| author | Tom Lane <tgl@sss.pgh.pa.us> | 2006-09-05 21:08:36 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2006-09-05 21:08:36 +0000 |
| commit | 7bae5a289c8fbe33aceb56f04e273eee2c1e7c39 (patch) | |
| tree | 6a682bb192d1966cc86ece22d51963fb86951f5d /src/include/utils/acl.h | |
| parent | d5eb52a511bda6a975cc59ec69dca1da38675bf4 (diff) | |
Get rid of the separate RULE privilege for tables: now only a table's owner
can create or modify rules for the table. Do setRuleCheckAsUser() while
loading rules into the relcache, rather than when defining a rule. This
ensures that permission checks for tables referenced in a rule are done with
respect to the current owner of the rule's table, whereas formerly ALTER TABLE
OWNER would fail to update the permission checking for associated rules.
Removal of separate RULE privilege is needed to prevent various scenarios
in which a grantee of RULE privilege could effectively have any privilege
of the table owner. For backwards compatibility, GRANT/REVOKE RULE is still
accepted, but it doesn't do anything. Per discussion here:
http://archives.postgresql.org/pgsql-hackers/2006-04/msg01138.php
Diffstat (limited to 'src/include/utils/acl.h')
| -rw-r--r-- | src/include/utils/acl.h | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 27aaf0dfbf..56226b4216 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.96 2006/05/03 22:45:26 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/utils/acl.h,v 1.97 2006/09/05 21:08:36 tgl Exp $
 *
 * NOTES
 * An ACL array is simply an array of AclItems, representing the union
@@ -128,7 +128,6 @@ typedef ArrayType Acl;
 #define ACL_SELECT_CHR 'r' /* formerly known as "read" */
 #define ACL_UPDATE_CHR 'w' /* formerly known as "write" */
 #define ACL_DELETE_CHR 'd'
-#define ACL_RULE_CHR 'R'
 #define ACL_REFERENCES_CHR 'x'
 #define ACL_TRIGGER_CHR 't'
 #define ACL_EXECUTE_CHR 'X'
@@ -143,7 +142,7 @@ typedef ArrayType Acl;
 /*
 * Bitmasks defining "all rights" for each supported object type
 */
-#define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_RULE|ACL_REFERENCES|ACL_TRIGGER)
+#define ACL_ALL_RIGHTS_RELATION (ACL_INSERT|ACL_SELECT|ACL_UPDATE|ACL_DELETE|ACL_REFERENCES|ACL_TRIGGER)
 #define ACL_ALL_RIGHTS_SEQUENCE (ACL_USAGE|ACL_SELECT|ACL_UPDATE)
 #define ACL_ALL_RIGHTS_DATABASE (ACL_CREATE|ACL_CREATE_TEMP|ACL_CONNECT)
 #define ACL_ALL_RIGHTS_FUNCTION (ACL_EXECUTE)
|
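Review bot: The narrowed `ACL_ALL_RIGHTS_RELATION` mask in the last hunk carries no comment recording that a RULE right used to be part of it, so a reader of this header cannot tell how ACLs already stored with that bit set, or aclitem text containing the retired letter `R` (dropped from the `_CHR` list in the preceding hunk), are meant to be treated. Whether the parsing and privilege-check code ignores, strips or rejects those values is not visible here and should be confirmed in the .c side of the commit, since the commit message promises that GRANT/REVOKE RULE is still accepted. I would add a short comment above the define, for example `/* RULE is no longer a table privilege (only the owner may define rules); its letter must not be reused without handling old ACL strings */`. The surrounding block of defines continues outside the hunk.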
