pgAdmin 4 in server mode had no data isolation between users — any
authenticated user could access other users' private servers,
background processes, and debugger state by guessing object IDs.
The shared server feature had 21 vulnerabilities including credential
leaks, privilege escalation via passexec_cmd, and owner data
corruption via SQLAlchemy session mutations.
Centralized access control:
- New server_access.py with get_server(), get_server_group(),
get_user_server_query() replacing ~20 unfiltered queries
- connection_manager() raises ObjectGone (HTTP 410) in server mode
when access is denied — fixes 155+ unguarded callers
- UserScopedMixin.for_user() on 10 models replaces scattered
user_id filters
Shared server isolation (all 21 audit issues):
- Expunge server from session before property merge to prevent
owner data corruption
- Suppress passexec_cmd, post_connection_sql for non-owners in
merge, API response, and ServerManager
- Override all 6 SSL/passfile connection_params keys from
SharedServer; strip owner-only keys; sanitize on creation
- _is_non_owner() helper centralises 15+ inline ownership checks
- SharedServer lookup uses (osid, user_id) not name
- Unique constraint on SharedServer(osid, user_id)
- Tunnel/DB password save, change_password, clear_saved_password,
clear_sshtunnel_password all branch on ownership
- Only owner can unshare (delete_shared_server guard)
- Session restore includes shared servers
- tunnel_port/tunnel_keep_alive copied from owner, not hardcoded
Tool/module hardening:
- All tool endpoints use get_server()
- Debugger function arguments scoped by user_id
- Background processes use Process.for_user()
- Workspace adhoc servers scoped to current user
Migration (schema version 49 -> 50):
- Add user_id to debugger_function_arguments composite PK
- Add indexes on server, sharedserver, servergroup
- Add unique constraint on sharedserver(osid, user_id)
1) Replace the deprecated unit test method.
2) Wraps filter usage in a list call.
3) Converts the old metaclass syntax to new.
4) Use range instead of xrange method.
5) Change Unicode to str.
6) Several other transformations.
7) Fixed change password test cases.
8) Use simplejson instead of plain JSON.
1) Rename field "node_type" to prevent any misunderstanding/clash with field "NODE_TYPE" defined.
2) Define a constant instead of duplicating this literal.
Solution:
1) Rename the field "NODE_TYPE" and "COLLECTION_LABEL" to "_NODE_TYPE" and "_COLLECTION_LABEL"
2) Declare the constant in PGChildNodeView for SQL files.
'static' directory from 'templates' in the respective module directory:
- Server Group
- Server
- Database
- Schema
- Cast
- Event trigger
- Extension
- Foreign data wrapper
- Language
- Catalog Object
- Collation
- Domain Constraint
- Domain
- Foreign server
- FTS Configuration
- FTS Dictionary
- FTS Parser
- FTS Template
- Function
- Procedure
- Trigger Function
- Package
- Sequence
- Catalog
- Schema
- Synonym
- Table
- Type
- Materialized View
- View
- pgAgent Modules
+ Job (pga_job)
+ Schedule (pga_schedule)
+ Steps (pga_jobstep)
Added new dynanic modules for listing the supported server types, and
current user information.
NOTE: We've not yet moved the javascripts for the children of the table
module.
Created a url_for function module to be used by different javascript
modules to use the same functionality of flask at client side.
A python module can expose the list of endpoints, used by its
javascripts, by overriding the 'get_exposed_url_endpoints(self)'
function.
In this patch, we have modified all the browser modules to use this
function. It will allow us to move the majority of the javascript
modules of browser nodes from templates directory to the static
directory.
TODO::
- Move these javascripts modules to the static directory.
- Use this function in all the applicable javascript modules.
e.g. tools, miscellaneous modules
algorithm.
This patch takes care of:
* Consistent behaviour during create, update operation on any node.
- It should return the node data during creating a new object, or
updating the existing one.
* Now that - we have consistent behaviour during these operations, we
can consistently move, update the tree item based the node data from
the server.
* Implemented the methods for each node to get the information about
that particular node only.
* Using the above changes to implement the 'refresh' operation on tree
node properly.
I must thank Surinder, and Harshal for helping me implement the 'node'
method, and also changed the behaviour of create & update methods to
return the node data for most of the nodes.
Fixes#1244
tree nodes.
Each individual node is responsible for introducing the 'canDrop'
function/flag to decide whether the 'Delete/Drop' context menu should be
enabled/disabled.
In commit-id: 26aa5607ad, 'obj.canDrop'
was set to true in the 'pgBrowser.Node' in delete callback, just to make
the server-group droppable, which is wrong, as all the nodes are
getting affected because of this change in a wrong way.
To fix the issue, added the 'canDrop' function in the server-group node.
Apart from them, also added restriction for not allowing to delete the
default server-group.
Also, handled the same restriction at the server end.
Also - includes:
* Added 'parent_id' in the 'generate_browser_node' function of the Nodes
to allow them to move around the parents objects (specially through
update/save functionality).
* Handles the issue related to adding the older object back to the
collection (DataModel).
Author: Ashesh Vashi
Reviewed by: Neel Patel, and Akshay Joshi.
Ashesh Vashi
Akshay Joshi
Khushboo Vashi
Benjamin Blattberg
Matěj Cepl
Mark Mayo
Aditya Toshniwal
Pradip Parkale
Nikhil Mohite
Cyril Jouve
Dave Page
Murtuza Zabuawala
Harshal Dhumal
Surinder Kumar
Jonas Thelemann