Mailing List Archive

On Wed, 10 Mar 2010 00:28:40 +0100
Michael Rasmussen <mir at datanom.net> wrote:

> Any ideas?
>
Forgot to mention that I can still login using the users which should
have shown up and requesting for events still shows each users events.

--
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
There is no distinctly native American criminal class except Congress.
-- Mark Twain
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.morphoss.com/pipermail/davical-users/attachments/20100310/60b0173c/attachment.pgp>
-------------- next part --------------

On Wed, 10 Mar 2010 00:32:07 +0100
Michael Rasmussen <mir at datanom.net> wrote:

> On Wed, 10 Mar 2010 00:28:40 +0100
> Michael Rasmussen <mir at datanom.net> wrote:
>
> > Any ideas?
> >
> Forgot to mention that I can still login using the users which should
> have shown up and requesting for events still shows each users events.
>
In the log a see this and a hose of similar lines:
[error] [client 192.168.2.79] davical: LOG: Browse:User Calendar
Principals:DoQuery: Query: QF: ERROR: permission denied for relation
principal, referer: http://davical.datanom.net/index.php

user configured to use is davical_app and this user can connect either
via unix_socket or vis tcp_socket. Logging in as this user also shows
that select from principal is permitted by the user.

--
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
Write clearly - don't sacrifice clarity for "efficiency".
- The Elements of Programming Style (Kernighan & Plaugher)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.morphoss.com/pipermail/davical-users/attachments/20100310/05121339/attachment-0001.pgp>
-------------- next part --------------

On Wed, 2010-03-10 at 00:28 +0100, Michael Rasmussen wrote:
> Hi Andrew,
>
> After upgrading to 0.9.8.4 the web interface List Users and List
> Resources displays no users and resources while the Setup page shows
> this:
> No. of Principals No. of Collections No. of Resources
> 3 2 352
>
> On my development server I see a similar output
> No. of Principals No. of Collections No. of Resources
> 5 4 712
>
> Any ideas?

Yeah, I think you're probably still suffering from this issue here:

http://wiki.davical.org/w/Issues/Wrong_table_owner

Cheers,
Andrew.
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com +64(272)DEBIAN
You will experience a strong urge to do good; but it will pass.
------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.morphoss.com/pipermail/davical-users/attachments/20100310/92ab8a48/attachment.pgp>
-------------- next part --------------

On Wed, 10 Mar 2010 15:46:23 +1300
Andrew McMillan <andrew at morphoss.com> wrote:

>
> Yeah, I think you're probably still suffering from this issue here:
>
I did follow your solution to the problem but the solution you have
given dos not completely solve the issue. To completely solve the issue
you need to revoke all grants given by the owner to other users as well
as revoke all grants given by that your to itself before changing owner
of the tables, views, sequences and triggers because you will otherwise
have grants given by the former owner listed first in the UCL for the
objects and apparently postgres uses a first match when looking up
access rights. The problem is then that these grants given by the
former owner, which is no longer owner, is not valid anymore. Missing
to revoke grants will permanently damage your database which you are
not able to resolve in any other way than to export all data, drop the
database and then recreate it importing your old database.

regards,
Michael

On Wed, 2010-03-10 at 11:05 +0100, Michael Rasmussen wrote:
> On Wed, 10 Mar 2010 15:46:23 +1300
> Andrew McMillan <andrew at morphoss.com> wrote:
>
> >
> > Yeah, I think you're probably still suffering from this issue here:
> >
> I did follow your solution to the problem but the solution you have
> given dos not completely solve the issue. To completely solve the issue
> you need to revoke all grants given by the owner to other users as well
> as revoke all grants given by that your to itself before changing owner
> of the tables, views, sequences and triggers because you will otherwise
> have grants given by the former owner listed first in the UCL for the
> objects and apparently postgres uses a first match when looking up
> access rights. The problem is then that these grants given by the
> former owner, which is no longer owner, is not valid anymore. Missing
> to revoke grants will permanently damage your database which you are
> not able to resolve in any other way than to export all data, drop the
> database and then recreate it importing your old database.

Well, that's overstating the case a little, perhaps, since a database
'superuser' should always be able to access the database and fix it up.

The "--revoke dbusername" option to update-davical-database is also
there in order to revoke permissions from database users that have
previously been granted permission mistakenly or accidentally.

In some cases like this, however, the order of processing by
update-davical-database can work against it. The *last* thing it does
is to set the permissions on everything, which is normally the right
behaviour, but if the permissions denied it the ability to make changes
earlier in the procedure, then you will unfortunately need to run it a
second time.

Cheers,
Andrew.

------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com +64(272)DEBIAN
You will live a long, healthy, happy life and make bags of money.
------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.morphoss.com/pipermail/davical-users/attachments/20100311/b56b5fe4/attachment.pgp>
-------------- next part --------------