Skip to content

Commit 0eaa36a

Browse files
tglsfdctglsfdc
committed
Bring syntax of role-related commands into SQL compliance. To avoid
syntactic conflicts, both privilege and role GRANT/REVOKE commands have to use the same production for scanning the list of tokens that might eventually turn out to be privileges or role names. So, change the existing GRANT/REVOKE code to expect a list of strings not pre-reduced AclMode values. Fix a couple other minor issues while at it, such as InitializeAcl function name conflicting with a Windows system function.
1 parent 88b49cd commit 0eaa36a

File tree

11 files changed

+344
-316
lines changed

11 files changed

+344
-316
lines changed

src/backend/catalog/aclchk.c

Lines changed: 53 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.113 2005/06/28 05:08:52 tgl Exp $
11+
* $PostgreSQL: pgsql/src/backend/catalog/aclchk.c,v 1.114 2005/06/28 19:51:21 tgl Exp $
1212
*
1313
* NOTES
1414
* See acl.h.
@@ -47,6 +47,7 @@ static void ExecuteGrantStmt_Language(GrantStmt *stmt);
4747
static void ExecuteGrantStmt_Namespace(GrantStmt *stmt);
4848
static void ExecuteGrantStmt_Tablespace(GrantStmt *stmt);
4949

50+
static AclMode string_to_privilege(const char *privname);
5051
static const char *privilege_to_string(AclMode privilege);
5152

5253

@@ -209,7 +210,7 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
209210
bool all_privs;
210211
ListCell *i;
211212

212-
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
213+
if (stmt->privileges == NIL)
213214
{
214215
all_privs = true;
215216
privileges = ACL_ALL_RIGHTS_RELATION;
@@ -220,7 +221,8 @@ ExecuteGrantStmt_Relation(GrantStmt *stmt)
220221
privileges = ACL_NO_RIGHTS;
221222
foreach(i, stmt->privileges)
222223
{
223-
AclMode priv = lfirst_int(i);
224+
char *privname = strVal(lfirst(i));
225+
AclMode priv = string_to_privilege(privname);
224226

225227
if (priv & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
226228
ereport(ERROR,
@@ -377,7 +379,7 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
377379
bool all_privs;
378380
ListCell *i;
379381

380-
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
382+
if (stmt->privileges == NIL)
381383
{
382384
all_privs = true;
383385
privileges = ACL_ALL_RIGHTS_DATABASE;
@@ -388,7 +390,8 @@ ExecuteGrantStmt_Database(GrantStmt *stmt)
388390
privileges = ACL_NO_RIGHTS;
389391
foreach(i, stmt->privileges)
390392
{
391-
AclMode priv = lfirst_int(i);
393+
char *privname = strVal(lfirst(i));
394+
AclMode priv = string_to_privilege(privname);
392395

393396
if (priv & ~((AclMode) ACL_ALL_RIGHTS_DATABASE))
394397
ereport(ERROR,
@@ -535,7 +538,7 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
535538
bool all_privs;
536539
ListCell *i;
537540

538-
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
541+
if (stmt->privileges == NIL)
539542
{
540543
all_privs = true;
541544
privileges = ACL_ALL_RIGHTS_FUNCTION;
@@ -546,7 +549,8 @@ ExecuteGrantStmt_Function(GrantStmt *stmt)
546549
privileges = ACL_NO_RIGHTS;
547550
foreach(i, stmt->privileges)
548551
{
549-
AclMode priv = lfirst_int(i);
552+
char *privname = strVal(lfirst(i));
553+
AclMode priv = string_to_privilege(privname);
550554

551555
if (priv & ~((AclMode) ACL_ALL_RIGHTS_FUNCTION))
552556
ereport(ERROR,
@@ -689,7 +693,7 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
689693
bool all_privs;
690694
ListCell *i;
691695

692-
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
696+
if (stmt->privileges == NIL)
693697
{
694698
all_privs = true;
695699
privileges = ACL_ALL_RIGHTS_LANGUAGE;
@@ -700,7 +704,8 @@ ExecuteGrantStmt_Language(GrantStmt *stmt)
700704
privileges = ACL_NO_RIGHTS;
701705
foreach(i, stmt->privileges)
702706
{
703-
AclMode priv = lfirst_int(i);
707+
char *privname = strVal(lfirst(i));
708+
AclMode priv = string_to_privilege(privname);
704709

705710
if (priv & ~((AclMode) ACL_ALL_RIGHTS_LANGUAGE))
706711
ereport(ERROR,
@@ -852,7 +857,7 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
852857
bool all_privs;
853858
ListCell *i;
854859

