fixed a bug when being root in postgres read/write

dstpierre · dstpierre · commit 91dd03770155 · 2022-08-16T03:16:41.000-04:00
diff --git a/database/postgresql/query.go b/database/postgresql/query.go
@@ -53,8 +53,8 @@ func applyFilter(where string, filters map[string]interface{}) string {
 }
 
 func secureRead(auth internal.Auth, col string) string {
-	if strings.HasPrefix(col, "pub_") && auth.Role < 100 {
-		return "WHERE 1=1 "
+	if strings.HasPrefix(col, "pub_") || auth.Role == 100 {
+		return "WHERE $1=$1 AND $2=$2 "
 	}
 
 	switch internal.ReadPermission(col) {
@@ -69,8 +69,8 @@ func secureRead(auth internal.Auth, col string) string {
 }
 
 func secureWrite(auth internal.Auth, col string) string {
-	if strings.HasPrefix(col, "pub_") && auth.Role < 100 {
-		return "WHERE 1=1 "
+	if strings.HasPrefix(col, "pub_") || auth.Role == 100 {
+		return "WHERE $1=$1 AND $2=$2 "
 	}
 
 	switch internal.WritePermission(col) {

Original file line number	Diff line number	Diff line change
`@@ -53,8 +53,8 @@ func applyFilter(where string, filters map[string]interface{}) string {`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`func secureRead(auth internal.Auth, col string) string {`
`56`		`- if strings.HasPrefix(col, "pub_") && auth.Role < 100 {`
`57`		`- return "WHERE 1=1 "`
	`56`	`+ if strings.HasPrefix(col, "pub_") \|\| auth.Role == 100 {`
	`57`	`+ return "WHERE $1=$1 AND $2=$2 "`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`switch internal.ReadPermission(col) {`
`@@ -69,8 +69,8 @@ func secureRead(auth internal.Auth, col string) string {`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`func secureWrite(auth internal.Auth, col string) string {`
`72`		`- if strings.HasPrefix(col, "pub_") && auth.Role < 100 {`
`73`		`- return "WHERE 1=1 "`
	`72`	`+ if strings.HasPrefix(col, "pub_") \|\| auth.Role == 100 {`
	`73`	`+ return "WHERE $1=$1 AND $2=$2 "`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`switch internal.WritePermission(col) {`