NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit4cfc948

committed

Refine rules for altering publication owner

Previously, the new owner had to be a superuser. The new rules are morerefined similar to other objects.Reviewed-by: Petr Jelinek <petr.jelinek@2ndquadrant.com>

1 parent96a7128 commit4cfc948Copy full SHA for 4cfc948

File tree

4 files changed

+41

-12

lines changed

doc/src/sgml/ref
- alter_publication.sgml
src
- backend/commands
  - publicationcmds.c
- test/regress
  - expected
    - publication.out
  - sql
    - publication.sql

4 files changed

+41

-12

lines changed

`‎doc/src/sgml/ref/alter_publication.sgml`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -48,8 +48,11 @@ ALTER PUBLICATION <replaceable class="PARAMETER">name</replaceable> DROP TABLE <`
`48`	`48`	`</para>`
`49`	`49`
`50`	`50`	`<para>`
`51`		`- To alter the owner, you must also be a direct or indirect member of the`
`52`		`- new owning role. The new owner has to be a superuser`
	`51`	`+ To alter the owner, you must also be a direct or indirect member of the new`
	`52`	`+ owning role. The new owner must have <literal>CREATE</literal> privilege on`
	`53`	`+ the database. Also, the new owner of a <literal>FOR ALL TABLES</literal>`
	`54`	`+ publication must be a superuser. However, a superuser can change the`
	`55`	`+ ownership of a publication while circumventing these restrictions.`
`53`	`56`	`</para>`
`54`	`57`
`55`	`58`	`<para>`

`‎src/backend/commands/publicationcmds.c`

Lines changed: 24 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -670,17 +670,31 @@ AlterPublicationOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId)`
`670`	`670`	`if (form->pubowner==newOwnerId)`
`671`	`671`	`return;`
`672`	`672`
`673`		`-if (!pg_publication_ownercheck(HeapTupleGetOid(tup),GetUserId()))`
`674`		`-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PUBLICATION,`
`675`		`-NameStr(form->pubname));`
	`673`	`+if (!superuser())`
	`674`	`+{`
	`675`	`+AclResultaclresult;`
`676`	`676`
`677`		`-/* New owner must be a superuser */`
`678`		`-if (!superuser_arg(newOwnerId))`
`679`		`-ereport(ERROR,`
`680`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`681`		`-errmsg("permission denied to change owner of publication \"%s\"",`
`682`		`-NameStr(form->pubname)),`
`683`		`-errhint("The owner of a publication must be a superuser.")));`
	`677`	`+/* Must be owner */`
	`678`	`+if (!pg_publication_ownercheck(HeapTupleGetOid(tup),GetUserId()))`
	`679`	`+aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PUBLICATION,`
	`680`	`+NameStr(form->pubname));`
	`681`	`+`
	`682`	`+/* Must be able to become new owner */`
	`683`	`+check_is_member_of_role(GetUserId(),newOwnerId);`
	`684`	`+`
	`685`	`+/* New owner must have CREATE privilege on database */`
	`686`	`+aclresult=pg_database_aclcheck(MyDatabaseId,newOwnerId,ACL_CREATE);`
	`687`	`+if (aclresult!=ACLCHECK_OK)`
	`688`	`+aclcheck_error(aclresult,ACL_KIND_DATABASE,`
	`689`	`+get_database_name(MyDatabaseId));`
	`690`	`+`
	`691`	`+if (form->puballtables&& !superuser_arg(newOwnerId))`
	`692`	`+ereport(ERROR,`
	`693`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`694`	`+errmsg("permission denied to change owner of publication \"%s\"",`
	`695`	`+NameStr(form->pubname)),`
	`696`	`+errhint("The owner of a FOR ALL TABLES publication must be a superuser.")));`
	`697`	`+}`
`684`	`698`
`685`	`699`	`form->pubowner=newOwnerId;`
`686`	`700`	`CatalogTupleUpdate(rel,&tup->t_self,tup);`

`‎src/test/regress/expected/publication.out`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -182,6 +182,14 @@ ALTER PUBLICATION testpub_default RENAME TO testpub_foo;`
`182`	`182`
`183`	`183`	`-- rename back to keep the rest simple`
`184`	`184`	`ALTER PUBLICATION testpub_foo RENAME TO testpub_default;`
	`185`	`+ALTER PUBLICATION testpub_default OWNER TO regress_publication_user2;`
	`186`	`+\dRp testpub_default`
	`187`	`+ List of publications`
	`188`	`+ Name \| Owner \| Inserts \| Updates \| Deletes`
	`189`	`+-----------------+---------------------------+---------+---------+---------`
	`190`	`+ testpub_default \| regress_publication_user2 \| t \| t \| t`
	`191`	`+(1 row)`
	`192`	`+`
`185`	`193`	`DROP PUBLICATION testpub_default;`
`186`	`194`	`DROP PUBLICATION testpib_ins_trunct;`
`187`	`195`	`DROP PUBLICATION testpub_fortbl;`

`‎src/test/regress/sql/publication.sql`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,10 @@ ALTER PUBLICATION testpub_default RENAME TO testpub_foo;`
`108`	`108`	`-- rename back to keep the rest simple`
`109`	`109`	`ALTER PUBLICATION testpub_foo RENAME TO testpub_default;`
`110`	`110`
	`111`	`+ALTER PUBLICATION testpub_default OWNER TO regress_publication_user2;`
	`112`	`+`
	`113`	`+\dRp testpub_default`
	`114`	`+`
`111`	`115`	`DROP PUBLICATION testpub_default;`
`112`	`116`	`DROP PUBLICATION testpib_ins_trunct;`
`113`	`117`	`DROP PUBLICATION testpub_fortbl;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4cfc948

File tree

4 files changed

4 files changed

`‎doc/src/sgml/ref/alter_publication.sgml`

`‎src/backend/commands/publicationcmds.c`

`‎src/test/regress/expected/publication.out`

`‎src/test/regress/sql/publication.sql`

0 commit comments