NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitc559f61

committed

Fix an ALTER GROUP ... DROP USER error message.

This error message stated the privileges required to add a memberto a group even if the user was trying to drop a member:postgres=> alter group a drop user b;ERROR: permission denied to alter roleDETAIL: Only roles with the ADMIN option on role "a" may add members.Since the required privileges for both operations are the same, wecan fix this by modifying the message to mention both adding anddropping members:postgres=> alter group a drop user b;ERROR: permission denied to alter roleDETAIL: Only roles with the ADMIN option on role "a" may add or drop members.Author: ChangAo ChenReviewed-by: Tom LaneDiscussion:https://postgr.es/m/tencent_FAA0D00E3514AAF0BBB6322542A6094FEF05%40qq.comBackpatch-through: 16

1 parentffd9b81 commitc559f61Copy full SHA for c559f61

File tree

3 files changed

+12

-2

lines changed

src
- backend/commands
  - user.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

3 files changed

+12

-2

lines changed

`‎src/backend/commands/user.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -817,12 +817,12 @@ AlterRole(ParseState pstate, AlterRoleStmt stmt)`
`817`	`817`	`"BYPASSRLS","BYPASSRLS")));`
`818`	`818`	`}`
`819`	`819`
`820`		`-/* To addmembers to a role, you need ADMIN OPTION. */`
	`820`	`+/* To addor drop members, you need ADMIN OPTION. */`
`821`	`821`	`if (drolemembers&& !is_admin_of_role(currentUserId,roleid))`
`822`	`822`	`ereport(ERROR,`
`823`	`823`	`(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`824`	`824`	`errmsg("permission denied to alter role"),`
`825`		`-errdetail("Only roles with the %s option on role \"%s\" may add members.",`
	`825`	`+errdetail("Only roles with the %s option on role \"%s\" may addor dropmembers.",`
`826`	`826`	`"ADMIN",rolename)));`
`827`	`827`
`828`	`828`	`/* Convert validuntil to internal form */`

`‎src/test/regress/expected/privileges.out`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,13 @@ CREATE GROUP regress_priv_group1;`
`216`	`216`	`CREATE GROUP regress_priv_group2 WITH ADMIN regress_priv_user1 USER regress_priv_user2;`
`217`	`217`	`ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;`
`218`	`218`	`GRANT regress_priv_group2 TO regress_priv_user2 GRANTED BY regress_priv_user1;`
	`219`	`+SET SESSION AUTHORIZATION regress_priv_user3;`
	`220`	`+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;-- fail`
	`221`	`+ERROR: permission denied to alter role`
	`222`	`+DETAIL: Only roles with the ADMIN option on role "regress_priv_group2" may add or drop members.`
	`223`	`+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2;-- fail`
	`224`	`+ERROR: permission denied to alter role`
	`225`	`+DETAIL: Only roles with the ADMIN option on role "regress_priv_group2" may add or drop members.`
`219`	`226`	`SET SESSION AUTHORIZATION regress_priv_user1;`
`220`	`227`	`ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;`
`221`	`228`	`NOTICE: role "regress_priv_user2" has already been granted membership in role "regress_priv_group2" by role "regress_priv_user1"`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,9 @@ CREATE GROUP regress_priv_group2 WITH ADMIN regress_priv_user1 USER regress_priv`
`169`	`169`	`ALTERGROUP regress_priv_group1 ADD USER regress_priv_user4;`
`170`	`170`
`171`	`171`	`GRANT regress_priv_group2 TO regress_priv_user2 GRANTED BY regress_priv_user1;`
	`172`	`+SET SESSION AUTHORIZATION regress_priv_user3;`
	`173`	`+ALTERGROUP regress_priv_group2 ADD USER regress_priv_user2;-- fail`
	`174`	`+ALTERGROUP regress_priv_group2 DROP USER regress_priv_user2;-- fail`
`172`	`175`	`SET SESSION AUTHORIZATION regress_priv_user1;`
`173`	`176`	`ALTERGROUP regress_priv_group2 ADD USER regress_priv_user2;`
`174`	`177`	`ALTERGROUP regress_priv_group2 ADD USER regress_priv_user2;-- duplicate`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc559f61

File tree

3 files changed

3 files changed

`‎src/backend/commands/user.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments