NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitfa26424

committed

Allow LOCK TABLE .. ROW EXCLUSIVE MODE with INSERT

INSERT acquires RowExclusiveLock during normal operation and thereforeit makes sense to allow LOCK TABLE .. ROW EXCLUSIVE MODE to be executedby users who have INSERT rights on a table (even if they don't haveUPDATE or DELETE).Not back-patching this as it's a behavior change which, strictlyspeaking, loosens security restrictions.Per discussion with Tom and Robert (circa 2013).

1 parent9d15292 commitfa26424Copy full SHA for fa26424

File tree

2 files changed

+13

-7

lines changed

doc/src/sgml/ref
- lock.sgml
src/backend/commands
- lockcmds.c

2 files changed

+13

-7

lines changed

`‎doc/src/sgml/ref/lock.sgml`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -161,9 +161,11 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="PARAMETER">name</replaceable> [ * ]`
`161`	`161`
`162`	`162`	`<para>`
`163`	`163`	`<literal>LOCK TABLE ... IN ACCESS SHARE MODE</> requires <literal>SELECT</>`
`164`		`- privileges on the target table. All other forms of <command>LOCK</>`
`165`		`- require table-level <literal>UPDATE</>, <literal>DELETE</>, or`
`166`		`- <literal>TRUNCATE</> privileges.`
	`164`	`+ privileges on the target table. <literal>LOCK TABLE ... IN ROW EXCLUSIVE`
	`165`	`+ MODE</> requires <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,`
	`166`	`+ or <literal>TRUNCATE</> privileges on the target table. All other forms of`
	`167`	`+ <command>LOCK</> require table-level <literal>UPDATE</>, <literal>DELETE</>,`
	`168`	`+ or <literal>TRUNCATE</> privileges.`
`167`	`169`	`</para>`
`168`	`170`
`169`	`171`	`<para>`

`‎src/backend/commands/lockcmds.c`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -169,13 +169,17 @@ static AclResult`
`169`	`169`	`LockTableAclCheck(Oidreloid,LOCKMODElockmode)`
`170`	`170`	`{`
`171`	`171`	`AclResultaclresult;`
	`172`	`+AclModeaclmask;`
`172`	`173`
`173`	`174`	`/* Verify adequate privilege */`
`174`	`175`	`if (lockmode==AccessShareLock)`
`175`		`-aclresult=pg_class_aclcheck(reloid,GetUserId(),`
`176`		`-ACL_SELECT);`
	`176`	`+aclmask=ACL_SELECT;`
	`177`	`+elseif (lockmode==RowExclusiveLock)`
	`178`	`+aclmask=ACL_INSERT \|ACL_UPDATE \|ACL_DELETE \|ACL_TRUNCATE;`
`177`	`179`	`else`
`178`		`-aclresult=pg_class_aclcheck(reloid,GetUserId(),`
`179`		`-ACL_UPDATE \|ACL_DELETE \|ACL_TRUNCATE);`
	`180`	`+aclmask=ACL_UPDATE \|ACL_DELETE \|ACL_TRUNCATE;`
	`181`	`+`
	`182`	`+aclresult=pg_class_aclcheck(reloid,GetUserId(),aclmask);`
	`183`	`+`
`180`	`184`	`returnaclresult;`
`181`	`185`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfa26424

File tree

2 files changed

2 files changed

`‎doc/src/sgml/ref/lock.sgml`

`‎src/backend/commands/lockcmds.c`

0 commit comments