Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit0101f77

Browse files
committed
Fix a bug in roles_is_member_of.
Commite3ce2de rearranged thisfunction to be able to identify which inherited role had admin optionon the target role, but it got the order of operations wrong, causingthe function to return wrong answers in the presence of non-inheritedgrants.Fix that, and add a test case that verifies the correct behavior.Patch by me, reviewed by Nathan BossartDiscussion:http://postgr.es/m/CA+TgmoYamnu-xt-u7CqjYWnRiJ6BQaSpYOHXP=r4QGTfd1N_EA@mail.gmail.com
1 parentc7892c2 commit0101f77

File tree

3 files changed

+61
-4
lines changed

3 files changed

+61
-4
lines changed

‎src/backend/utils/adt/acl.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4852,10 +4852,6 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
48524852
Form_pg_auth_membersform= (Form_pg_auth_members)GETSTRUCT(tup);
48534853
Oidotherid=form->roleid;
48544854

4855-
/* If we're supposed to ignore non-heritable grants, do so. */
4856-
if (type==ROLERECURSE_PRIVS&& !form->inherit_option)
4857-
continue;
4858-
48594855
/*
48604856
* While otherid==InvalidOid shouldn't appear in the catalog, the
48614857
* OidIsValid() avoids crashing if that arises.
@@ -4864,6 +4860,10 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
48644860
OidIsValid(admin_of)&& !OidIsValid(*admin_role))
48654861
*admin_role=memberid;
48664862

4863+
/* If we're supposed to ignore non-heritable grants, do so. */
4864+
if (type==ROLERECURSE_PRIVS&& !form->inherit_option)
4865+
continue;
4866+
48674867
/*
48684868
* Even though there shouldn't be any loops in the membership
48694869
* graph, we must test for having already seen this role. It is

‎src/test/regress/expected/privileges.out

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2777,3 +2777,35 @@ SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations;
27772777
RESET ROLE;
27782778
-- clean up
27792779
DROP ROLE regress_readallstats;
2780+
-- test role grantor machinery
2781+
CREATE ROLE regress_group;
2782+
CREATE ROLE regress_group_direct_manager;
2783+
CREATE ROLE regress_group_indirect_manager;
2784+
CREATE ROLE regress_group_member;
2785+
GRANT regress_group TO regress_group_direct_manager WITH INHERIT FALSE, ADMIN TRUE;
2786+
GRANT regress_group_direct_manager TO regress_group_indirect_manager;
2787+
SET SESSION AUTHORIZATION regress_group_direct_manager;
2788+
GRANT regress_group TO regress_group_member;
2789+
SELECT member::regrole::text, CASE WHEN grantor = 10 THEN 'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text END FROM pg_auth_members WHERE roleid = 'regress_group'::regrole ORDER BY 1, 2;
2790+
member | grantor
2791+
------------------------------+------------------------------
2792+
regress_group_direct_manager | BOOTSTRAP SUPERUSER
2793+
regress_group_member | regress_group_direct_manager
2794+
(2 rows)
2795+
2796+
REVOKE regress_group FROM regress_group_member;
2797+
SET SESSION AUTHORIZATION regress_group_indirect_manager;
2798+
GRANT regress_group TO regress_group_member;
2799+
SELECT member::regrole::text, CASE WHEN grantor = 10 THEN 'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text END FROM pg_auth_members WHERE roleid = 'regress_group'::regrole ORDER BY 1, 2;
2800+
member | grantor
2801+
------------------------------+------------------------------
2802+
regress_group_direct_manager | BOOTSTRAP SUPERUSER
2803+
regress_group_member | regress_group_direct_manager
2804+
(2 rows)
2805+
2806+
REVOKE regress_group FROM regress_group_member;
2807+
RESET SESSION AUTHORIZATION;
2808+
DROP ROLE regress_group;
2809+
DROP ROLE regress_group_direct_manager;
2810+
DROP ROLE regress_group_indirect_manager;
2811+
DROP ROLE regress_group_member;

‎src/test/regress/sql/privileges.sql

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1788,3 +1788,28 @@ RESET ROLE;
17881788

17891789
-- clean up
17901790
DROP ROLE regress_readallstats;
1791+
1792+
-- test role grantor machinery
1793+
CREATE ROLE regress_group;
1794+
CREATE ROLE regress_group_direct_manager;
1795+
CREATE ROLE regress_group_indirect_manager;
1796+
CREATE ROLE regress_group_member;
1797+
1798+
GRANT regress_group TO regress_group_direct_manager WITH INHERIT FALSE, ADMIN TRUE;
1799+
GRANT regress_group_direct_manager TO regress_group_indirect_manager;
1800+
1801+
SET SESSION AUTHORIZATION regress_group_direct_manager;
1802+
GRANT regress_group TO regress_group_member;
1803+
SELECT member::regrole::text, CASE WHEN grantor=10 THEN'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text ENDFROM pg_auth_membersWHERE roleid='regress_group'::regroleORDER BY1,2;
1804+
REVOKE regress_groupFROM regress_group_member;
1805+
1806+
SET SESSION AUTHORIZATION regress_group_indirect_manager;
1807+
GRANT regress_group TO regress_group_member;
1808+
SELECT member::regrole::text, CASE WHEN grantor=10 THEN'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text ENDFROM pg_auth_membersWHERE roleid='regress_group'::regroleORDER BY1,2;
1809+
REVOKE regress_groupFROM regress_group_member;
1810+
1811+
RESET SESSION AUTHORIZATION;
1812+
DROP ROLE regress_group;
1813+
DROP ROLE regress_group_direct_manager;
1814+
DROP ROLE regress_group_indirect_manager;
1815+
DROP ROLE regress_group_member;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp