NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitefa415d

committed

Refactor seclabel.c to use the new check_object_ownership function.

This avoids duplicate (and not-quite-matching) code, and makes the logicfor SECURITY LABEL match COMMENT and ALTER EXTENSION ADD/DROP.

1 parentb9cff97 commitefa415dCopy full SHA for efa415d

File tree

1 file changed

+18

-72

lines changed

src/backend/commands
- seclabel.c

1 file changed

+18

-72

lines changed

`‎src/backend/commands/seclabel.c`

Lines changed: 18 additions & 72 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,13 +26,6 @@`
`26`	`26`	`#include"utils/memutils.h"`
`27`	`27`	`#include"utils/tqual.h"`
`28`	`28`
`29`		`-/*`
`30`		`- * For most object types, the permissions-checking logic is simple enough`
`31`		`- * that it makes sense to just include it in CommentObject(). However,`
`32`		`- * attributes require a bit more checking.`
`33`		`- */`
`34`		`-staticvoidCheckAttributeSecLabel(Relationrelation);`
`35`		`-`
`36`	`29`	`typedefstruct`
`37`	`30`	`{`
`38`	`31`	`constchar*provider_name;`
`@@ -98,52 +91,30 @@ ExecSecLabelStmt(SecLabelStmt *stmt)`
`98`	`91`	`address=get_object_address(stmt->objtype,stmt->objname,stmt->objargs,`
`99`	`92`	`&relation,ShareUpdateExclusiveLock);`
`100`	`93`
`101`		`-/* Privilege and integrity checks. */`
	`94`	`+/* Require ownership of the target object. */`
	`95`	`+check_object_ownership(GetUserId(),stmt->objtype,address,`
	`96`	`+stmt->objname,stmt->objargs,relation);`
	`97`	`+`
	`98`	`+/* Perform other integrity checks as needed. */`
`102`	`99`	`switch (stmt->objtype)`
`103`	`100`	`{`
`104`		`-caseOBJECT_SEQUENCE:`
`105`		`-caseOBJECT_TABLE:`
`106`		`-caseOBJECT_VIEW:`
`107`		`-caseOBJECT_FOREIGN_TABLE:`
`108`		`-if (!pg_class_ownercheck(RelationGetRelid(relation),GetUserId()))`
`109`		`-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_CLASS,`
`110`		`-RelationGetRelationName(relation));`
`111`		`-break;`
`112`	`101`	`caseOBJECT_COLUMN:`
`113`		`-CheckAttributeSecLabel(relation);`
`114`		`-break;`
`115`		`-caseOBJECT_TYPE:`
`116`		`-if (!pg_type_ownercheck(address.objectId,GetUserId()))`
`117`		`-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_TYPE,`
`118`		`-format_type_be(address.objectId));`
`119`		`-break;`
`120`		`-caseOBJECT_AGGREGATE:`
`121`		`-caseOBJECT_FUNCTION:`
`122`		`-if (!pg_proc_ownercheck(address.objectId,GetUserId()))`
`123`		`-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_PROC,`
`124`		`-NameListToString(stmt->objname));`
`125`		`-break;`
`126`		`-caseOBJECT_SCHEMA:`
`127`		`-if (!pg_namespace_ownercheck(address.objectId,GetUserId()))`
`128`		`-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_NAMESPACE,`
`129`		`-strVal(linitial(stmt->objname)));`
`130`		`-break;`
`131`		`-caseOBJECT_LANGUAGE:`
`132`		`-if (!superuser())`
`133`		`-ereport(ERROR,`
`134`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`135`		`-errmsg("must be superuser to comment on procedural language")));`
`136`		`-break;`
`137`		`-caseOBJECT_LARGEOBJECT:`
`138`		`-if (!pg_largeobject_ownercheck(address.objectId,GetUserId()))`
	`102`	`+/*`
	`103`	`+ * Allow security labels only on columns of tables, views,`
	`104`	`+ * composite types, and foreign tables (which are the only`
	`105`	`+ * relkinds for which pg_dump will dump labels).`
	`106`	`+ */`
	`107`	`+if (relation->rd_rel->relkind!=RELKIND_RELATION&&`
	`108`	`+relation->rd_rel->relkind!=RELKIND_VIEW&&`
	`109`	`+relation->rd_rel->relkind!=RELKIND_COMPOSITE_TYPE&&`
	`110`	`+relation->rd_rel->relkind!=RELKIND_FOREIGN_TABLE)`
`139`	`111`	`ereport(ERROR,`
`140`		`-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
`141`		`-errmsg("must be owner of large object %u",`
`142`		`-address.objectId)));`
	`112`	`+(errcode(ERRCODE_WRONG_OBJECT_TYPE),`
	`113`	`+errmsg("\"%s\" is not a table, view, composite type, or foreign table",`
	`114`	`+RelationGetRelationName(relation))));`
`143`	`115`	`break;`
`144`	`116`	`default:`
`145`		`-elog(ERROR,"unrecognized object type: %d",`
`146`		`- (int)stmt->objtype);`
	`117`	`+break;`
`147`	`118`	`}`
`148`	`119`
`149`	`120`	`/* Provider gets control here, may throw ERROR to veto new label. */`
`@@ -352,31 +323,6 @@ DeleteSecurityLabel(const ObjectAddress *object)`
`352`	`323`	`heap_close(pg_seclabel,RowExclusiveLock);`
`353`	`324`	`}`
`354`	`325`
`355`		`-/*`
`356`		`- * Check whether the user is allowed to comment on an attribute of the`
`357`		`- * specified relation.`
`358`		`- */`
`359`		`-staticvoid`
`360`		`-CheckAttributeSecLabel(Relationrelation)`
`361`		`-{`
`362`		`-if (!pg_class_ownercheck(RelationGetRelid(relation),GetUserId()))`
`363`		`-aclcheck_error(ACLCHECK_NOT_OWNER,ACL_KIND_CLASS,`
`364`		`-RelationGetRelationName(relation));`
`365`		`-`
`366`		`-/*`
`367`		`- * Allow security labels only on columns of tables, views, and composite`
`368`		`- * types (which are the only relkinds for which pg_dump will dump labels).`
`369`		`- */`
`370`		`-if (relation->rd_rel->relkind!=RELKIND_RELATION&&`
`371`		`-relation->rd_rel->relkind!=RELKIND_VIEW&&`
`372`		`-relation->rd_rel->relkind!=RELKIND_COMPOSITE_TYPE&&`
`373`		`-relation->rd_rel->relkind!=RELKIND_FOREIGN_TABLE)`
`374`		`-ereport(ERROR,`
`375`		`-(errcode(ERRCODE_WRONG_OBJECT_TYPE),`
`376`		`-errmsg("\"%s\" is not a table, view, composite type, or foreign table",`
`377`		`-RelationGetRelationName(relation))));`
`378`		`-}`
`379`		`-`
`380`	`326`	`void`
`381`	`327`	`register_label_provider(constchar*provider_name,check_object_relabel_typehook)`
`382`	`328`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitefa415d

File tree

1 file changed

1 file changed

`‎src/backend/commands/seclabel.c`

0 commit comments