88 *
99 *
1010 * IDENTIFICATION
11- * $Header: /cvsroot/pgsql/src/backend/catalog/aclchk.c,v 1.88 2003/09/04 15:53:04 tgl Exp $
11+ * $Header: /cvsroot/pgsql/src/backend/catalog/aclchk.c,v 1.89 2003/10/05 21:49:12 petere Exp $
1212 *
1313 * NOTES
1414 * See acl.h.
@@ -78,7 +78,8 @@ dumpacl(Acl *acl)
7878static Acl *
7979merge_acl_with_grant (Acl * old_acl ,bool is_grant ,
8080List * grantees ,AclMode privileges ,
81- bool grant_option ,DropBehavior behavior )
81+ bool grant_option ,DropBehavior behavior ,
82+ AclId owner_uid )
8283{
8384unsigned modechg ;
8485List * j ;
@@ -97,12 +98,15 @@ merge_acl_with_grant(Acl *old_acl, bool is_grant,
9798AclItem aclitem ;
9899uint32 idtype ;
99100Acl * newer_acl ;
101+ bool grantee_is_owner = false;
100102
101103if (grantee -> username )
102104{
103105aclitem .ai_grantee = get_usesysid (grantee -> username );
104106
105107idtype = ACL_IDTYPE_UID ;
108+
109+ grantee_is_owner = (aclitem .ai_grantee == owner_uid && owner_uid != InvalidOid );
106110}
107111else if (grantee -> groupname )
108112{
@@ -129,11 +133,16 @@ merge_acl_with_grant(Acl *old_acl, bool is_grant,
129133(errcode (ERRCODE_INVALID_GRANT_OPERATION ),
130134errmsg ("grant options can only be granted to individual users" )));
131135
136+ if (!is_grant && grant_option && grantee_is_owner )
137+ ereport (ERROR ,
138+ (errcode (ERRCODE_INVALID_GRANT_OPERATION ),
139+ errmsg ("cannot revoke grant options from owner" )));
140+
132141aclitem .ai_grantor = GetUserId ();
133142
134143ACLITEM_SET_PRIVS_IDTYPE (aclitem ,
135- (is_grant || !grant_option ) ?privileges :ACL_NO_RIGHTS ,
136- (grant_option || !is_grant ) ?privileges :ACL_NO_RIGHTS ,
144+ is_grant || !grant_option ) ?privileges :ACL_NO_RIGHTS ,
145+ grant_option || ( !is_grant && ! grantee_is_owner ) ) ?privileges :ACL_NO_RIGHTS ,
137146idtype );
138147
139148newer_acl = aclinsert3 (new_acl ,& aclitem ,modechg ,behavior );
@@ -257,7 +266,8 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
257266
258267new_acl = merge_acl_with_grant (old_acl ,stmt -> is_grant ,
259268stmt -> grantees ,privileges ,
260- stmt -> grant_option ,stmt -> behavior );
269+ stmt -> grant_option ,stmt -> behavior ,
270+ pg_class_tuple -> relowner );
261271
262272/* finished building new ACL value, now insert it */
263273MemSet (values ,0 ,sizeof (values ));
@@ -355,7 +365,8 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
355365
356366new_acl = merge_acl_with_grant (old_acl ,stmt -> is_grant ,
357367stmt -> grantees ,privileges ,
358- stmt -> grant_option ,stmt -> behavior );
368+ stmt -> grant_option ,stmt -> behavior ,
369+ pg_database_tuple -> datdba );
359370
360371/* finished building new ACL value, now insert it */
361372MemSet (values ,0 ,sizeof (values ));
@@ -451,7 +462,8 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
451462
452463new_acl = merge_acl_with_grant (old_acl ,stmt -> is_grant ,
453464stmt -> grantees ,privileges ,
454- stmt -> grant_option ,stmt -> behavior );
465+ stmt -> grant_option ,stmt -> behavior ,
466+ pg_proc_tuple -> proowner );
455467
456468/* finished building new ACL value, now insert it */
457469MemSet (values ,0 ,sizeof (values ));
@@ -550,7 +562,8 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
550562
551563new_acl = merge_acl_with_grant (old_acl ,stmt -> is_grant ,
552564stmt -> grantees ,privileges ,
553- stmt -> grant_option ,stmt -> behavior );
565+ stmt -> grant_option ,stmt -> behavior ,
566+ InvalidOid );
554567
555568/* finished building new ACL value, now insert it */
556569MemSet (values ,0 ,sizeof (values ));
@@ -646,7 +659,8 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
646659
647660new_acl = merge_acl_with_grant (old_acl ,stmt -> is_grant ,
648661stmt -> grantees ,privileges ,
649- stmt -> grant_option ,stmt -> behavior );
662+ stmt -> grant_option ,stmt -> behavior ,
663+ pg_namespace_tuple -> nspowner );
650664
651665/* finished building new ACL value, now insert it */
652666MemSet (values ,0 ,sizeof (values ));