From 7967d10c5b49ccb82f67a0b80678a1a932bccdee Mon Sep 17 00:00:00 2001
From: Nathan Bossart
Date: Mon, 1 Jul 2024 11:47:40 -0500
Subject: [PATCH] Remove redundant privilege check from pg_sequences system view.

This commit adjusts pg_sequence_last_value() to return NULL instead of ERROR-ing for sequences for which the current user lacks privileges. This allows us to remove the call to has_sequence_privilege() in the definition of the pg_sequences system view. Bumps catversion.

Suggested-by: Michael Paquier
Reviewed-by: Michael Paquier, Tom Lane
Discussion: https://postgr.es/m/20240501005730.GA594666%40nathanxps13
---
 src/backend/catalog/system_views.sql | 6 +-----
 src/backend/commands/sequence.c | 12 ++++--------
 src/include/catalog/catversion.h | 2 +-
 src/test/regress/expected/rules.out | 5 +----
 4 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index efb29adeb39..19cabc9a47f 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -176,11 +176,7 @@ CREATE VIEW pg_sequences AS
 S.seqincrement AS increment_by,
 S.seqcycle AS cycle,
 S.seqcache AS cache_size,
- CASE
- WHEN has_sequence_privilege(C.oid, 'SELECT,USAGE'::text)
- THEN pg_sequence_last_value(C.oid)
- ELSE NULL
- END AS last_value
+ pg_sequence_last_value(C.oid) AS last_value
 FROM pg_sequence S JOIN pg_class C ON (C.oid = S.seqrelid)
 LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
 WHERE NOT pg_is_other_temp_schema(N.oid)
diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c
index b4ad19c0539..9f28d40466b 100644
--- a/src/backend/commands/sequence.c
+++ b/src/backend/commands/sequence.c
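Review bot: In the system_views.sql hunk, the `last_value` column of pg_sequences no longer shows any sign of being privilege-gated. With the CASE removed, the only thing that withholds the value from a role holding neither SELECT nor USAGE is the check inside pg_sequence_last_value(). A short comment on the column would keep a later edit from replacing the call with something that skips that check, for example `-- NULL unless the caller has SELECT or USAGE; enforced inside pg_sequence_last_value()`. The view definition starts and ends outside the hunk.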
@@ -1790,21 +1790,17 @@ pg_sequence_last_value(PG_FUNCTION_ARGS)
 /* open and lock sequence */
 init_sequence(relid, &elm, &seqrel);

- if (pg_class_aclcheck(relid, GetUserId(), ACL_SELECT | ACL_USAGE) != ACLCHECK_OK)
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("permission denied for sequence %s",
- RelationGetRelationName(seqrel))));
-
 /*
 * We return NULL for other sessions' temporary sequences. The
 * pg_sequences system view already filters those out, but this offers a
 * defense against ERRORs in case someone invokes this function directly.
 *
 * Also, for the benefit of the pg_sequences view, we return NULL for
- * unlogged sequences on standbys instead of throwing an error.
+ * unlogged sequences on standbys and for sequences for which the current
+ * user lacks privileges instead of throwing an error.
 */
- if (!RELATION_IS_OTHER_TEMP(seqrel) &&
+ if (pg_class_aclcheck(relid, GetUserId(), ACL_SELECT | ACL_USAGE) == ACLCHECK_OK &&
+ !RELATION_IS_OTHER_TEMP(seqrel) &&
 (RelationIsPermanent(seqrel) || !RecoveryInProgress()))
 {
 Buffer buf;
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index 7363a445fc4..969980afd69 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -57,6 +57,6 @@
 */

 /* yyyymmddN */
-#define CATALOG_VERSION_NO 202407011
+#define CATALOG_VERSION_NO 202407012

 #endif
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index e12ef4336a2..4c789279e5e 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
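Review bot: In the sequence.c hunk, the `pg_class_aclcheck(...) == ACLCHECK_OK` term added to the `if` is now the only privilege gate on last_value, for direct calls and for pg_sequences alike, yet the patch as shown adds no test for it. The one file touched under src/test is rules.out, which only records the view text. Unless an existing test already covers it, a regression case that revokes the privileges from a role and asserts `pg_sequence_last_value('seq'::regclass) IS NULL` for that role would pin the new behaviour (`seq` is a placeholder name). A direct caller can also no longer tell a denied read from the other NULL cases, which the comment above the `if` could state outright, e.g. `* NULL does not distinguish a denied read from the other cases listed here.` The function body starts before and continues after the hunk.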
@@ -1700,10 +1700,7 @@ pg_sequences| SELECT n.nspname AS schemaname,
 s.seqincrement AS increment_by,
 s.seqcycle AS cycle,
 s.seqcache AS cache_size,
- CASE
- WHEN has_sequence_privilege(c.oid, 'SELECT,USAGE'::text) THEN pg_sequence_last_value((c.oid)::regclass)
- ELSE NULL::bigint
- END AS last_value
+ pg_sequence_last_value((c.oid)::regclass) AS last_value
 FROM ((pg_sequence s
 JOIN pg_class c ON ((c.oid = s.seqrelid)))
 LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace)))