fix #10209: restrict one's changes to user, group

components/dsl/resources/ome/dsl/psql-footer.vm

@@ -535,6 +535,82 @@ CREATE TRIGGER _fs_directory_mimetype
     BEFORE UPDATE ON originalfile
     FOR EACH ROW EXECUTE PROCEDURE _fs_directory_mimetype();
 
+-- Prevent SQL DELETE from removing the root experimenter from the system or user group.
+CREATE FUNCTION prevent_root_deactivate_delete() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.child = 0 THEN
+            IF OLD.parent = 0 THEN
+                RAISE EXCEPTION 'cannot remove system group membership for root';
+            ELSIF OLD.parent = 1 THEN
+                RAISE EXCEPTION 'cannot remove user group membership for root';
+            END IF;
+        END IF;
+        RETURN OLD;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_root_deactivate_delete
+    BEFORE DELETE ON groupexperimentermap
+    FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate_delete();
+
+-- Prevent SQL UPDATE from removing the root experimenter from the system or user group.
+CREATE FUNCTION prevent_root_deactivate_update() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.child != NEW.child OR OLD.parent != NEW.parent THEN
+            IF OLD.child = 0 THEN
+                IF OLD.parent = 0 THEN
+                    RAISE EXCEPTION 'cannot remove system group membership for root';
+                ELSIF OLD.parent = 1 THEN
+                    RAISE EXCEPTION 'cannot remove user group membership for root';
+                END IF;
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_root_deactivate_update
+    BEFORE UPDATE ON groupexperimentermap
+    FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate_update();
+
+-- Prevent the root and guest experimenters from being renamed.
+CREATE FUNCTION prevent_experimenter_rename() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.omename != NEW.omename THEN
+            IF OLD.id = 0 THEN
+                RAISE EXCEPTION 'cannot rename root experimenter';
+            ELSIF OLD.id = 1 THEN
+                RAISE EXCEPTION 'cannot rename guest experimenter';
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_experimenter_rename
+    BEFORE UPDATE ON experimenter
+    FOR EACH ROW EXECUTE PROCEDURE prevent_experimenter_rename();
+
+-- Prevent the system, user and guest groups from being renamed.
+CREATE FUNCTION prevent_experimenter_group_rename() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.name != NEW.name THEN
+            IF OLD.id = 0 THEN
+                RAISE EXCEPTION 'cannot rename system experimenter group';
+            ELSIF OLD.id = 1 THEN
+                RAISE EXCEPTION 'cannot rename user experimenter group';
+            ELSIF OLD.id = 2 THEN
+                RAISE EXCEPTION 'cannot rename guest experimenter group';
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_experimenter_group_rename
+    BEFORE UPDATE ON experimentergroup
+    FOR EACH ROW EXECUTE PROCEDURE prevent_experimenter_group_rename();
+
 create table _fs_deletelog (
     event_id bigint not null,
     file_id bigint not null,

sql/psql/OMERO5.0DEV__6/OMERO4.4__0.sql

@@ -165,22 +165,6 @@ CREATE TABLE filesetversioninfo (
     CONSTRAINT fkfilesetversioninfo_update_id_event            FOREIGN KEY (update_id)   REFERENCES event
 );
 
--- CREATE TABLE count_fileset_annotationlinks_by_owner (
---     fileset_id INT8 NOT NULL,
---     "count" INT8 NOT NULL,
---     owner_id INT8 NOT NULL,
---     CONSTRAINT count_fileset_annotationlinks_by_owner_pkey PRIMARY KEY (fileset_id, owner_id),
---     CONSTRAINT fk_count_to_fileset_annotationLinks FOREIGN KEY (fileset_id) REFERENCES fileset
--- );
-
--- CREATE TABLE count_fileset_joblinks_by_owner (
---     fileset_id INT8 NOT NULL,
---     "count" INT8 NOT NULL,
---     owner_id INT8 NOT NULL,
---     CONSTRAINT count_fileset_joblinks_by_owner_pkey PRIMARY KEY (fileset_id, owner_id),
---     CONSTRAINT fk_count_to_fileset_jobLinks FOREIGN KEY (fileset_id) REFERENCES fileset
--- );
-
 CREATE VIEW count_fileset_annotationlinks_by_owner (fileset_id, owner_id, "count") AS
     SELECT parent, owner_id, count(*) FROM filesetannotationlink
     GROUP BY parent, owner_id ORDER BY parent;

sql/psql/OMERO5.0DEV__6/psql-footer.sql

@@ -2128,6 +2128,82 @@ CREATE TRIGGER _fs_directory_mimetype
     BEFORE UPDATE ON originalfile
     FOR EACH ROW EXECUTE PROCEDURE _fs_directory_mimetype();
 