855-
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
860+
if (stmt->privileges == NIL)
856861
{
857862
all_privs = true;
858863
privileges = ACL_ALL_RIGHTS_NAMESPACE;
@@ -863,7 +868,8 @@ ExecuteGrantStmt_Namespace(GrantStmt *stmt)
863868
privileges = ACL_NO_RIGHTS;
864869
foreach(i, stmt->privileges)
865870
{
866-
AclMode priv = lfirst_int(i);
871+
char *privname = strVal(lfirst(i));
872+
AclMode priv = string_to_privilege(privname);
867873

868874
if (priv & ~((AclMode) ACL_ALL_RIGHTS_NAMESPACE))
869875
ereport(ERROR,
@@ -1006,7 +1012,7 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
10061012
bool all_privs;
10071013
ListCell *i;
10081014

1009-
if (linitial_int(stmt->privileges) == ACL_ALL_RIGHTS)
1015+
if (stmt->privileges == NIL)
10101016
{
10111017
all_privs = true;
10121018
privileges = ACL_ALL_RIGHTS_TABLESPACE;
@@ -1017,7 +1023,8 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
10171023
privileges = ACL_NO_RIGHTS;
10181024
foreach(i, stmt->privileges)
10191025
{
1020-
AclMode priv = lfirst_int(i);
1026+
char *privname = strVal(lfirst(i));
1027+
AclMode priv = string_to_privilege(privname);
10211028

10221029
if (priv & ~((AclMode) ACL_ALL_RIGHTS_TABLESPACE))
10231030
ereport(ERROR,
@@ -1157,6 +1164,39 @@ ExecuteGrantStmt_Tablespace(GrantStmt *stmt)
11571164
}
11581165

11591166

1167+
static AclMode
1168+
string_to_privilege(const char *privname)
1169+
{
1170+
if (strcmp(privname, "insert") == 0)
1171+
return ACL_INSERT;
1172+
if (strcmp(privname, "select") == 0)
1173+
return ACL_SELECT;
1174+
if (strcmp(privname, "update") == 0)
1175+
return ACL_UPDATE;
1176+
if (strcmp(privname, "delete") == 0)
1177+
return ACL_DELETE;
1178+
if (strcmp(privname, "rule") == 0)
1179+
return ACL_RULE;
1180+
if (strcmp(privname, "references") == 0)
1181+
return ACL_REFERENCES;
1182+
if (strcmp(privname, "trigger") == 0)
1183+
return ACL_TRIGGER;
1184+
if (strcmp(privname, "execute") == 0)
1185+
return ACL_EXECUTE;
1186+
if (strcmp(privname, "usage") == 0)
1187+
return ACL_USAGE;
1188+
if (strcmp(privname, "create") == 0)
1189+
return ACL_CREATE;
1190+
if (strcmp(privname, "temporary") == 0)
1191+
return ACL_CREATE_TEMP;
1192+
if (strcmp(privname, "temp") == 0)
1193+
return ACL_CREATE_TEMP;
1194+
ereport(ERROR,
1195+
(errcode(ERRCODE_SYNTAX_ERROR),
1196+
errmsg("unrecognized privilege type \"%s\"", privname)));
1197+
return 0; /* appease compiler */
1198+
}
1199+
11601200
static const char *
11611201
privilege_to_string(AclMode privilege)
11621202
{

src/backend/catalog/pg_proc.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/catalog/pg_proc.c,v 1.130 2005/06/28 05:08:52 tgl Exp $
11+
* $PostgreSQL: pgsql/src/backend/catalog/pg_proc.c,v 1.131 2005/06/28 19:51:21 tgl Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -266,7 +266,7 @@ ProcedureCreate(const char *procedureName,
266266
(errcode(ERRCODE_DUPLICATE_FUNCTION),
267267
errmsg("function \"%s\" already exists with same argument types",
268268
procedureName)));
269-
if (GetUserId() != oldproc->proowner && !superuser())
269+
if (!pg_proc_ownercheck(HeapTupleGetOid(oldtup), GetUserId()))
270270
aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
271271
procedureName);
272272

