Perform privilege grants/revokes only when required

Use `has_table_privileges` and `has_database_privileges` to test whether a user already has a privilege before granting it, or whether a user doesn't have a privilege before revoking it.
2015-04-08 12:44:01 +10:00 · 2015-04-08 12:44:01 +10:00 · 7d66da35a7
commit 7d66da35a7
parent b4515c8909
1 changed files with 12 additions and 10 deletions
--- a/database/postgresql/postgresql_user.py
+++ b/database/postgresql/postgresql_user.py
@ -325,6 +325,8 @@ def user_delete(cursor, user):
    return True

 def has_table_privilege(cursor, user, table, priv):
+    if priv == 'ALL':
+        priv = [ p for p in VALID_PRIVS['table'] if p != 'ALL' ].join(',')
    query = 'SELECT has_table_privilege(%s, %s, %s)'
    cursor.execute(query, (user, table, priv))
    return cursor.fetchone()[0]
@ -378,6 +380,8 @@ def get_database_privileges(cursor, user, db):
    return o

 def has_database_privilege(cursor, user, db, priv):
+    if priv == 'ALL':
+        priv = [ p for p in VALID_PRIVS['database'] if p != 'ALL' ].join(',')
    query = 'SELECT has_database_privilege(%s, %s, %s)'
    cursor.execute(query, (user, db, priv))
    return cursor.fetchone()[0]
@ -415,14 +419,13 @@ def revoke_privileges(cursor, user, privs):
        return False

    changed = False
+    revoke_funcs = dict(table=revoke_table_privilege, database=revoke_database_privilege)
+    check_funcs = dict(table=has_table_privilege, database=has_database_privilege)
    for type_ in privs:
-        revoke_func = {
-            'table':revoke_table_privilege,
-            'database':revoke_database_privilege
-        }[type_]
        for name, privileges in privs[type_].iteritems():
            for privilege in privileges:
-                changed = revoke_func(cursor, user, name, privilege)\
+                if check_funcs[type_](cursor, user, name, privilege):
+                    changed = revoke_funcs[type_](cursor, user, name, privilege)\
                        or changed

    return changed
@ -430,16 +433,15 @@ def revoke_privileges(cursor, user, privs):
 def grant_privileges(cursor, user, privs):
    if privs is None:
        return False
+    grant_funcs = dict(table=grant_table_privilege, database=grant_database_privilege)
+    check_funcs = dict(table=has_table_privilege, database=has_database_privilege)

    changed = False
    for type_ in privs:
-        grant_func = {
-            'table':grant_table_privilege,
-            'database':grant_database_privilege
-        }[type_]
        for name, privileges in privs[type_].iteritems():
            for privilege in privileges:
-                changed = grant_func(cursor, user, name, privilege)\
+                if not check_funcs[type_](cursor, user, name, privilege):
+                    changed = grant_funcs[type_](cursor, user, name, privilege)\
                        or changed

    return changed