diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2006-09-05 21:08:36 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2006-09-05 21:08:36 +0000 |
| commit | 7bae5a289c8fbe33aceb56f04e273eee2c1e7c39 (patch) | |
| tree | 6a682bb192d1966cc86ece22d51963fb86951f5d /src/test/regress/sql/privileges.sql | |
| parent | d5eb52a511bda6a975cc59ec69dca1da38675bf4 (diff) | |
| download | postgresql-7bae5a289c8fbe33aceb56f04e273eee2c1e7c39.tar.gz | |
Get rid of the separate RULE privilege for tables: now only a table's owner
can create or modify rules for the table. Do setRuleCheckAsUser() while
loading rules into the relcache, rather than when defining a rule. This
ensures that permission checks for tables referenced in a rule are done with
respect to the current owner of the rule's table, whereas formerly ALTER TABLE
OWNER would fail to update the permission checking for associated rules.
Removal of separate RULE privilege is needed to prevent various scenarios
in which a grantee of RULE privilege could effectively have any privilege
of the table owner. For backwards compatibility, GRANT/REVOKE RULE is still
accepted, but it doesn't do anything. Per discussion here:
http://archives.postgresql.org/pgsql-hackers/2006-04/msg01138.php
Diffstat (limited to 'src/test/regress/sql/privileges.sql')
| -rw-r--r-- | src/test/regress/sql/privileges.sql | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql index 3b96abe87e..4c0d9c43f2 100644 --- a/src/test/regress/sql/privileges.sql +++ b/src/test/regress/sql/privileges.sql @@ -214,7 +214,7 @@ select has_table_privilege('pg_shad','select'); select has_table_privilege('nosuchuser','pg_authid','select'); select has_table_privilege('pg_authid','sel'); select has_table_privilege(-999999,'pg_authid','update'); -select has_table_privilege(1,'rule'); +select has_table_privilege(1,'select'); -- superuser \c - @@ -227,6 +227,8 @@ from (select oid from pg_roles where rolname = current_user) as t2; select has_table_privilege(t2.oid,'pg_authid','delete') from (select oid from pg_roles where rolname = current_user) as t2; +-- 'rule' privilege no longer exists, but for backwards compatibility +-- has_table_privilege still recognizes the keyword and says FALSE select has_table_privilege(current_user,t1.oid,'rule') from (select oid from pg_class where relname = 'pg_authid') as t1; select has_table_privilege(current_user,t1.oid,'references') @@ -258,8 +260,6 @@ from (select oid from pg_roles where rolname = current_user) as t2; select has_table_privilege(t2.oid,'pg_class','delete') from (select oid from pg_roles where rolname = current_user) as t2; -select has_table_privilege(current_user,t1.oid,'rule') -from (select oid from pg_class where relname = 'pg_class') as t1; select has_table_privilege(current_user,t1.oid,'references') from (select oid from pg_class where relname = 'pg_class') as t1; @@ -286,8 +286,6 @@ from (select oid from pg_roles where rolname = current_user) as t2; select has_table_privilege(t2.oid,'atest1','delete') from (select oid from pg_roles where rolname = current_user) as t2; -select has_table_privilege(current_user,t1.oid,'rule') -from (select oid from pg_class where relname = 'atest1') as t1; select has_table_privilege(current_user,t1.oid,'references') from (select oid from pg_class where relname = 'atest1') as t1; |