Commit ff122d3

Fix cascading privilege revoke to notice when privileges are still held.

If we revoke a grant option from some role X, but X still holds the option via another grant, we should not recursively revoke the privilege from role(s) Y that X had granted it to. This was supposedly fixed as one aspect of commit 4b2dafc, but I must not have tested it, because in fact that code never worked: it forgot to shift the grant-option bits back over when masking the bits being revoked.

Per bug #6728 from Daniel German. Back-patch to all active branches, since this has been wrong since 8.0.

1 parent 874d97c, commit ff122d3
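The mechanism the commit message describes, as an added example that is not PostgreSQL's code: a small C model of the AclMode bit layout (privilege bits in the low 16 bits, the matching grant-option bits 16 positions higher, following the shape of the macros in acl.h) and of recursive_revoke(), run over the grant chain from the regression test. The role numbers, the single SELECT bit, the Acl container and the buggy/fixed switch are this example's own. It shows that the pre-fix mask `revoke_privs &= ~still_has` ANDs option-bit positions against privilege-bit positions and so leaves revoke_privs untouched, which is why regressuser5's grant was cascaded away even though regressuser4 still held the option via regressuser3.

```c
/* Added example (not PostgreSQL's code): a small model of the AclMode bit layout
 * and of recursive_revoke(), showing why the pre-fix mask `revoke_privs &= ~still_has`
 * never stopped the cascade. The two shift macros follow the shape of those in
 * PostgreSQL's acl.h; role numbers, the SELECT bit and Acl container are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t AclMode;
#define ACL_NO_RIGHTS 0u
#define ACL_SELECT    (1u << 1)   /* bit position chosen for the example */
/* Privilege bits live in the low 16 bits; the grant-option bit for a privilege
 * is the same bit 16 places higher (the acl.h layout). */
#define ACL_GRANT_OPTION_FOR(privs) ((((AclMode) (privs)) & 0xFFFFu) << 16)
#define ACL_OPTION_TO_PRIVS(privs)  ((((AclMode) (privs)) >> 16) & 0xFFFFu)
#define SELECT_ANY (ACL_SELECT | ACL_GRANT_OPTION_FOR(ACL_SELECT))   /* "r*" in \dp */

typedef struct { int grantee; int grantor; AclMode privs; } AclItem;
#define MAX_ITEMS 16
typedef struct { int n; AclItem items[MAX_ITEMS]; } Acl;
enum { USER1 = 1, USER2, USER3, USER4, USER5 };   /* USER1 owns the table */

static void acl_add(Acl *acl, int grantee, int grantor, AclMode privs)
{
    if (acl->n < MAX_ITEMS)
        acl->items[acl->n++] = (AclItem) { grantee, grantor, privs };
}

/* aclmask(..., ACLMASK_ALL) analogue: every bit of 'mask' the grantee holds from anyone. */
static AclMode aclmask(const Acl *acl, int grantee, AclMode mask)
{
    AclMode held = ACL_NO_RIGHTS;
    for (int i = 0; i < acl->n; i++)
        if (acl->items[i].grantee == grantee)
            held |= acl->items[i].privs & mask;
    return held;
}

/* Model of recursive_revoke(): 'grantee' has just lost 'revoke_privs' from one
 * grantor; decide whether the grants it made onward must go too. 'buggy'
 * selects the pre-fix mask. Emptied items stay in the array with privs == 0. */
static void recursive_revoke(Acl *acl, int grantee, AclMode revoke_privs, int owner, bool buggy)
{
    if (grantee == owner) return;
    /* still_has comes back in grant-OPTION bit positions (bits 16..31). */
    AclMode still_has = aclmask(acl, grantee, ACL_GRANT_OPTION_FOR(revoke_privs));
    if (buggy)
        revoke_privs &= ~still_has;                      /* option vs privilege bits: clears nothing */
    else
        revoke_privs &= ~ACL_OPTION_TO_PRIVS(still_has); /* the fix: shift back before masking */
    if (revoke_privs == ACL_NO_RIGHTS)
        return;                                          /* option still held elsewhere: stop here */
    for (int i = 0; i < acl->n; i++) {
        if (acl->items[i].grantor == grantee && (acl->items[i].privs & revoke_privs)) {
            acl->items[i].privs &= ~(revoke_privs | ACL_GRANT_OPTION_FOR(revoke_privs));
            recursive_revoke(acl, acl->items[i].grantee, revoke_privs, owner, buggy);
        }
    }
}

/* REVOKE privs ... FROM grantee CASCADE, issued by 'grantor'. */
static void revoke_cascade(Acl *acl, int grantor, int grantee, AclMode privs, bool buggy)
{
    for (int i = 0; i < acl->n; i++)
        if (acl->items[i].grantee == grantee && acl->items[i].grantor == grantor)
            acl->items[i].privs &= ~(privs | ACL_GRANT_OPTION_FOR(privs));
    recursive_revoke(acl, grantee, privs, USER1, buggy);
}

/* The grant chain from the regression test. */
static Acl regress_acl(void)
{
    Acl acl = { 0 };
    acl_add(&acl, USER2, USER1, SELECT_ANY);
    acl_add(&acl, USER3, USER1, SELECT_ANY);
    acl_add(&acl, USER4, USER2, SELECT_ANY);
    acl_add(&acl, USER4, USER3, SELECT_ANY);
    acl_add(&acl, USER5, USER4, ACL_SELECT);
    return acl;
}

/* What 'who' holds after USER2 revokes SELECT from USER4 (USER4 still has r* via
 * USER3) and, if 'both', after USER3 revokes as well (USER4's last option is gone). */
static AclMode after_revokes(int who, bool both, bool buggy)
{
    Acl acl = regress_acl();
    revoke_cascade(&acl, USER2, USER4, ACL_SELECT, buggy);
    if (both)
        revoke_cascade(&acl, USER3, USER4, ACL_SELECT, buggy);
    return aclmask(&acl, who, SELECT_ANY);
}

int main(void)
{
    printf("fixed: user5 after user2's revoke = %#x\n", (unsigned) after_revokes(USER5, false, false));
    printf("buggy: user5 after user2's revoke = %#x\n", (unsigned) after_revokes(USER5, false, true));
    printf("fixed: user5 after both revokes   = %#x\n", (unsigned) after_revokes(USER5, true, false));
    return 0;
}
```

Flipping `buggy` is the only difference between the two runs: with the old mask, regressuser5 loses SELECT after the first revoke; with the shifted mask it keeps it until regressuser3 also revokes, matching the two `\dp` listings in the regression test.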

File tree

3 files changed: +76 -2 lines changed


src/backend/utils/adt/acl.c

Lines changed: 2 additions & 2 deletions
@@ -1165,11 +1165,11 @@ recursive_revoke(Acl *acl,
11651165
if (grantee==ownerId)
11661166
returnacl;
11671167

1168-
/* The grantee might still havethe privileges via another grantor */
1168+
/* The grantee might still havesome grant options via another grantor */
11691169
still_has=aclmask(acl,grantee,ownerId,
11701170
ACL_GRANT_OPTION_FOR(revoke_privs),
11711171
ACLMASK_ALL);
1172-
revoke_privs &= ~still_has;
1172+
revoke_privs &= ~ACL_OPTION_TO_PRIVS(still_has);
11731173
if (revoke_privs==ACL_NO_RIGHTS)
11741174
returnacl;
11751175
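Review bot: add a short comment at `revoke_privs &= ~ACL_OPTION_TO_PRIVS(still_has);` explaining the bit-range shift, because the bug it fixes was invisible at the call site: still_has comes from aclmask() queried with ACL_GRANT_OPTION_FOR(revoke_privs), so it holds grant-option bits, and the old `revoke_privs &= ~still_has;` ANDed those against privilege-bit positions and cleared nothing, which meant the `if (revoke_privs == ACL_NO_RIGHTS) return acl;` exit was never taken and dependent grants were always revoked. Something like `/* still_has is in option-bit positions; shift back before masking */` above the line would keep the next reader from re-introducing the no-op.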

src/test/regress/expected/privileges.out

Lines changed: 50 additions & 0 deletions
@@ -1216,6 +1216,56 @@ SELECT has_function_privilege('regressuser1', 'testns.testfunc(int)', 'EXECUTE')
12161216
SET client_min_messages TO 'warning';
12171217
DROP SCHEMA testns CASCADE;
12181218
RESET client_min_messages;
1219+
-- test that dependent privileges are revoked (or not) properly
1220+
\c -
1221+
set session role regressuser1;
1222+
create table dep_priv_test (a int);
1223+
grant select on dep_priv_test to regressuser2 with grant option;
1224+
grant select on dep_priv_test to regressuser3 with grant option;
1225+
set session role regressuser2;
1226+
grant select on dep_priv_test to regressuser4 with grant option;
1227+
set session role regressuser3;
1228+
grant select on dep_priv_test to regressuser4 with grant option;
1229+
set session role regressuser4;
1230+
grant select on dep_priv_test to regressuser5;
1231+
\dp dep_priv_test
1232+
Access privileges
1233+
Schema | Name | Type | Access privileges | Column access privileges
1234+
--------+---------------+-------+-----------------------------------+--------------------------
1235+
public | dep_priv_test | table | regressuser1=arwdDxt/regressuser1+|
1236+
| | | regressuser2=r*/regressuser1 +|
1237+
| | | regressuser3=r*/regressuser1 +|
1238+
| | | regressuser4=r*/regressuser2 +|
1239+
| | | regressuser4=r*/regressuser3 +|
1240+
| | | regressuser5=r/regressuser4 |
1241+
(1 row)
1242+
1243+
set session role regressuser2;
1244+
revoke select on dep_priv_test from regressuser4 cascade;
1245+
\dp dep_priv_test
1246+
Access privileges
1247+
Schema | Name | Type | Access privileges | Column access privileges
1248+
--------+---------------+-------+-----------------------------------+--------------------------
1249+
public | dep_priv_test | table | regressuser1=arwdDxt/regressuser1+|
1250+
| | | regressuser2=r*/regressuser1 +|
1251+
| | | regressuser3=r*/regressuser1 +|
1252+
| | | regressuser4=r*/regressuser3 +|
1253+
| | | regressuser5=r/regressuser4 |
1254+
(1 row)
1255+
1256+
set session role regressuser3;
1257+
revoke select on dep_priv_test from regressuser4 cascade;
1258+
\dp dep_priv_test
1259+
Access privileges
1260+
Schema | Name | Type | Access privileges | Column access privileges
1261+
--------+---------------+-------+-----------------------------------+--------------------------
1262+
public | dep_priv_test | table | regressuser1=arwdDxt/regressuser1+|
1263+
| | | regressuser2=r*/regressuser1 +|
1264+
| | | regressuser3=r*/regressuser1 |
1265+
(1 row)
1266+
1267+
set session role regressuser1;
1268+
drop table dep_priv_test;
12191269
-- clean up
12201270
\c
12211271
drop sequence x_seq;
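Review bot: the new block only covers the case where regressuser4 keeps SELECT with grant option from the other grantor; the acl.c change computes still_has from ACL_GRANT_OPTION_FOR(revoke_privs), so a grantee that keeps only plain SELECT (no option) from someone else must still have its onward grants revoked, and nothing here checks that branch. A variant where regressuser3 grants to regressuser4 without `with grant option`, followed by regressuser2's `revoke ... cascade`, should leave `regressuser4=r/regressuser3` and drop the regressuser5 row; adding that listing would pin down both sides of the fix.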

src/test/regress/sql/privileges.sql

Lines changed: 24 additions & 0 deletions
@@ -671,6 +671,30 @@ DROP SCHEMA testns CASCADE;
671671
RESET client_min_messages;
672672

673673

674+
-- test that dependent privileges are revoked (or not) properly
675+
\c-
676+
677+
set session role regressuser1;
678+
createtabledep_priv_test (aint);
679+
grantselecton dep_priv_test to regressuser2 withgrant option;
680+
grantselecton dep_priv_test to regressuser3 withgrant option;
681+
set session role regressuser2;
682+
grantselecton dep_priv_test to regressuser4 withgrant option;
683+
set session role regressuser3;
684+
grantselecton dep_priv_test to regressuser4 withgrant option;
685+
set session role regressuser4;
686+
grantselecton dep_priv_test to regressuser5;
687+
\dp dep_priv_test
688+
set session role regressuser2;
689+
revokeselecton dep_priv_testfrom regressuser4 cascade;
690+
\dp dep_priv_test
691+
set session role regressuser3;
692+
revokeselecton dep_priv_testfrom regressuser4 cascade;
693+
\dp dep_priv_test
694+
set session role regressuser1;
695+
droptable dep_priv_test;
696+
697+
674698
-- clean up
675699

676700
\c
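Review bot: the pass/fail condition rests entirely on `\dp dep_priv_test` output, whose column layout ties the expected file to one psql version, which matters for a change the commit message says is back-patched to all active branches. Earlier tests in this file assert through has_function_privilege(); a `select has_table_privilege('regressuser5', 'dep_priv_test', 'select');` after each `revoke ... cascade` would state the intended outcome explicitly (true after regressuser2's revoke, false after regressuser3's) and survive formatting differences in `\dp`.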