src/backend/commands/user.c

Lines changed: 49 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
77
* Portions Copyright (c) 1994, Regents of the University of California
88
*
9-
* $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.152 2005/06/28 05:08:55 tgl Exp $
9+
* $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.153 2005/06/28 19:51:22 tgl Exp $
1010
*
1111
*-------------------------------------------------------------------------
1212
*/
@@ -61,16 +61,17 @@ CreateRole(CreateRoleStmt *stmt)
6161
bool createrole = false; /* Can this user create roles? */
6262
bool createdb = false; /* Can the user create databases? */
6363
bool canlogin = false; /* Can this user login? */
64-
List *roleElts = NIL; /* roles the user is a member of */
65-
List *rolememElts = NIL; /* roles which will be members of this role */
66-
char *validUntil = NULL; /* The time the login is valid
67-
* until */
64+
List *addroleto = NIL; /* roles to make this a member of */
65+
List *rolemembers = NIL; /* roles to be members of this role */
66+
List *adminmembers = NIL; /* roles to be admins of this role */
67+
char *validUntil = NULL; /* time the login is valid until */
6868
DefElem *dpassword = NULL;
6969
DefElem *dcreatedb = NULL;
7070
DefElem *dcreaterole = NULL;
7171
DefElem *dcanlogin = NULL;
72-
DefElem *droleElts = NULL;
73-
DefElem *drolememElts = NULL;
72+
DefElem *daddroleto = NULL;
73+
DefElem *drolemembers = NULL;
74+
DefElem *dadminmembers = NULL;
7475
DefElem *dvalidUntil = NULL;
7576

7677
/* Extract options from the statement node tree */
@@ -121,21 +122,29 @@ CreateRole(CreateRoleStmt *stmt)
121122
errmsg("conflicting or redundant options")));
122123
dcanlogin = defel;
123124
}
124-
else if (strcmp(defel->defname, "roleElts") == 0)
125+
else if (strcmp(defel->defname, "addroleto") == 0)
125126
{
126-
if (droleElts)
127+
if (daddroleto)
127128
ereport(ERROR,
128129
(errcode(ERRCODE_SYNTAX_ERROR),
129130
errmsg("conflicting or redundant options")));
130-
droleElts = defel;
131+
daddroleto = defel;
131132
}
132-
else if (strcmp(defel->defname, "rolememElts") == 0)
133+
else if (strcmp(defel->defname, "rolemembers") == 0)
133134
{
134-
if (drolememElts)
135+
if (drolemembers)
135136
ereport(ERROR,
136137
(errcode(ERRCODE_SYNTAX_ERROR),
137138
errmsg("conflicting or redundant options")));
138-
drolememElts = defel;
139+
drolemembers = defel;
140+
}
141+
else if (strcmp(defel->defname, "adminmembers") == 0)
142+
{
143+
if (dadminmembers)
144+
ereport(ERROR,
145+
(errcode(ERRCODE_SYNTAX_ERROR),
146+
errmsg("conflicting or redundant options")));
147+
dadminmembers = defel;
139148
}
140149
else if (strcmp(defel->defname, "validUntil") == 0)
141150
{
@@ -164,10 +173,12 @@ CreateRole(CreateRoleStmt *stmt)
164173
validUntil = strVal(dvalidUntil->arg);
165174
if (dpassword)
166175
password = strVal(dpassword->arg);
167-
if (droleElts)
168-
roleElts = (List *) droleElts->arg;
169-
if (drolememElts)
170-
rolememElts = (List *) drolememElts->arg;
176+
if (daddroleto)
177+
addroleto = (List *) daddroleto->arg;
178+
if (drolemembers)
179+
rolemembers = (List *) drolemembers->arg;
180+
if (dadminmembers)
181+
adminmembers = (List *) dadminmembers->arg;
171182

172183
/* Check some permissions first */
173184
if (!superuser())
@@ -257,7 +268,7 @@ CreateRole(CreateRoleStmt *stmt)
257268
/*
258269
* Add the new role to the specified existing roles.
259270
*/
260-
foreach(item, roleElts)
271+
foreach(item, addroleto)
261272
{
262273
char *oldrolename = strVal(lfirst(item));
263274
Oid oldroleid = get_roleid_checked(oldrolename);
@@ -269,10 +280,14 @@ CreateRole(CreateRoleStmt *stmt)
269280
}
270281

271282
/*
272-
* Add the specified members to this new role.
283+
* Add the specified members to this new role. adminmembers get the
284+
* admin option, rolemembers don't.
273285
*/
274286
AddRoleMems(stmt->role, roleid,
275-
rolememElts, roleNamesToIds(rolememElts),
287+
adminmembers, roleNamesToIds(adminmembers),
288+
GetUserId(), true);
289+
AddRoleMems(stmt->role, roleid,
290+
rolemembers, roleNamesToIds(rolemembers),
276291
GetUserId(), false);
277292

