Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

Commitec8a013

Browse files
committed
Fix cascading privilege revoke to notice when privileges are still held.
If we revoke a grant option from some role X, but X still holds the optionvia another grant, we should not recursively revoke the privilege fromrole(s) Y that X had granted it to. This was supposedly fixed as oneaspect of commit4b2dafc, but I must nothave tested it, because in fact that code never worked: it forgot to shiftthe grant-option bits back over when masking the bits being revoked.Per bug #6728 from Daniel German. Back-patch to all active branches,since this has been wrong since 8.0.
1 parent8b6b50a commitec8a013

File tree

3 files changed

+76
-2
lines changed

3 files changed

+76
-2
lines changed

‎src/backend/utils/adt/acl.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1230,11 +1230,11 @@ recursive_revoke(Acl *acl,
12301230
if (grantee==ownerId)
12311231
returnacl;
12321232

1233-
/* The grantee might still havethe privileges via another grantor */
1233+
/* The grantee might still havesome grant options via another grantor */
12341234
still_has=aclmask(acl,grantee,ownerId,
12351235
ACL_GRANT_OPTION_FOR(revoke_privs),
12361236
ACLMASK_ALL);
1237-
revoke_privs &= ~still_has;
1237+
revoke_privs &= ~ACL_OPTION_TO_PRIVS(still_has);
12381238
if (revoke_privs==ACL_NO_RIGHTS)
12391239
returnacl;
12401240

‎src/test/regress/expected/privileges.out

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1331,6 +1331,56 @@ SELECT has_function_privilege('regressuser1', 'testns.testfunc(int)', 'EXECUTE')
13311331
SET client_min_messages TO 'warning';
13321332
DROP SCHEMA testns CASCADE;
13331333
RESET client_min_messages;
1334+
-- test that dependent privileges are revoked (or not) properly
1335+
\c -
1336+
set session role regressuser1;
1337+
create table dep_priv_test (a int);
1338+
grant select on dep_priv_test to regressuser2 with grant option;
1339+
grant select on dep_priv_test to regressuser3 with grant option;
1340+
set session role regressuser2;
1341+
grant select on dep_priv_test to regressuser4 with grant option;
1342+
set session role regressuser3;
1343+
grant select on dep_priv_test to regressuser4 with grant option;
1344+
set session role regressuser4;
1345+
grant select on dep_priv_test to regressuser5;
1346+
\dp dep_priv_test
1347+
Access privileges
1348+
Schema | Name | Type | Access privileges | Column access privileges
1349+
--------+---------------+-------+-----------------------------------+--------------------------
1350+
public | dep_priv_test | table | regressuser1=arwdDxt/regressuser1+|
1351+
| | | regressuser2=r*/regressuser1 +|
1352+
| | | regressuser3=r*/regressuser1 +|
1353+
| | | regressuser4=r*/regressuser2 +|
1354+
| | | regressuser4=r*/regressuser3 +|
1355+
| | | regressuser5=r/regressuser4 |
1356+
(1 row)
1357+
1358+
set session role regressuser2;
1359+
revoke select on dep_priv_test from regressuser4 cascade;
1360+
\dp dep_priv_test
1361+
Access privileges
1362+
Schema | Name | Type | Access privileges | Column access privileges
1363+
--------+---------------+-------+-----------------------------------+--------------------------
1364+
public | dep_priv_test | table | regressuser1=arwdDxt/regressuser1+|
1365+
| | | regressuser2=r*/regressuser1 +|
1366+
| | | regressuser3=r*/regressuser1 +|
1367+
| | | regressuser4=r*/regressuser3 +|
1368+
| | | regressuser5=r/regressuser4 |
1369+
(1 row)
1370+
1371+
set session role regressuser3;
1372+
revoke select on dep_priv_test from regressuser4 cascade;
1373+
\dp dep_priv_test
1374+
Access privileges
1375+
Schema | Name | Type | Access privileges | Column access privileges
1376+
--------+---------------+-------+-----------------------------------+--------------------------
1377+
public | dep_priv_test | table | regressuser1=arwdDxt/regressuser1+|
1378+
| | | regressuser2=r*/regressuser1 +|
1379+
| | | regressuser3=r*/regressuser1 |
1380+
(1 row)
1381+
1382+
set session role regressuser1;
1383+
drop table dep_priv_test;
13341384
-- clean up
13351385
\c
13361386
drop sequence x_seq;

‎src/test/regress/sql/privileges.sql

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -795,6 +795,30 @@ DROP SCHEMA testns CASCADE;
795795
RESET client_min_messages;
796796

797797

798+
-- test that dependent privileges are revoked (or not) properly
799+
\c-
800+
801+
set session role regressuser1;
802+
createtabledep_priv_test (aint);
803+
grantselecton dep_priv_test to regressuser2 withgrant option;
804+
grantselecton dep_priv_test to regressuser3 withgrant option;
805+
set session role regressuser2;
806+
grantselecton dep_priv_test to regressuser4 withgrant option;
807+
set session role regressuser3;
808+
grantselecton dep_priv_test to regressuser4 withgrant option;
809+
set session role regressuser4;
810+
grantselecton dep_priv_test to regressuser5;
811+
\dp dep_priv_test
812+
set session role regressuser2;
813+
revokeselecton dep_priv_testfrom regressuser4 cascade;
814+
\dp dep_priv_test
815+
set session role regressuser3;
816+
revokeselecton dep_priv_testfrom regressuser4 cascade;
817+
\dp dep_priv_test
818+
set session role regressuser1;
819+
droptable dep_priv_test;
820+
821+
798822
-- clean up
799823

800824
\c

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp