Commitb2a459e

Fix GRANTED BY support in REVOKE ROLE statements
Commit 6aaaa76 added support for the GRANTED BY clause in GRANT and REVOKE statements, but missed adding support for checking the role in the REVOKE ROLE case. Fix by checking that the parsed role matches the CURRENT_ROLE/CURRENT_USER requirement, and also add some tests for it. Backpatch to v14 where GRANTED BY support was introduced.
Discussion: https://postgr.es/m/B7F6699A-A984-4943-B9BF-CEB84C003527@yesql.se
Backpatch-through: 14
1 parent36cb5e7 commitb2a459e


4 files changed

+30
-0
lines changed

4 files changed

+30
-0
lines changed

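--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1259,7 +1259,18 @@ GrantRole(GrantRoleStmt *stmt)
 ListCell*item;
 
 if (stmt->grantor)
+{
 grantor=get_rolespec_oid(stmt->grantor, false);
+
+/*
+* Currently, this clause is only for SQL compatibility, not very
+* interesting otherwise.
+*/
+if (grantor!=GetUserId())
+ereport(ERROR,
+(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+errmsg("grantor must be current user")));
+}
 else
 grantor=GetUserId();
 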
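Review bot: The rejected grantor is reported with ERRCODE_FEATURE_NOT_SUPPORTED, but a role that resolves fine and simply is not the session user is a semantic error rather than an unsupported feature; ERRCODE_INVALID_GRANTOR is the more specific SQLSTATE for clients that branch on it, unless matching the error class already used on the GRANT path (not visible here) is the intent. The new comment only says the clause exists for SQL compatibility and not why the restriction is enforced; I would extend it with `* Only the current user is accepted as grantor, so GRANTED BY cannot be used to attribute the change to, or act on behalf of, another role.` Note also the ordering: a non-existent grantor fails inside get_rolespec_oid before any check on the roles being revoked, so that is the first error a caller sees. GrantRole continues outside the hunk.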
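--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -7196,6 +7196,7 @@ RevokeRoleStmt:
 n->admin_opt =false;
 n->granted_roles =$2;
 n->grantee_roles =$4;
+n->grantor =$5;
 n->behavior =$6;
 $$ = (Node*)n;
 }
@@ -7206,6 +7207,7 @@ RevokeRoleStmt:
 n->admin_opt =true;
 n->granted_roles =$5;
 n->grantee_roles =$7;
+n->grantor =$8;
 n->behavior =$9;
 $$ = (Node*)n;
 }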

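--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -29,6 +29,7 @@ CREATE USER regress_priv_user5;-- duplicate
 ERROR: role "regress_priv_user5" already exists
 CREATE USER regress_priv_user6;
 CREATE USER regress_priv_user7;
+CREATE ROLE regress_priv_role;
 GRANT pg_read_all_data TO regress_priv_user6;
 GRANT pg_write_all_data TO regress_priv_user7;
 CREATE GROUP regress_priv_group1;
@@ -44,6 +45,14 @@ CREATE FUNCTION leak(integer,integer) RETURNS boolean
 LANGUAGE internal IMMUTABLE STRICT; -- but deliberately not LEAKPROOF
 ALTER FUNCTION leak(integer,integer) OWNER TO regress_priv_user1;
 -- test owner privileges
+GRANT regress_priv_role TO regress_priv_user1 WITH ADMIN OPTION GRANTED BY CURRENT_ROLE;
+REVOKE ADMIN OPTION FOR regress_priv_role FROM regress_priv_user1 GRANTED BY foo; -- error
+ERROR: role "foo" does not exist
+REVOKE ADMIN OPTION FOR regress_priv_role FROM regress_priv_user1 GRANTED BY regress_priv_user2; -- error
+ERROR: grantor must be current user
+REVOKE ADMIN OPTION FOR regress_priv_role FROM regress_priv_user1 GRANTED BY CURRENT_USER;
+REVOKE regress_priv_role FROM regress_priv_user1 GRANTED BY CURRENT_ROLE;
+DROP ROLE regress_priv_role;
 SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT session_user, current_user;
 session_user | current_user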
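Review bot: The new cases exercise GRANTED BY only from the superuser session that creates the roles (the SET SESSION AUTHORIZATION regress_priv_user1 line comes after them), so the accepting branch is never hit with an explicit role name equal to the current user, and a non-superuser grantor is never exercised at all; the same applies to the matching hunk in src/test/regress/sql/privileges.sql. Keeping regress_priv_role alive into the regress_priv_user1 block (that user holds ADMIN OPTION from the GRANT above) and running `GRANT regress_priv_role TO regress_priv_user2 GRANTED BY regress_priv_user1;` followed by `REVOKE regress_priv_role FROM regress_priv_user2 GRANTED BY regress_priv_user1;` and a rejected `... GRANTED BY regress_priv_user2;` would cover both, with the expected output here updated to match. The two error lines also pin that a non-existent grantor is reported before the mismatched one; if that ordering is deliberate it is worth a `-- error: grantor resolved before admin-option check` style comment so a later reordering is noticed.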

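--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -32,6 +32,7 @@ CREATE USER regress_priv_user5;
 CREATEUSERregress_priv_user5;-- duplicate
 CREATEUSERregress_priv_user6;
 CREATEUSERregress_priv_user7;
+CREATE ROLE regress_priv_role;
 
 GRANT pg_read_all_data TO regress_priv_user6;
 GRANT pg_write_all_data TO regress_priv_user7;
@@ -53,6 +54,13 @@ ALTER FUNCTION leak(integer,integer) OWNER TO regress_priv_user1;
 
 -- test owner privileges
 
+GRANT regress_priv_role TO regress_priv_user1 WITH ADMIN OPTION GRANTED BY CURRENT_ROLE;
+REVOKE ADMIN OPTION FOR regress_priv_roleFROM regress_priv_user1 GRANTED BY foo;-- error
+REVOKE ADMIN OPTION FOR regress_priv_roleFROM regress_priv_user1 GRANTED BY regress_priv_user2;-- error
+REVOKE ADMIN OPTION FOR regress_priv_roleFROM regress_priv_user1 GRANTED BYCURRENT_USER;
+REVOKE regress_priv_roleFROM regress_priv_user1 GRANTED BY CURRENT_ROLE;
+DROP ROLE regress_priv_role;
+
 SET SESSION AUTHORIZATION regress_priv_user1;
 SELECTsession_user,current_user;
 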