NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit76d8883

committed

When querying a table with child tables, do not check permissions on the

child tables. This was found to be useless and confusing in virtually allcases, and also contrary to the SQL standard.

1 parentab61df9 commit76d8883Copy full SHA for 76d8883

File tree

4 files changed

+33

-20

lines changed

doc/src/sgml
- ddl.sgml
src
- backend/optimizer/prep
  - prepunion.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

4 files changed

+33

-20

lines changed

`‎doc/src/sgml/ddl.sgml`

Lines changed: 11 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.87 2009/06/17 21:58:49 tgl Exp $ -->`
	`1`	`+<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.88 2009/10/23 05:24:52 petere Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter id="ddl">`
`4`	`4`	`<title>Data Definition</title>`
`@@ -2124,20 +2124,20 @@ VALUES ('New York', NULL, NULL, 'NY');`
`2124`	`2124`	`and rejection that apply during <command>CREATE TABLE</command>.`
`2125`	`2125`	`</para>`
`2126`	`2126`
`2127`		`- <sect2 id="ddl-inherit-caveats">`
`2128`		`- <title>Caveats</title>`
`2129`		`-`
`2130`	`2127`	`<para>`
`2131`		`-Tableaccess permissions arenot automatically inherited. Therefore,`
`2132`		`-a user attempting toaccessa parent table must either have permissions`
`2133`		`-to do the same operation on all its child tables as well, or must use the`
`2134`		`-<literal>ONLY</literal> notation. When adding a new child table to`
`2135`		`-an existing inheritance hierarchy, be careful to grant all the needed`
`2136`		`-permissions on it.`
	`2128`	`+Note how tableaccess permissions arehandled. Querying a parent`
	`2129`	`+table can automaticallyaccessdata in child tables without further`
	`2130`	`+access privilege checking. This preserves the appearance that the`
	`2131`	`+data is (also) in the parent table. Accessing the child tables`
	`2132`	`+directly is, however, not automatically allowed and would require`
	`2133`	`+further privileges to be granted.`
`2137`	`2134`	`</para>`
`2138`	`2135`
	`2136`	`+ <sect2 id="ddl-inherit-caveats">`
	`2137`	`+ <title>Caveats</title>`
	`2138`	`+`
`2139`	`2139`	`<para>`
`2140`		`-More generally, note that not all SQL commands are able to work on`
	`2140`	`+Note that not all SQL commands are able to work on`
`2141`	`2141`	`inheritance hierarchies. Commands that are used for data querying,`
`2142`	`2142`	`data modification, or schema modification`
`2143`	`2143`	`(e.g., <literal>SELECT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>,`

`‎src/backend/optimizer/prep/prepunion.c`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@`
`22`	`22`	`*`
`23`	`23`	`*`
`24`	`24`	`* IDENTIFICATION`
`25`		`- * $PostgreSQL: pgsql/src/backend/optimizer/prep/prepunion.c,v 1.176 2009/10/12 18:10:48 tgl Exp $`
	`25`	`+ * $PostgreSQL: pgsql/src/backend/optimizer/prep/prepunion.c,v 1.177 2009/10/23 05:24:52 petere Exp $`
`26`	`26`	`*`
`27`	`27`	`*-------------------------------------------------------------------------`
`28`	`28`	`*/`
`@@ -1244,6 +1244,7 @@ expand_inherited_rtentry(PlannerInfo root, RangeTblEntry rte, Index rti)`
`1244`	`1244`	`childrte=copyObject(rte);`
`1245`	`1245`	`childrte->relid=childOID;`
`1246`	`1246`	`childrte->inh= false;`
	`1247`	`+childrte->requiredPerms=0;/* do not require permissions on child tables */`
`1247`	`1248`	`parse->rtable=lappend(parse->rtable,childrte);`
`1248`	`1249`	`childRTindex=list_length(parse->rtable);`
`1249`	`1250`

`‎src/test/regress/expected/privileges.out`

Lines changed: 16 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -406,11 +406,22 @@ SELECT fx FROM atestp2; -- ok`
`406`	`406`	`----`
`407`	`407`	`(0 rows)`
`408`	`408`
`409`		`-SELECT fy FROM atestp2; -- fail, no privilege on atestc.fy`
`410`		`-ERROR: permission denied for relation atestc`
`411`		`-SELECT atestp2 FROM atestp2; -- fail, no privilege on atestc.fy`
`412`		`-ERROR: permission denied for relation atestc`
`413`		`-SELECT oid FROM atestp2; -- fail, no privilege on atestc.oid`
	`409`	`+SELECT fy FROM atestp2; -- ok`
	`410`	`+ fy`
	`411`	`+----`
	`412`	`+(0 rows)`
	`413`	`+`
	`414`	`+SELECT atestp2 FROM atestp2; -- ok`
	`415`	`+ atestp2`
	`416`	`+---------`
	`417`	`+(0 rows)`
	`418`	`+`
	`419`	`+SELECT oid FROM atestp2; -- ok`
	`420`	`+ oid`
	`421`	`+-----`
	`422`	`+(0 rows)`
	`423`	`+`
	`424`	`+SELECT fy FROM atestc; -- fail`
`414`	`425`	`ERROR: permission denied for relation atestc`
`415`	`426`	`SET SESSION AUTHORIZATION regressuser1;`
`416`	`427`	`GRANT SELECT(fy,oid) ON atestc TO regressuser2;`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -277,9 +277,10 @@ GRANT SELECT(fx) ON atestc TO regressuser2;`
`277`	`277`
`278`	`278`	`SET SESSION AUTHORIZATION regressuser2;`
`279`	`279`	`SELECT fxFROM atestp2;-- ok`
`280`		`-SELECT fyFROM atestp2;-- fail, no privilege on atestc.fy`
`281`		`-SELECT atestp2FROM atestp2;-- fail, no privilege on atestc.fy`
`282`		`-SELECToidFROM atestp2;-- fail, no privilege on atestc.oid`
	`280`	`+SELECT fyFROM atestp2;-- ok`
	`281`	`+SELECT atestp2FROM atestp2;-- ok`
	`282`	`+SELECToidFROM atestp2;-- ok`
	`283`	`+SELECT fyFROM atestc;-- fail`
`283`	`284`
`284`	`285`	`SET SESSION AUTHORIZATION regressuser1;`
`285`	`286`	`GRANTSELECT(fy,oid)ON atestc TO regressuser2;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit76d8883

File tree

4 files changed

4 files changed

`‎doc/src/sgml/ddl.sgml`

`‎src/backend/optimizer/prep/prepunion.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments