Limit database connection only to users known to that database

src/db/core/addRoleBaseMgmtCore.sql

@@ -309,13 +309,23 @@ BEGIN
                     );
    END IF;
 
-   --give the server role LOGIN capability if it is a user
-   --do not remove LOGIN for a team, because instructors may have their reasons
-   -- to make a LOGIN server role a team
+   --in case a pre-existing server role is now registered, give that role LOGIN
+   -- capability if it is a user (in case that privilege was somehow removed);
+   -- but don'o't remove LOGIN from a team: instr. may have reason to let a team login
    IF NOT($3 OR ClassDB.canLogin($1)) THEN
       EXECUTE FORMAT('ALTER ROLE %s LOGIN', $1);
    END IF;
 
+   --permit the role to connect to this database
+   -- can remove this code segment if db-specific group roles are used (when
+   -- initializing the database) to address Issue #277
+   --this code segment is intentionally not merge/optimize with the preceding
+   -- segment (which grants LOGIN to a user role) for clarity, and to make it
+   -- easier to remove/modify this code when Issue #277 is addressed
+   IF ClassDB.canLogin($1) THEN
+      EXECUTE FORMAT('GRANT CONNECT ON DATABASE %I TO %s', current_database(), $1);
+   END IF;
+
 
    -------- schema management --------------------------------------
 
@@ -426,6 +436,15 @@ BEGIN
    --revoke the specified ClassDB role from the role
    EXECUTE FORMAT('REVOKE %s FROM %s', $2, $1);
 
+   --if rolename revoked has no more ClassDB roles, revoke connection to this DB
+   -- can remove this code segment if db-specific group roles are used (when
+   -- initializing the database) to address Issue #277
+   IF (NOT ClassDB.hasClassDBRole($1)) THEN
+      EXECUTE FORMAT('REVOKE CONNECT ON DATABASE %I FROM %s',
+					       current_database(), $1
+					     );
+   END IF;
+
 END;
 $$ LANGUAGE plpgsql
    SECURITY DEFINER;

src/db/core/initializeDBCore.sql

@@ -78,10 +78,19 @@ BEGIN
    -- Postgres grants CONNECT to all by default
    EXECUTE format('REVOKE CONNECT ON DATABASE %I FROM PUBLIC', currentDB);
 
+
+   --the comment and code segment within lined comments can be reinstated if
+   -- db-specific roles are used to address Issue #277
+   -- at that time also look at related comments and code in functions createRole
+   -- and revokeClassDBRole
+   -- the purpose of the disabled code is to address Issue #278 before Issue #277
+
+--------------------------------------------------------------------------------
    --Let only app-specific roles connect to the DB
    -- no need for ClassDB to connect to the DB
-   EXECUTE format('GRANT CONNECT ON DATABASE %I TO ClassDB_Instructor, '
-                  'ClassDB_Student, ClassDB_DBManager', currentDB);
+   --EXECUTE format('GRANT CONNECT ON DATABASE %I TO ClassDB_Instructor, '
+   --               'ClassDB_Student, ClassDB_DBManager', currentDB);
+--------------------------------------------------------------------------------
 
    --Allow ClassDB and ClassDB users to create schemas on the current database
    EXECUTE format('GRANT CREATE ON DATABASE %I TO ClassDB, ClassDB_Instructor,'