege(cursor, user, table, priv):
|
||||
if priv == 'ALL':
|
||||
priv = [ p for p in VALID_PRIVS['table'] if p != 'ALL' ].join(',')
|
||||
query = 'SELECT has_table_privilege(%s, %s, %s)'
|
||||
cursor.execute(query, (user, table, priv))
|
||||
return cursor.fetchone()[0]
|
||||
|
@ -378,6 +380,8 @@ def get_database_privileges(cursor, user, db):
|
|||
return o
|
||||
|
||||
def has_database_privilege(cursor, user, db, priv):
|
||||
if priv == 'ALL':
|
||||
priv = [ p for p in VALID_PRIVS['database'] if p != 'ALL' ].join(',')
|
||||
query = 'SELECT has_database_privilege(%s, %s, %s)'
|
||||
cursor.execute(query, (user, db, priv))
|
||||
return cursor.fetchone()[0]
|
||||
|
@ -415,14 +419,13 @@ def revoke_privileges(cursor, user, privs):
|
|||
return False
|
||||
|
||||
changed = False
|
||||
revoke_funcs = dict(table=revoke_table_privilege, database=revoke_database_privilege)
|
||||
check_funcs = dict(table=has_table_privilege, database=has_database_privilege)
|
||||
for type_ in privs:
|
||||
revoke_func = {
|
||||
'table':revoke_table_privilege,
|
||||
'database':revoke_database_privilege
|
||||
}[type_]
|
||||
for name, privileges in privs[type_].iteritems():
|
||||
for privilege in privileges:
|
||||
changed = revoke_func(cursor, user, name, privilege)\
|
||||
if check_funcs[type_](cursor, user, name, privilege):
|
||||
changed = revoke_funcs[type_](cursor, user, name, privilege)\
|
||||
or changed
|
||||
|
||||
return changed
|
||||
|
@ -430,16 +433,15 @@ def revoke_privileges(cursor, user, privs):
|
|||
def grant_privileges(cursor, user, privs):
|
||||
if privs is None:
|
||||
return False
|
||||
grant_funcs = dict(table=grant_table_privilege, database=grant_database_privilege)
|
||||
check_funcs = dict(table=has_table_privilege, database=has_database_privilege)
|
||||
|
||||
changed = False
|
||||
for type_ in privs:
|
||||
grant_func = {
|
||||
'table':grant_table_privilege,
|
||||
'database':grant_database_privilege
|
||||
}[type_]
|
||||
for name, privileges in privs[type_].iteritems():
|
||||
for privilege in privileges:
|
||||
changed = grant_func(cursor, user, name, privilege)\
|
||||
if not check_funcs[type_](cursor, user, name, privilege):
|
||||
changed = grant_funcs[type_](cursor, user, name, privilege)\
|
||||
or changed
|
||||
|
||||
return changed
|
||||
|
|
Loading…
Reference in a new issue