278293
/*
@@ -309,17 +324,14 @@ AlterRole(AlterRoleStmt *stmt)
309324
int createrole = -1; /* Can this user create roles? */
310325
int createdb = -1; /* Can the user create databases? */
311326
int canlogin = -1; /* Can this user login? */
312-
int adminopt = 0; /* Can this user grant this role to others? */
313-
List *rolememElts = NIL; /* The roles which will be added/removed to this role */
314-
char *validUntil = NULL; /* The time the login is valid
315-
* until */
327+
List *rolemembers = NIL; /* roles to be added/removed */
328+
char *validUntil = NULL; /* time the login is valid until */
316329
DefElem *dpassword = NULL;
317330
DefElem *dcreatedb = NULL;
318331
DefElem *dcreaterole = NULL;
319332
DefElem *dcanlogin = NULL;
320-
DefElem *dadminopt = NULL;
321333
DefElem *dvalidUntil = NULL;
322-
DefElem *drolememElts = NULL;
334+
DefElem *drolemembers = NULL;
323335
Oid roleid;
324336

325337
/* Extract options from the statement node tree */
@@ -365,14 +377,6 @@ AlterRole(AlterRoleStmt *stmt)
365377
errmsg("conflicting or redundant options")));
366378
dcanlogin = defel;
367379
}
368-
else if (strcmp(defel->defname, "adminopt") == 0)
369-
{
370-
if (dadminopt)
371-
ereport(ERROR,
372-
(errcode(ERRCODE_SYNTAX_ERROR),
373-
errmsg("conflicting or redundant options")));
374-
dadminopt = defel;
375-
}
376380
else if (strcmp(defel->defname, "validUntil") == 0)
377381
{
378382
if (dvalidUntil)
@@ -381,13 +385,14 @@ AlterRole(AlterRoleStmt *stmt)
381385
errmsg("conflicting or redundant options")));
382386
dvalidUntil = defel;
383387
}
384-
else if (strcmp(defel->defname, "rolememElts") == 0 && stmt->action != 0)
388+
else if (strcmp(defel->defname, "rolemembers") == 0 &&
389+
stmt->action != 0)
385390
{
386-
if (drolememElts)
391+
if (drolemembers)
387392
ereport(ERROR,
388393
(errcode(ERRCODE_SYNTAX_ERROR),
389394
errmsg("conflicting or redundant options")));
390-
drolememElts = defel;
395+
drolemembers = defel;
391396
}
392397
else
393398
elog(ERROR, "option \"%s\" not recognized",
@@ -404,14 +409,12 @@ AlterRole(AlterRoleStmt *stmt)
404409
}
405410
if (dcanlogin)
406411
canlogin = intVal(dcanlogin->arg);
407-
if (dadminopt)
408-
adminopt = intVal(dadminopt->arg);
409412
if (dvalidUntil)
410413
validUntil = strVal(dvalidUntil->arg);
411414
if (dpassword)
412415
password = strVal(dpassword->arg);
413-
if (drolememElts)
414-
rolememElts = (List *) drolememElts->arg;
416+
if (drolemembers)
417+
rolemembers = (List *) drolemembers->arg;
415418

416419
/* must be superuser or just want to change your own password */
417420
if (!superuser() &&
@@ -420,8 +423,7 @@ AlterRole(AlterRoleStmt *stmt)
420423
createdb < 0 &&
421424
canlogin < 0 &&
422425
!validUntil &&
423-
!rolememElts &&
424-
!adminopt &&
426+
!rolemembers &&
425427
password &&
426428
strcmp(GetUserNameFromId(GetUserId()), stmt->role) == 0))
427429
ereport(ERROR,
@@ -537,12 +539,12 @@ AlterRole(AlterRoleStmt *stmt)
537539

538540
if (stmt->action == +1) /* add members to role */
539541
AddRoleMems(stmt->role, roleid,
540-
rolememElts, roleNamesToIds(rolememElts),
541-
GetUserId(), adminopt);
542+
rolemembers, roleNamesToIds(rolemembers),
543+
GetUserId(), false);
542544
else if (stmt->action == -1) /* drop members from role */
543545
DelRoleMems(stmt->role, roleid,
544-
rolememElts, roleNamesToIds(rolememElts),
545-
adminopt);
546+
rolemembers, roleNamesToIds(rolemembers),
547+
false);
546548

547549
/*
548550
* Set flag to update flat auth file at commit.

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy