Commitdf7fe9e

committed

Disallow dropping rules on system tables by default

This was previously not covered by allow_system_table_mods, but now itis. The impact in practice is probably low, but this makes itconsistent with most other DDL commands.Reviewed-by: Robert Haas <robertmhaas@gmail.com>Discussion:https://www.postgresql.org/message-id/flat/ee9df1af-c0d8-7c82-5be7-39ce4e3b0a9d%402ndquadrant.com

1 parent8c6d30f commitdf7fe9eCopy full SHA for df7fe9e

File tree

+27

-2

lines changed

+27

-2

lines changed

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`#include"access/htup_details.h"`
`19`	`19`	`#include"access/sysattr.h"`
`20`	`20`	`#include"access/table.h"`
	`21`	`+#include"catalog/catalog.h"`
`21`	`22`	`#include"catalog/dependency.h"`
`22`	`23`	`#include"catalog/indexing.h"`
`23`	`24`	`#include"catalog/namespace.h"`
`@@ -28,6 +29,7 @@`
`28`	`29`	`#include"utils/fmgroids.h"`
`29`	`30`	`#include"utils/inval.h"`
`30`	`31`	`#include"utils/lsyscache.h"`
	`32`	`+#include"utils/rel.h"`
`31`	`33`	`#include"utils/syscache.h"`
`32`	`34`
`33`	`35`	`/*`
`@@ -72,6 +74,12 @@ RemoveRewriteRuleById(Oid ruleOid)`
`72`	`74`	`eventRelationOid= ((Form_pg_rewrite)GETSTRUCT(tuple))->ev_class;`
`73`	`75`	`event_relation=table_open(eventRelationOid,AccessExclusiveLock);`
`74`	`76`
	`77`	`+if (!allowSystemTableMods&&IsSystemRelation(event_relation))`
	`78`	`+ereport(ERROR,`
	`79`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`80`	`+errmsg("permission denied: \"%s\" is a system catalog",`
	`81`	`+RelationGetRelationName(event_relation))));`
	`82`	`+`
`75`	`83`	`/*`
`76`	`84`	`* Now delete the pg_rewrite tuple for the rule`
`77`	`85`	`*/`

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,16 @@ CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;`
`81`	`81`	`ERROR: permission denied: "pg_description" is a system catalog`
`82`	`82`	`ALTER RULE r1 ON pg_description RENAME TO r2;`
`83`	`83`	`ERROR: permission denied: "pg_description" is a system catalog`
`84`		`---DROP RULE r2 ON pg_description;`
	`84`	`+-- now make one to test dropping:`
	`85`	`+SET allow_system_table_mods TO on;`
	`86`	`+CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;`
	`87`	`+RESET allow_system_table_mods;`
	`88`	`+DROP RULE r2 ON pg_description;`
	`89`	`+ERROR: permission denied: "pg_description" is a system catalog`
	`90`	`+-- cleanup:`
	`91`	`+SET allow_system_table_mods TO on;`
	`92`	`+DROP RULE r2 ON pg_description;`
	`93`	`+RESET allow_system_table_mods;`
`85`	`94`	`SET allow_system_table_mods = on;`
`86`	`95`	`-- create new table in pg_catalog`
`87`	`96`	`BEGIN;`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,15 @@ ALTER TRIGGER t1 ON pg_description RENAME TO t2;`
`79`	`79`	`-- rules`
`80`	`80`	`CREATERULEr1ASON INSERT TO pg_description DO INSTEAD NOTHING;`
`81`	`81`	`ALTERRULE r1ON pg_description RENAME TO r2;`
`82`		`---DROP RULE r2 ON pg_description;`
	`82`	`+-- now make one to test dropping:`
	`83`	`+SET allow_system_table_mods TOon;`
	`84`	`+CREATERULEr2ASON INSERT TO pg_description DO INSTEAD NOTHING;`
	`85`	`+RESET allow_system_table_mods;`
	`86`	`+DROPRULE r2ON pg_description;`
	`87`	`+-- cleanup:`
	`88`	`+SET allow_system_table_mods TOon;`
	`89`	`+DROPRULE r2ON pg_description;`
	`90`	`+RESET allow_system_table_mods;`
`83`	`91`
`84`	`92`
`85`	`93`	`SET allow_system_table_mods=on;`

Comments

(0)