On Tuesday, October 27, 2015 at 6:38:46 PM UTC-7, Jeremy Swartwood wrote:
>
> Ah, it wasn't clear from that page (I did read it), that :read_only was a
> pre-built already designed construct. I thought it was just an example
> name for a server.
>
> If I am understanding your reply, you are implying that by default
> everything uses "write", and then the sequel gem automatically uses
> ":read_only" connection/server if it exists for all SELECT queries?
>
Basically. If you haven't specified a server/shard and you call a method
that returns rows (something going through Dataset#each), it will use the
:read_only connection if it exists. Otherwise it will use the :default
connection.
>
> I changed my connection to the below and it appears to work (I tested
> by revoking permissions for all tables but 1):
>
> # Credentials for the read-only shard (a DB account with only SELECT grants)
> read_options = { user: config.reader.username,
>                  password: config.reader.password,
>                  compress: config.compress,
>                  max_connections: config.max_connections }  # Sequel's option is :max_connections
>
> # Default (writer) connection; Sequel routes reads to :read_only when present
> options = { user: config.writer.username,
>             password: config.writer.password,
>             compress: config.compress,
>             max_connections: config.max_connections,
>             servers: { read_only: read_options } }
>
> Sequel.default_timezone = :utc
>
> connector.connect(config.reader.connection_string, options)
>
>
>
> Does this really add a security benefit? It feels like an auto switch by
> type of call, instead of a white-list of connection type based on intended
> call. Meaning, if I'm doing a select (.all, .first), and I accidentally left
> something open for SQL injection or some other vulnerability, I don't want
> the sequel gem to magically just use the "Write" connection. Or is this a
> moot point and I've over-worried? How would I make sure that intended
> connection type is being used?
>
No, it doesn't add a security benefit. This is designed to make it simple
to use writable master/read-only slave database configurations; it doesn't
affect security.
If you use Dataset#all or Dataset#first, it will automatically use the
:read_only server, not the :default server.
If you want to force what server a particular dataset uses, you specify it
using Dataset#server.
Thanks,
Jeremy
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
Visit this group at http://groups.google.com/group/sequel-talk.