fix: permission for net tables and remove secdef

Author: steve-chavez

Diff for: sql/pg_net--0.11.0--0.11.1.sql

@@ -0,0 +1,13 @@
+alter function net.http_get(text, jsonb, jsonb, integer) security invoker;
+
+alter function net.http_post(text, jsonb, jsonb, jsonb, integer) security invoker;
+
+alter function net.http_delete ( text, jsonb, jsonb, integer) security invoker;
+
+alter function net._http_collect_response ( bigint, boolean) security invoker;
+
+alter function net.http_collect_response ( bigint, boolean) security invoker;
+
+grant usage on schema net to PUBLIC;
+grant all on all sequences in schema net to PUBLIC;
+grant all on all tables in schema net to PUBLIC;

Diff for: sql/pg_net.sql

@@ -115,7 +115,6 @@ create or replace function net.http_get(
     volatile
     parallel safe
     language plpgsql
-    security definer
 as $$
 declare
     request_id bigint;
@@ -159,7 +158,6 @@ create or replace function net.http_post(
     volatile
     parallel safe
     language plpgsql
-    security definer
 as $$
 declare
     request_id bigint;
@@ -229,7 +227,6 @@ create or replace function net.http_delete(
     volatile
     parallel safe
     language plpgsql
-    security definer
 as $$
 declare
     request_id bigint;
@@ -290,7 +287,6 @@ create or replace function net._http_collect_response(
     volatile
     parallel safe
     language plpgsql
-    security definer
 as $$
 declare
     rec net._http_response;
@@ -345,22 +341,13 @@ create or replace function net.http_collect_response(
     volatile
     parallel safe
     language plpgsql
-    security definer
 as $$
 begin
   raise notice 'The net.http_collect_response function is deprecated.';
   select net._http_collect_response(request_id, async);
 end;
 $$;
 
-create or replace function net.worker_restart() returns bool as $$
-  select pg_reload_conf();
-  select pg_terminate_backend(pid)
-  from pg_stat_activity
-  where backend_type ilike '%pg_net%';
-$$
-security definer
-language sql;
-
-grant all on schema net to postgres;
-grant all on all tables in schema net to postgres;
+grant usage on schema net to PUBLIC;
+grant all on all sequences in schema net to PUBLIC;
+grant all on all tables in schema net to PUBLIC;

Diff for: test/test_privileges.py

@@ -0,0 +1,69 @@
+import pytest
+from sqlalchemy import text
+
+def test_net_on_postgres_role(sess):
+    """Check that the postgres role can use the net schema by default"""
+
+    role = sess.execute(text("select current_user;")).fetchone()
+
+    assert role[0] == "postgres"
+
+    # Create a request
+    (request_id,) = sess.execute(text(
+        """
+        select net.http_get(
+            'http://localhost:8080/anything'
+        );
+    """
+    )).fetchone()
+
+    # Commit so background worker can start
+    sess.commit()
+
+    # Confirm that the request was retrievable
+    response = sess.execute(
+        text(
+            """
+        select * from net._http_collect_response(:request_id, async:=false);
+    """
+        ),
+        {"request_id": request_id},
+    ).fetchone()
+    assert response[0] == "SUCCESS"
+
+def test_net_on_another_role(sess):
+    """Check that a newly created role can use the net schema"""
+
+    sess.execute(text("""
+        create role another;
+    """))
+
+    # Create a request
+    (request_id,) = sess.execute(text(
+        """
+        set local role to another;
+        select net.http_get(
+            'http://localhost:8080/anything'
+        );
+    """
+    )).fetchone()
+
+    # Commit so background worker can start
+    sess.commit()
+
+    # Confirm that the request was retrievable
+    response = sess.execute(
+        text(
+            """
+        set local role to another;
+        select * from net._http_collect_response(:request_id, async:=false);
+    """
+        ),
+        {"request_id": request_id},
+    ).fetchone()
+    assert response[0] == "SUCCESS"
+
+    sess.execute(text("""
+        set local role postgres;
+        drop role another;
+    """))