
Commitf7a2002

committed
Add object TRUNCATE hook
All operations with acl permissions checks should have a corresponding hook so that, for example, mandatory access control (MAC) may be enforced by an extension. The command TRUNCATE is missing this hook, so add it. Patch by Yuli Khodorkovskiy with some editorialization by me. Based on the discussion, not back-patched. A separate patch will exercise the hook in the sepgsql extension.
Author: Yuli Khodorkovskiy
Reviewed-by: Joe Conway
Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com
1 parentd1c866e commitf7a2002


3 files changed

+32
-1
lines changed

3 files changed

+32
-1
lines changed

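--- a/src/backend/catalog/objectaccess.c
+++ b/src/backend/catalog/objectaccess.c
@@ -11,6 +11,7 @@
 #include"postgres.h"
 
 #include"catalog/objectaccess.h"
+#include"catalog/pg_class.h"
 #include"catalog/pg_namespace.h"
 #include"catalog/pg_proc.h"
 
@@ -64,6 +65,22 @@ RunObjectDropHook(Oid classId, Oid objectId, int subId,
 (void*)&drop_arg);
 }
 
+/*
+* RunObjectTruncateHook
+*
+* It is the entrypoint of OAT_TRUNCATE event
+*/
+void
+RunObjectTruncateHook(OidobjectId)
+{
+/* caller should check, but just in case... */
+Assert(object_access_hook!=NULL);
+
+(*object_access_hook) (OAT_TRUNCATE,
+RelationRelationId,objectId,0,
+NULL);
+}
+
 /*
 * RunObjectPostAlterHook
 *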
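Review bot: The header comment on `RunObjectTruncateHook` does not say that the only guard that is certain to run against a null `object_access_hook` is the `if (object_access_hook)` test in the `InvokeObjectTruncateHook` macro; the `Assert` here is presumably compiled out of non-assert builds, so a direct call with no hook installed would call through a null pointer. The function also fixes classId to `RelationRelationId`, subId to 0 and arg to `NULL`, none of which the comment mentions, and a hook that dereferences arg for this event would fault. Suggested comment text: `* Calls the hook with RelationRelationId, subId 0 and a NULL arg; call it only through InvokeObjectTruncateHook(), which checks that a hook is set.`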

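--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -1937,6 +1937,8 @@ truncate_check_rel(Oid relid, Form_pg_class reltuple)
 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 errmsg("permission denied: \"%s\" is a system catalog",
 relname)));
+
+InvokeObjectTruncateHook(relid);
 }
 
 /*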
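Review bot: The hook call is the last statement of `truncate_check_rel`, so a MAC extension is consulted only for relations that reach this function, and only after the system-catalog check above it has passed. The start of the function is outside the hunk, so which other checks precede the hook cannot be confirmed from here. It is worth confirming that every TRUNCATE path goes through `truncate_check_rel`, including any relations the command adds on its own through inheritance or CASCADE, because a path that skips this function skips the hook silently. A comment above the call would record the intent, for example `/* Built-in checks passed; give extensions (e.g. MAC) a chance to veto */`. The commit message defers the sepgsql user of the hook to a separate patch, so nothing in this commit exercises the new call.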

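--- a/src/include/catalog/objectaccess.h
+++ b/src/include/catalog/objectaccess.h
@@ -37,6 +37,10 @@
 * creation or altering, because OAT_POST_CREATE or OAT_POST_ALTER are
 * sufficient for extensions to track these kind of checks.
 *
+* OAT_TRUNCATE should be invoked just before truncation of objects. This
+* event is equivalent to truncate permission on a relation under the
+* default access control mechanism.
+*
 * Other types may be added in the future.
 */
 typedefenumObjectAccessType
@@ -45,7 +49,8 @@ typedef enum ObjectAccessType
 OAT_DROP,
 OAT_POST_ALTER,
 OAT_NAMESPACE_SEARCH,
-OAT_FUNCTION_EXECUTE
+OAT_FUNCTION_EXECUTE,
+OAT_TRUNCATE
 }ObjectAccessType;
 
 /*
@@ -131,6 +136,7 @@ extern void RunObjectPostCreateHook(Oid classId, Oid objectId, int subId,
 boolis_internal);
 externvoidRunObjectDropHook(OidclassId,OidobjectId,intsubId,
 intdropflags);
+externvoidRunObjectTruncateHook(OidobjectId);
 externvoidRunObjectPostAlterHook(OidclassId,OidobjectId,intsubId,
 OidauxiliaryId,boolis_internal);
 externboolRunNamespaceSearchHook(OidobjectId,boolereport_on_violation);
@@ -160,6 +166,12 @@ extern void RunFunctionExecuteHook(Oid objectId);
 (dropflags));\
 } while(0)
 
+#defineInvokeObjectTruncateHook(objectId)\
+do {\
+if (object_access_hook)\
+RunObjectTruncateHook(objectId);\
+} while(0)
+
 #defineInvokeObjectPostAlterHook(classId,objectId,subId)\
 InvokeObjectPostAlterHookArg((classId),(objectId),(subId),\
 InvalidOid,false)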
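Review bot: The new `OAT_TRUNCATE` comment block does not tell hook authors what they receive or how to handle the event, yet every installed `object_access_hook` will now be called with an access type it may not know. Hooks that switch on `ObjectAccessType` need their default branch checked: one that raises an error would start rejecting every TRUNCATE, while one that ignores unknown values would allow it without any MAC decision. The comment could state the calling contract, for example `* OAT_TRUNCATE passes no argument struct; arg is NULL.` As a smaller style point, `InvokeObjectTruncateHook` passes `objectId` unparenthesized, while the neighbouring `InvokeObjectPostAlterHook` writes `(objectId)`.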