+-- Prevent SQL DELETE from removing the root experimenter from the system or user group.
+CREATE FUNCTION prevent_root_deactivate_delete() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.child = 0 THEN
+            IF OLD.parent = 0 THEN
+                RAISE EXCEPTION 'cannot remove system group membership for root';
+            ELSIF OLD.parent = 1 THEN
+                RAISE EXCEPTION 'cannot remove user group membership for root';
+            END IF;
+        END IF;
+        RETURN OLD;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_root_deactivate_delete
+    BEFORE DELETE ON groupexperimentermap
+    FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate_delete();
+
+-- Prevent SQL UPDATE from removing the root experimenter from the system or user group.
+CREATE FUNCTION prevent_root_deactivate_update() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.child != NEW.child OR OLD.parent != NEW.parent THEN
+            IF OLD.child = 0 THEN
+                IF OLD.parent = 0 THEN
+                    RAISE EXCEPTION 'cannot remove system group membership for root';
+                ELSIF OLD.parent = 1 THEN
+                    RAISE EXCEPTION 'cannot remove user group membership for root';
+                END IF;
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_root_deactivate_update
+    BEFORE UPDATE ON groupexperimentermap
+    FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate_update();
+
+-- Prevent the root and guest experimenters from being renamed.
+CREATE FUNCTION prevent_experimenter_rename() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.omename != NEW.omename THEN
+            IF OLD.id = 0 THEN
+                RAISE EXCEPTION 'cannot rename root experimenter';
+            ELSIF OLD.id = 1 THEN
+                RAISE EXCEPTION 'cannot rename guest experimenter';
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_experimenter_rename
+    BEFORE UPDATE ON experimenter
+    FOR EACH ROW EXECUTE PROCEDURE prevent_experimenter_rename();
+
+-- Prevent the system, user and guest groups from being renamed.
+CREATE FUNCTION prevent_experimenter_group_rename() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.name != NEW.name THEN
+            IF OLD.id = 0 THEN
+                RAISE EXCEPTION 'cannot rename system experimenter group';
+            ELSIF OLD.id = 1 THEN
+                RAISE EXCEPTION 'cannot rename user experimenter group';
+            ELSIF OLD.id = 2 THEN
+                RAISE EXCEPTION 'cannot rename guest experimenter group';
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_experimenter_group_rename
+    BEFORE UPDATE ON experimentergroup
+    FOR EACH ROW EXECUTE PROCEDURE prevent_experimenter_group_rename();
+
 create table _fs_deletelog (
     event_id bigint not null,
     file_id bigint not null,

sql/psql/OMERO5.0__0/OMERO5.0DEV__6.sql

@@ -64,6 +64,82 @@ CREATE TRIGGER _fs_directory_mimetype
     BEFORE UPDATE ON originalfile
     FOR EACH ROW EXECUTE PROCEDURE _fs_directory_mimetype();
 
+-- Prevent SQL DELETE from removing the root experimenter from the system or user group.
+CREATE FUNCTION prevent_root_deactivate_delete() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.child = 0 THEN
+            IF OLD.parent = 0 THEN
+                RAISE EXCEPTION 'cannot remove system group membership for root';
+            ELSIF OLD.parent = 1 THEN
+                RAISE EXCEPTION 'cannot remove user group membership for root';
+            END IF;
+        END IF;
+        RETURN OLD;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_root_deactivate_delete
+    BEFORE DELETE ON groupexperimentermap
+    FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate_delete();
+
+-- Prevent SQL UPDATE from removing the root experimenter from the system or user group.
+CREATE FUNCTION prevent_root_deactivate_update() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.child != NEW.child OR OLD.parent != NEW.parent THEN
+            IF OLD.child = 0 THEN
+                IF OLD.parent = 0 THEN
+                    RAISE EXCEPTION 'cannot remove system group membership for root';
+                ELSIF OLD.parent = 1 THEN
+                    RAISE EXCEPTION 'cannot remove user group membership for root';
+                END IF;
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_root_deactivate_update
+    BEFORE UPDATE ON groupexperimentermap
+    FOR EACH ROW EXECUTE PROCEDURE prevent_root_deactivate_update();
+
+-- Prevent the root and guest experimenters from being renamed.
+CREATE FUNCTION prevent_experimenter_rename() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.omename != NEW.omename THEN
+            IF OLD.id = 0 THEN
+                RAISE EXCEPTION 'cannot rename root experimenter';
+            ELSIF OLD.id = 1 THEN
+                RAISE EXCEPTION 'cannot rename guest experimenter';
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_experimenter_rename
+    BEFORE UPDATE ON experimenter
+    FOR EACH ROW EXECUTE PROCEDURE prevent_experimenter_rename();
+
+-- Prevent the system, user and guest groups from being renamed.
+CREATE FUNCTION prevent_experimenter_group_rename() RETURNS "trigger" AS $$
+    BEGIN
+        IF OLD.name != NEW.name THEN
+            IF OLD.id = 0 THEN
+                RAISE EXCEPTION 'cannot rename system experimenter group';
+            ELSIF OLD.id = 1 THEN
+                RAISE EXCEPTION 'cannot rename user experimenter group';
+            ELSIF OLD.id = 2 THEN
+                RAISE EXCEPTION 'cannot rename guest experimenter group';
+            END IF;
+        END IF;
+        RETURN NEW;
+    END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_experimenter_group_rename
+    BEFORE UPDATE ON experimentergroup
+    FOR EACH ROW EXECUTE PROCEDURE prevent_experimenter_group_rename();
+
 --
 -- FINISHED
 --