Commita0b76dc

Create a separate grantable privilege for TRUNCATE, rather than having it be
always owner-only. The TRUNCATE privilege works identically to the DELETE privilege so far as interactions with the rest of the system go.

Robert Haas
1 parenta26c7e3 commita0b76dc


22 files changed

+153
-65
lines changed


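--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.82 2008/05/09 23:32:03 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.83 2008/09/08 00:47:40 tgl Exp $ -->
 
 <chapter id="ddl">
 <title>Data Definition</title>
@@ -1356,7 +1356,7 @@ ALTER TABLE products RENAME TO items;
 <para>
 There are several different privileges: <literal>SELECT</>,
 <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
-<literal>REFERENCES</>, <literal>TRIGGER</>,
+<literal>TRUNCATE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
 <literal>CREATE</>, <literal>CONNECT</>, <literal>TEMPORARY</>,
 <literal>EXECUTE</>, and <literal>USAGE</>.
 The privileges applicable to a particular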

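--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.445 2008/09/07 01:29:36 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.446 2008/09/08 00:47:40 tgl Exp $ -->
 
 <chapter id="functions">
 <title>Functions and Operators</title>
@@ -11369,7 +11369,7 @@ SELECT has_function_privilege('joeuser', 'myfunc(int, text)', 'execute');
 The desired access privilege type
 is specified by a text string, which must evaluate to one of the
 values <literal>SELECT</literal>, <literal>INSERT</literal>,
-<literal>UPDATE</literal>, <literal>DELETE</literal>,
+<literal>UPDATE</literal>, <literal>DELETE</literal>, <literal>TRUNCATE</>,
 <literal>REFERENCES</literal>, or <literal>TRIGGER</literal>.
 (Case of the string is not significant, however.)
 An example is: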

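--- a/doc/src/sgml/information_schema.sgml
+++ b/doc/src/sgml/information_schema.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/information_schema.sgml,v 1.33 2007/02/20 23:14:19 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/information_schema.sgml,v 1.34 2008/09/08 00:47:40 tgl Exp $ -->
 
 <chapter id="information-schema">
 <title>The Information Schema</title>
@@ -2820,9 +2820,9 @@ ORDER BY c.ordinal_position;
 <entry><type>character_data</type></entry>
 <entry>
 Type of the privilege: <literal>SELECT</literal>,
-<literal>DELETE</literal>, <literal>INSERT</literal>,
-<literal>UPDATE</literal>, <literal>REFERENCES</literal>,
-or <literal>TRIGGER</literal>
+<literal>INSERT</literal>, <literal>UPDATE</literal>,
+<literal>DELETE</literal>, <literal>TRUNCATE</literal>,
+<literal>REFERENCES</literal>,or <literal>TRIGGER</literal>
 </entry>
 </row>
 
@@ -4406,9 +4406,9 @@ ORDER BY c.ordinal_position;
 <entry><type>character_data</type></entry>
 <entry>
 Type of the privilege: <literal>SELECT</literal>,
-<literal>DELETE</literal>, <literal>INSERT</literal>,
-<literal>UPDATE</literal>, <literal>REFERENCES</literal>,
-or <literal>TRIGGER</literal>
+<literal>INSERT</literal>, <literal>UPDATE</literal>,
+<literal>DELETE</literal>, <literal>TRUNCATE</literal>,
+<literal>REFERENCES</literal>,or <literal>TRIGGER</literal>
 </entry>
 </row>
 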

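--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.70 2008/07/03 15:59:55 petere Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.71 2008/09/08 00:47:40 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -20,7 +20,7 @@ PostgreSQL documentation
 
 <refsynopsisdiv>
 <synopsis>
-GRANT { { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }
+GRANT { { SELECT | INSERT | UPDATE | DELETE |TRUNCATE |REFERENCES | TRIGGER }
 [,...] | ALL [ PRIVILEGES ] }
 ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
 TO { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
@@ -192,6 +192,16 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...] TO <replaceable
 </listitem>
 </varlistentry>
 
+<varlistentry>
+<term>TRUNCATE</term>
+<listitem>
+<para>
+Allows <xref linkend="sql-truncate" endterm="sql-truncate-title"> on
+the specified table.
+</para>
+</listitem>
+</varlistentry>
+
 <varlistentry>
 <term>REFERENCES</term>
 <listitem>
@@ -421,8 +431,8 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...] TO <replaceable
 =&gt; \z mytable
 Access privileges
 Schema | Name | Type | Access privileges
---------+---------+-------+----------------------
-public | mytable | table | miriam=arwdxt/miriam
+--------+---------+-------+-----------------------
+public | mytable | table | miriam=arwdDxt/miriam
 : =r/miriam
 : admin=arw/miriam
 (1 row)
@@ -436,14 +446,15 @@ GRANT <replaceable class="PARAMETER">role</replaceable> [, ...] TO <replaceable
 w -- UPDATE ("write")
 a -- INSERT ("append")
 d -- DELETE
+D -- TRUNCATE
 x -- REFERENCES
 t -- TRIGGER
 X -- EXECUTE
 U -- USAGE
 C -- CREATE
 c -- CONNECT
 T -- TEMPORARY
-arwdxt -- ALL PRIVILEGES (for tables)
+arwdDxt -- ALL PRIVILEGES (for tables)
 * -- grant option for preceding privilege
 
 /yyyy -- role that granted this privilege
@@ -466,7 +477,7 @@ GRANT SELECT, UPDATE, INSERT ON mytable TO admin;
 object type, as explained above. The first <command>GRANT</> or
 <command>REVOKE</> on an object
 will instantiate the default privileges (producing, for example,
-<literal>{miriam=arwdxt/miriam}</>) and then modify them per the
+<literal>{miriam=arwdDxt/miriam}</>) and then modify them per the
 specified request.
 </para>
 
@@ -524,7 +535,8 @@ GRANT admins TO joe;
 <para>
 <productname>PostgreSQL</productname> allows an object owner to revoke his
 own ordinary privileges: for example, a table owner can make the table
-read-only to himself by revoking his own INSERT, UPDATE, and DELETE
+read-only to himself by revoking his own <literal>INSERT</>,
+<literal>UPDATE</>, <literal>DELETE</>, and <literal>TRUNCATE</>
 privileges. This is not possible according to the SQL standard. The
 reason is that <productname>PostgreSQL</productname> treats the owner's
 privileges as having been granted by the owner to himself; therefore he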

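--- a/doc/src/sgml/ref/lock.sgml
+++ b/doc/src/sgml/ref/lock.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/lock.sgml,v 1.48 2006/09/16 00:30:19 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/lock.sgml,v 1.49 2008/09/08 00:47:40 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -155,7 +155,8 @@ where <replaceable class="PARAMETER">lockmode</replaceable> is one of:
 <para>
 <literal>LOCK TABLE ... IN ACCESS SHARE MODE</> requires <literal>SELECT</>
 privileges on the target table. All other forms of <command>LOCK</>
-require <literal>UPDATE</> and/or <literal>DELETE</> privileges.
+require at least one of <literal>UPDATE</>, <literal>DELETE</>, or
+<literal>TRUNCATE</> privileges.
 </para>
 
 <para>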

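--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.47 2008/03/03 19:17:27 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.48 2008/09/08 00:47:40 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -21,7 +21,7 @@ PostgreSQL documentation
 <refsynopsisdiv>
 <synopsis>
 REVOKE [ GRANT OPTION FOR ]
-{ { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }
+{ { SELECT | INSERT | UPDATE | DELETE |TRUNCATE |REFERENCES | TRIGGER }
 [,...] | ALL [ PRIVILEGES ] }
 ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
 FROM { [ GROUP ] <replaceable class="PARAMETER">rolename</replaceable> | PUBLIC } [, ...]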

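--- a/doc/src/sgml/ref/truncate.sgml
+++ b/doc/src/sgml/ref/truncate.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/truncate.sgml,v 1.27 2008/05/17 23:36:27 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/truncate.sgml,v 1.28 2008/09/08 00:47:40 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -97,7 +97,8 @@ TRUNCATE [ TABLE ] <replaceable class="PARAMETER">name</replaceable> [, ... ]
 <title>Notes</title>
 
 <para>
-Only the owner of a table can <command>TRUNCATE</> it.
+You must have the <literal>TRUNCATE</literal> privilege on a table
+to truncate it.
 </para>
 
 <para>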

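--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.39 2007/02/01 00:28:18 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/user-manag.sgml,v 1.40 2008/09/08 00:47:40 tgl Exp $ -->
 
 <chapter id="user-manag">
 <title>Database Roles and Privileges</title>
@@ -293,7 +293,7 @@ ALTER ROLE myname SET enable_indexscan TO off;
 granted.
 There are several different kinds of privilege: <literal>SELECT</>,
 <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
-<literal>REFERENCES</>, <literal>TRIGGER</>,
+<literal>TRUNCATE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
 <literal>CREATE</>, <literal>CONNECT</>, <literal>TEMPORARY</>,
 <literal>EXECUTE</>, and <literal>USAGE</>.
 For more information on the different types of privileges supported by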

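--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.147 2008/06/19 00:46:03 alvherre Exp $
+* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.148 2008/09/08 00:47:40 tgl Exp $
 *
 * NOTES
 * See acl.h.
@@ -1331,6 +1331,8 @@ string_to_privilege(const char *privname)
 returnACL_UPDATE;
 if (strcmp(privname,"delete")==0)
 returnACL_DELETE;
+if (strcmp(privname,"truncate")==0)
+returnACL_TRUNCATE;
 if (strcmp(privname,"references")==0)
 returnACL_REFERENCES;
 if (strcmp(privname,"trigger")==0)
@@ -1368,6 +1370,8 @@ privilege_to_string(AclMode privilege)
 return"UPDATE";
 caseACL_DELETE:
 return"DELETE";
+caseACL_TRUNCATE:
+return"TRUNCATE";
 caseACL_REFERENCES:
 return"REFERENCES";
 caseACL_TRIGGER:
@@ -1582,7 +1586,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
 * protected in this way. Assume the view rules can take care of
 * themselves.ACL_USAGE is if we ever have system sequences.
 */
-if ((mask& (ACL_INSERT |ACL_UPDATE |ACL_DELETE |ACL_USAGE))&&
+if ((mask& (ACL_INSERT |ACL_UPDATE |ACL_DELETE |ACL_TRUNCATE |ACL_USAGE))&&
 IsSystemClass(classForm)&&
 classForm->relkind!=RELKIND_VIEW&&
 !has_rolcatupdate(roleid)&&
@@ -1591,7 +1595,7 @@ pg_class_aclmask(Oid table_oid, Oid roleid,
 #ifdefACLDEBUG
 elog(DEBUG2,"permission denied for system catalog update");
 #endif
-mask &= ~(ACL_INSERT |ACL_UPDATE |ACL_DELETE |ACL_TRUNCATE |ACL_USAGE);
+mask &= ~(ACL_INSERT |ACL_UPDATE |ACL_DELETE |ACL_TRUNCATE |ACL_USAGE);
 }
 
 /*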
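Review bot: The catalog-protection block in pg_class_aclmask now strips ACL_TRUNCATE alongside the other modifying bits, which is the right call, but the explanatory comment that introduces that block starts outside this hunk, and the visible tail ("protected in this way ... ACL_USAGE is if we ever have system sequences") suggests it enumerates the bits being masked; if so it should mention TRUNCATE too, e.g. `* (INSERT/UPDATE/DELETE/TRUNCATE/USAGE) on system catalogs is refused unless the role has rolcatupdate`. The same mask literal is spelled out twice (the test and the `&= ~` clear), so a drift between the two lines would silently leave a bit unmasked; a single `#define`-style local constant or a named AclMode variable holding `ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE` would make that impossible. Only 12 of the 22 changed files are shown on this page, so I cannot confirm here that acl.h's ACL_TRUNCATE definition and the ALL-rights mask for relations were updated in step; the grant.sgml hunk's `arwdDxt` suggests they were.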

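--- a/src/backend/catalog/information_schema.sql
+++ b/src/backend/catalog/information_schema.sql
@@ -4,7 +4,7 @@
 *
 * Copyright (c) 2003-2008, PostgreSQL Global Development Group
 *
-* $PostgreSQL: pgsql/src/backend/catalog/information_schema.sql,v 1.45 2008/07/18 03:32:52 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/catalog/information_schema.sql,v 1.46 2008/09/08 00:47:40 tgl Exp $
 */
 
 /*
@@ -1214,9 +1214,10 @@ CREATE VIEW role_table_grants AS
 pg_authid u_grantor,
 pg_authid g_grantee,
 (SELECT'SELECT'UNION ALL
-SELECT'DELETE'UNION ALL
 SELECT'INSERT'UNION ALL
 SELECT'UPDATE'UNION ALL
+SELECT'DELETE'UNION ALL
+SELECT'TRUNCATE'UNION ALL
 SELECT'REFERENCES'UNION ALL
 SELECT'TRIGGER')AS pr (type)
 
@@ -1728,6 +1729,7 @@ CREATE VIEW table_constraints AS
 OR has_table_privilege(r.oid,'INSERT')
 OR has_table_privilege(r.oid,'UPDATE')
 OR has_table_privilege(r.oid,'DELETE')
+OR has_table_privilege(r.oid,'TRUNCATE')
 OR has_table_privilege(r.oid,'REFERENCES')
 OR has_table_privilege(r.oid,'TRIGGER') )
 
@@ -1761,6 +1763,7 @@ CREATE VIEW table_constraints AS
 OR has_table_privilege(r.oid,'INSERT')
 OR has_table_privilege(r.oid,'UPDATE')
 OR has_table_privilege(r.oid,'DELETE')
+OR has_table_privilege(r.oid,'TRUNCATE')
 OR has_table_privilege(r.oid,'REFERENCES')
 OR has_table_privilege(r.oid,'TRIGGER') );
 
@@ -1802,9 +1805,10 @@ CREATE VIEW table_privileges AS
 SELECT0::oid,'PUBLIC'
 )AS grantee (oid, rolname),
 (SELECT'SELECT'UNION ALL
-SELECT'DELETE'UNION ALL
 SELECT'INSERT'UNION ALL
 SELECT'UPDATE'UNION ALL
+SELECT'DELETE'UNION ALL
+SELECT'TRUNCATE'UNION ALL
 SELECT'REFERENCES'UNION ALL
 SELECT'TRIGGER')AS pr (type)
 
@@ -1861,6 +1865,7 @@ CREATE VIEW tables AS
 OR has_table_privilege(c.oid,'INSERT')
 OR has_table_privilege(c.oid,'UPDATE')
 OR has_table_privilege(c.oid,'DELETE')
+OR has_table_privilege(c.oid,'TRUNCATE')
 OR has_table_privilege(c.oid,'REFERENCES')
 OR has_table_privilege(c.oid,'TRIGGER') );
 
@@ -1982,6 +1987,7 @@ CREATE VIEW triggers AS
 OR has_table_privilege(c.oid,'INSERT')
 OR has_table_privilege(c.oid,'UPDATE')
 OR has_table_privilege(c.oid,'DELETE')
+OR has_table_privilege(c.oid,'TRUNCATE')
 OR has_table_privilege(c.oid,'REFERENCES')
 OR has_table_privilege(c.oid,'TRIGGER') );
 
@@ -2180,6 +2186,7 @@ CREATE VIEW views AS
 OR has_table_privilege(c.oid,'INSERT')
 OR has_table_privilege(c.oid,'UPDATE')
 OR has_table_privilege(c.oid,'DELETE')
+OR has_table_privilege(c.oid,'TRUNCATE')
 OR has_table_privilege(c.oid,'REFERENCES')
 OR has_table_privilege(c.oid,'TRIGGER') );
 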
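Review bot: Adding 'TRUNCATE' to the privilege-type lists in role_table_grants and table_privileges makes those standard views emit a privilege_type value that the SQL standard's information_schema does not define, and clients that validate or whitelist privilege_type against the standard list may now reject or skip those rows; the information_schema.sgml hunk documents the new value, but the view source itself gives no hint, so a one-line `-- TRUNCATE is a PostgreSQL extension to the standard privilege_type list` above each `(SELECT 'SELECT' UNION ALL` would save the next maintainer from "fixing" it away. The two lists and the six has_table_privilege OR-chains are now the seventh hand-maintained copies of the same privilege set; if any other visible-table predicate in this file was missed, a table reachable only via TRUNCATE would be invisible in the schema views, which I cannot rule out from these hunks alone. Moving 'DELETE' after 'UPDATE' changes the physical row order of an unordered view, which is harmless but worth noting in the commit message so test expectations that relied on it are updated deliberately.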

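--- a/src/backend/commands/lockcmds.c
+++ b/src/backend/commands/lockcmds.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/lockcmds.c,v 1.18 2008/06/19 00:46:04 alvherre Exp $
+* $PostgreSQL: pgsql/src/backend/commands/lockcmds.c,v 1.19 2008/09/08 00:47:40 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -54,7 +54,7 @@ LockTableCommand(LockStmt *lockstmt)
 ACL_SELECT);
 else
 aclresult=pg_class_aclcheck(reloid,GetUserId(),
-ACL_UPDATE |ACL_DELETE);
+ACL_UPDATE |ACL_DELETE |ACL_TRUNCATE);
 
 if (aclresult!=ACLCHECK_OK)
 aclcheck_error(aclresult,ACL_KIND_CLASS,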
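Review bot: The widened mask `ACL_UPDATE |ACL_DELETE |ACL_TRUNCATE` is only correct under the "at least one of" semantics that the lock.sgml hunk now promises, and nothing on this line says whether pg_class_aclcheck treats a multi-bit mask as any-of or all-of; a short comment such as `/* any one of these modifying privileges suffices for a non-share lock */` would make the intent explicit and let a reader check it against pg_class_aclmask rather than guess. From a least-privilege standpoint this is the first place a role holding only TRUNCATE gains the ability to take an ACCESS EXCLUSIVE lock and block all other access to the table, which matches what DELETE already allowed but is worth stating in the commit message since TRUNCATE will likely be granted to batch/ETL roles. LockTableCommand begins outside this hunk, so I cannot see how reloid is resolved or whether the same check is applied to every relation in the LOCK list.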

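--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/commands/tablecmds.c,v 1.265 2008/09/01 20:42:44 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/commands/tablecmds.c,v 1.266 2008/09/08 00:47:40 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -989,6 +989,8 @@ ExecuteTruncate(TruncateStmt *stmt)
 staticvoid
 truncate_check_rel(Relationrel)
 {
+AclResultaclresult;
+
 /* Only allow truncate on regular tables */
 if (rel->rd_rel->relkind!=RELKIND_RELATION)
 ereport(ERROR,
@@ -997,8 +999,10 @@ truncate_check_rel(Relation rel)
 RelationGetRelationName(rel))));
 
 /* Permissions checks */
-if (!pg_class_ownercheck(RelationGetRelid(rel),GetUserId()))
-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_CLASS,
+aclresult=pg_class_aclcheck(RelationGetRelid(rel),GetUserId(),
+ACL_TRUNCATE);
+if (aclresult!=ACLCHECK_OK)
+aclcheck_error(aclresult,ACL_KIND_CLASS,
 RelationGetRelationName(rel));
 
 if (!allowSystemTableMods&&IsSystemRelation(rel))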
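Review bot: The new pg_class_aclcheck call in truncate_check_rel is now the only gate that stands between a non-owner and emptying a table, so its security depends entirely on ExecuteTruncate invoking truncate_check_rel for every relation the statement touches, including any reached through CASCADE rather than named explicitly; that caller is outside the hunk, so I cannot confirm it here, and a comment on the check would pin the contract: `/* Permissions checks: every relation truncated, named or cascaded, must pass this ACL_TRUNCATE test */`. The ordering is sound as written, because the ACL test runs before the IsSystemRelation guard, so a caller without privilege gets the same permission-denied error for a catalog as for any other table. The function starts in the first hunk and continues past the last line shown.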
