Fix created users permission and skip db test in CI (#32)

lewcpe · web-flow · commit c3e4614957cd · 2025-06-30T00:03:04.000+07:00
diff --git a/README.md b/README.md
@@ -117,6 +117,21 @@ The project includes end-to-end tests for the backend API using Cypress. These t
     ```
     *(Note: Ensure the `CYPRESS_BASE_URL` in `compose.test.yml` or your local Cypress config points to the correct backend URL for testing, typically `http://backend:8080` when run via compose, or `http://localhost:8080` if backend is run directly on host for local Cypress development).*
 
+### Backend Go Tests
+
+To run the backend's Go tests, you can use the `backend-tests` profile in the `compose.test.yml` file. This will run the tests in a containerized environment.
+
+```bash
+docker compose -f compose.test.yml --profile backend-tests up --build
+```
+
+Alternatively, you can run the tests directly on your host machine if you have Go installed:
+
+```bash
+cd backend
+PG_ADMIN_DSN="postgres://test_admin:test_password@localhost:5432/test_admin_db?sslmode=disable" go test ./...
+```
+
 ## 7. Project Structure
 
 ```
diff --git a/backend/dbutils/provision.go b/backend/dbutils/provision.go
@@ -296,11 +296,11 @@ func CreatePostgresDatabase(pgAdminDSN, dbName string) error {
 	}
 
 	// Set default CREATE and USAGE privileges for future schemas for write role
-	_, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT CREATE ON TABLES TO %s", writeRole))
+	_, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO %s", writeRole))
 	if err != nil {
 		return fmt.Errorf("failed to alter default CREATE privileges for public schema to write role %s: %w", writeRole, err)
 	}
-	_, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT CREATE ON TABLES TO %s", safeDBName, writeRole))
+	_, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON TABLES TO %s", safeDBName, writeRole))
 	if err != nil {
 		return fmt.Errorf("failed to alter default CREATE privileges for database schema to write role %s: %w", writeRole, err)
 	}
diff --git a/backend/dbutils/provision_test.go b/backend/dbutils/provision_test.go
@@ -252,6 +252,18 @@ func TestUserPermissionsAndIsolation(t *testing.T) {
 			t.Fatalf("Write user failed to delete data: %v", err)
 		}
 
+		// Verify CREATE INDEX is allowed
+		_, err = writeDB.Exec("CREATE INDEX idx_write_test ON write_test_table(id)")
+		if err != nil {
+			t.Fatalf("Write user failed to create index: %v", err)
+		}
+
+		// Verify DROP INDEX is allowed
+		_, err = writeDB.Exec("DROP INDEX idx_write_test")
+		if err != nil {
+			t.Fatalf("Write user failed to drop index: %v", err)
+		}
+
 		// Clean up table
 		_, err = writeDB.Exec("DROP TABLE write_test_table")
 		if err != nil {
@@ -325,3 +337,93 @@ func TestUserPermissionsAndIsolation(t *testing.T) {
 		t.Errorf("Failed to drop second test database %s: %v", testDBName2, err)
 	}
 }
+
+// TestUserCannotCreateOrDropDB verifies that a user with 'write' permissions cannot create or drop databases.
+func TestUserCannotCreateOrDropDB(t *testing.T) {
+	adminDSN := os.Getenv("PG_ADMIN_DSN")
+	if adminDSN == "" {
+		t.Skip("PG_ADMIN_DSN not set, skipping test")
+	}
+
+	// 1. Create a user with 'write' permissions
+	password, err := CreatePostgresUser(adminDSN, testDBName, testUser, "write")
+	if err != nil {
+		t.Fatalf("Failed to create postgres user: %v", err)
+	}
+
+	userDSN := getUserDSN(t, testUser, password, testDBName)
+
+	userDB, err := connectToDB(userDSN)
+	if err != nil {
+		t.Fatalf("Failed to connect to test DB as new user: %v", err)
+	}
+	defer userDB.Close()
+
+	// 2. Attempt to create a database (should fail)
+	_, err = userDB.Exec("CREATE DATABASE should_not_be_created_db")
+	if err == nil {
+		t.Fatal("User should not be able to create a database")
+	}
+	if !strings.Contains(err.Error(), "permission denied") {
+		t.Errorf("Expected 'permission denied' error, got: %v", err)
+	}
+
+	// 3. Attempt to drop a database (should fail)
+	_, err = userDB.Exec(fmt.Sprintf("DROP DATABASE %s", testDBName))
+	if err == nil {
+		t.Fatal("User should not be able to drop a database")
+	}
+	if !strings.Contains(err.Error(), "must be owner of database") {
+		t.Errorf("Expected 'must be owner of database' error, got: %v", err)
+	}
+
+	// 4. Cleanup the user
+	err = DeletePostgresUser(adminDSN, testDBName, testUser)
+	if err != nil {
+		t.Fatalf("Failed to delete postgres user: %v", err)
+	}
+}
+
+// TestUserCanCreateTable verifies a user with 'write' permissions can create and delete tables.
