
Do not force Postgresql user to be admin #3045

@tramuntanal

🎩 Description

When some module requires PostgreSQL extensions like trigram (pg_trgm) or unaccent, a migration is added that enables the extension by executing CREATE EXTENSION IF NOT EXISTS "pg_trgm".

When a developer/sysadmin finds that this migration crashes she has 2 options:

  1. Grant admin permissions to Decidim's user
  2. Comment the content of the migration

Both are bad workarounds because:

  • For 1, giving admin permissions to an application's user is a bad security practice that opens a big security hole in the system. Still worse, this is the preferred workaround because it is what the migration is asking for! "I want to create the trigram extension".
  • Even if the trigram extension is already installed in the PostgreSQL instance, the statement still crashes, because the application user is not allowed to run CREATE EXTENSION at all.

Feature proposal:

As this kind of migration, although not frequent, appears more than once in the Decidim ecosystem (I mean non-core/main modules), it would be great to replace them with SELECT * FROM pg_available_extensions and then check from the Ruby code whether the extension is already installed. If it is already installed, keep running the following migrations; if not, raise an exception asking the sysadmin to enable the given extension with the admin user, not with the current application user.
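One way to implement the proposed check, as an added example that is not Decidim's own code: a plain-Ruby helper that a migration would feed with the rows of pg_available_extensions and that fails with sysadmin-facing instructions instead of running CREATE EXTENSION as the application user. The module, method and error names, the SQL and the sample rows are this example's own assumptions.

```ruby
# Helper for a Rails/Decidim migration: query pg_available_extensions
# (readable by any role) instead of CREATE EXTENSION (needs superuser or
# database-owner rights), and abort with an actionable message when a
# required extension is not installed. Hypothetical names throughout.
module PgExtensionCheck
  class MissingExtension < StandardError; end

  # Query a migration would run through ActiveRecord, e.g.
  #   rows = connection.select_all(AVAILABLE_EXTENSIONS_SQL).to_a
  # installed_version is NULL for extensions shipped but not yet enabled.
  AVAILABLE_EXTENSIONS_SQL =
    "SELECT name, installed_version FROM pg_available_extensions".freeze

  # Returns the required extension names that are not installed.
  # `rows` is an array of hashes with "name" and "installed_version" keys.
  def self.missing(required, rows)
    installed = rows.select { |r| r["installed_version"] }.map { |r| r["name"] }
    required - installed
  end

  # Returns true when every extension is present; otherwise raises with the
  # exact statements the sysadmin must run with a privileged role.
  def self.check!(required, rows, dbname: "decidim")
    absent = missing(required, rows)
    return true if absent.empty?

    statements = absent.map { |ext| "CREATE EXTENSION IF NOT EXISTS #{ext};" }
    raise MissingExtension, <<~MSG
      PostgreSQL extension(s) missing in database #{dbname}: #{absent.join(', ')}.
      Enable them as a superuser (not as the application user), for example:
        psql -d #{dbname} -c '#{statements.join(' ')}'
      then re-run the migrations.
    MSG
  end
end

# Constructed sample of what `connection.select_all(...).to_a` would return:
# pg_trgm is installed, unaccent is available but not enabled.
SAMPLE_ROWS = [
  { "name" => "pg_trgm",  "installed_version" => "1.3" },
  { "name" => "unaccent", "installed_version" => nil },
  { "name" => "plpgsql",  "installed_version" => "1.0" }
].freeze

# Sketch of the migration body (needs ActiveRecord at runtime, so shown as a comment):
#   def up
#     rows = connection.select_all(PgExtensionCheck::AVAILABLE_EXTENSIONS_SQL).to_a
#     PgExtensionCheck.check!(%w[pg_trgm unaccent], rows, dbname: connection.current_database)
#   end
```

With the sample rows the check passes for pg_trgm alone and raises for unaccent, naming only the extension that is actually missing.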

📋 Additional Data

  • 20180227165525 EnablePgExtensions
