Commitfa5f3a4

committed
Fix handling of COMMENT for domain constraints
For a non-superuser, changing a comment on a domain constraint was
leading to a cache lookup failure as the code tried to perform the
ownership lookup on the constraint OID itself, thinking that it was a
type, but this check needs to happen on the type the domain constraint
relies on. As the type a domain constraint relies on can be guessed
directly based on the constraint OID, first fetch its type OID and
perform the ownership on it.

This is broken since 7eca575, which has split the handling of comments
for table constraints and domain constraints, so back-patch down to
9.5.

Reported-by: Clemens Ladisch
Author: Daniel Gustafsson, Michael Paquier
Reviewed-by: Álvaro Herrera
Discussion: https://postgr.es/m/15833-808e11904835d26f@postgresql.org
Backpatch-through: 9.5
1 parent936b5e5 commitfa5f3a4


3 files changed

+52
-1
lines changed


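--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2255,10 +2255,32 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 caseOBJECT_TYPE:
 caseOBJECT_DOMAIN:
 caseOBJECT_ATTRIBUTE:
-caseOBJECT_DOMCONSTRAINT:
 if (!pg_type_ownercheck(address.objectId,roleid))
 aclcheck_error_type(ACLCHECK_NOT_OWNER,address.objectId);
 break;
+caseOBJECT_DOMCONSTRAINT:
+{
+HeapTupletuple;
+Oidcontypid;
+
+tuple=SearchSysCache1(CONSTROID,
+ObjectIdGetDatum(address.objectId));
+if (!HeapTupleIsValid(tuple))
+elog(ERROR,"constraint with OID %u does not exist",
+address.objectId);
+
+contypid= ((Form_pg_constraint)GETSTRUCT(tuple))->contypid;
+
+ReleaseSysCache(tuple);
+
+/*
+* Fallback to type ownership check in this case as this is
+* what domain constraints rely on.
+*/
+if (!pg_type_ownercheck(contypid,roleid))
+aclcheck_error_type(ACLCHECK_NOT_OWNER,contypid);
+}
+break;
 caseOBJECT_AGGREGATE:
 caseOBJECT_FUNCTION:
 caseOBJECT_PROCEDURE: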
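Review bot: In the new OBJECT_DOMCONSTRAINT branch, `contypid` is read from the pg_constraint row and passed to `pg_type_ownercheck()` without confirming that it is a valid type OID. pg_constraint.contypid is zero for a constraint that does not belong to a domain, so if a table-constraint address ever reached this case the ownership check would again end in a cache lookup failure instead of a clear message. The code that resolves the address is outside this hunk and presumably guarantees a domain constraint, so an assertion is enough to record the assumption: `Assert(OidIsValid(contypid));` right after `ReleaseSysCache(tuple);`. The comment could also say what is being checked, e.g. `Fall back to an ownership check on the domain's type, since a domain constraint has no owner of its own.` check_object_ownership() starts and ends outside the hunk.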

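--- a/src/test/regress/input/constraints.source
+++ b/src/test/regress/input/constraints.source
@@ -518,6 +518,10 @@ ALTER TABLE deferred_excl ADD EXCLUDE (f1 WITH =);
 DROP TABLE deferred_excl;
 
 -- Comments
+-- Setup a low-level role to enforce non-superuser checks.
+CREATE ROLE regress_constraint_comments;
+SET SESSION AUTHORIZATION regress_constraint_comments;
+
 CREATE TABLE constraint_comments_tbl (a int CONSTRAINT the_constraint CHECK (a > 0));
 CREATE DOMAIN constraint_comments_dom AS int CONSTRAINT the_constraint CHECK (value > 0);
 
@@ -535,5 +539,16 @@ COMMENT ON CONSTRAINT the_constraint ON DOMAIN no_comments_dom IS 'another bad c
 COMMENT ON CONSTRAINT the_constraint ON constraint_comments_tbl IS NULL;
 COMMENT ON CONSTRAINT the_constraint ON DOMAIN constraint_comments_dom IS NULL;
 
+-- unauthorized user
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_constraint_comments_noaccess;
+SET SESSION AUTHORIZATION regress_constraint_comments_noaccess;
+COMMENT ON CONSTRAINT the_constraint ON constraint_comments_tbl IS 'no, the comment';
+COMMENT ON CONSTRAINT the_constraint ON DOMAIN constraint_comments_dom IS 'no, another comment';
+RESET SESSION AUTHORIZATION;
+
 DROP TABLE constraint_comments_tbl;
 DROP DOMAIN constraint_comments_dom;
+
+DROP ROLE regress_constraint_comments;
+DROP ROLE regress_constraint_comments_noaccess;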
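Review bot: The comment added at new line 521 does not say why the existing COMMENT statements now run as `regress_constraint_comments`, although that switch is what gives the fixed path its regression coverage. Per the commit message the failure only occurred for a non-superuser, and the successful COMMENT ON CONSTRAINT ... ON DOMAIN statements sit between the two hunks, outside what is shown here. I would spell the intent out, e.g. `-- Run the COMMENT tests as a non-superuser owner; the ownership check on domain constraints is only exercised for non-superusers.`, so a later edit does not move the RESET above them and silently lose the coverage. The `-- unauthorized user` comment could likewise state the expectation: `-- A role owning neither the table nor the domain must be rejected for both statements.`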

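--- a/src/test/regress/output/constraints.source
+++ b/src/test/regress/output/constraints.source
@@ -702,6 +702,9 @@ ERROR: could not create exclusion constraint "deferred_excl_f1_excl"
 DETAIL: Key (f1)=(3) conflicts with key (f1)=(3).
 DROP TABLE deferred_excl;
 -- Comments
+-- Setup a low-level role to enforce non-superuser checks.
+CREATE ROLE regress_constraint_comments;
+SET SESSION AUTHORIZATION regress_constraint_comments;
 CREATE TABLE constraint_comments_tbl (a int CONSTRAINT the_constraint CHECK (a > 0));
 CREATE DOMAIN constraint_comments_dom AS int CONSTRAINT the_constraint CHECK (value > 0);
 COMMENT ON CONSTRAINT the_constraint ON constraint_comments_tbl IS 'yes, the comment';
@@ -718,5 +721,16 @@ COMMENT ON CONSTRAINT the_constraint ON DOMAIN no_comments_dom IS 'another bad c
 ERROR: type "no_comments_dom" does not exist
 COMMENT ON CONSTRAINT the_constraint ON constraint_comments_tbl IS NULL;
 COMMENT ON CONSTRAINT the_constraint ON DOMAIN constraint_comments_dom IS NULL;
+-- unauthorized user
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_constraint_comments_noaccess;
+SET SESSION AUTHORIZATION regress_constraint_comments_noaccess;
+COMMENT ON CONSTRAINT the_constraint ON constraint_comments_tbl IS 'no, the comment';
+ERROR: must be owner of relation constraint_comments_tbl
+COMMENT ON CONSTRAINT the_constraint ON DOMAIN constraint_comments_dom IS 'no, another comment';
+ERROR: must be owner of type constraint_comments_dom
+RESET SESSION AUTHORIZATION;
 DROP TABLE constraint_comments_tbl;
 DROP DOMAIN constraint_comments_dom;
+DROP ROLE regress_constraint_comments;
+DROP ROLE regress_constraint_comments_noaccess;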