+func TestUserCanCreateTable(t *testing.T) {
+	adminDSN := os.Getenv("PG_ADMIN_DSN")
+	if adminDSN == "" {
+		t.Skip("PG_ADMIN_DSN not set, skipping test")
+	}
+
+	// 1. Create a user with 'write' permissions
+	testUser := "writeuser_createtable_" + uuid.New().String()[:8]
+	password, err := CreatePostgresUser(adminDSN, testDBName, testUser, "write")
+	if err != nil {
+		t.Fatalf("Failed to create postgres user: %v", err)
+	}
+
+	// Defer user deletion
+	defer func() {
+		err := DeletePostgresUser(adminDSN, testDBName, testUser)
+		if err != nil {
+			t.Errorf("Failed to delete postgres user %s: %v", testUser, err)
+		}
+	}()
+
+	userDSN := getUserDSN(t, testUser, password, testDBName)
+
+	userDB, err := connectToDB(userDSN)
+	if err != nil {
+		t.Fatalf("Failed to connect to test DB as new user: %v", err)
+	}
+	defer userDB.Close()
+
+	// 2. Create a table
+	tableName := "test_table_creation"
+	_, err = userDB.Exec(fmt.Sprintf("CREATE TABLE %s (id INT)", tableName))
+	if err != nil {
+		t.Fatalf("User failed to create table: %v", err)
+	}
+
+	// 3. Drop the table
+	_, err = userDB.Exec(fmt.Sprintf("DROP TABLE %s", tableName))
+	if err != nil {
+		t.Fatalf("User failed to drop table: %v", err)
+	}
+}
diff --git a/compose.test.yml b/compose.test.yml
@@ -62,6 +62,8 @@ services:
       - frontend
 
   backend-tests:
+    profiles:
+      - backend-tests
     container_name: pgweb_test_backend_tests
     build:
       context: ./backend
@@ -70,8 +72,7 @@ services:
       PG_ADMIN_DSN: "postgres://test_admin:test_password@postgres:5432/test_admin_db?sslmode=disable"
       PG_HOST: "postgres"
     depends_on:
-      cypress:
-        condition: service_completed_successfully
+      - backend
 
   cypress:
     image: cypress/included:12.17.0

Original file line number	Diff line number	Diff line change
`@@ -296,11 +296,11 @@ func CreatePostgresDatabase(pgAdminDSN, dbName string) error {`
`296`	`296`	`}`
`297`	`297`
`298`	`298`	`// Set default CREATE and USAGE privileges for future schemas for write role`
`299`		`- _, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT CREATE ON TABLES TO %s", writeRole))`
	`299`	`+ _, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO %s", writeRole))`
`300`	`300`	`if err != nil {`
`301`	`301`	`return fmt.Errorf("failed to alter default CREATE privileges for public schema to write role %s: %w", writeRole, err)`
`302`	`302`	`}`
`303`		`- _, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT CREATE ON TABLES TO %s", safeDBName, writeRole))`
	`303`	`+ _, err = newDB.Exec(fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL ON TABLES TO %s", safeDBName, writeRole))`
`304`	`304`	`if err != nil {`
`305`	`305`	`return fmt.Errorf("failed to alter default CREATE privileges for database schema to write role %s: %w", writeRole, err)`
`306`	`306`	`}`