From 857661ba2eeb7ccde7dfc11659cb4c67748cb980 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 29 Apr 2002 22:28:19 +0000
Subject: [PATCH] Enforce EXECUTE privilege for aggregate functions.

---
 doc/src/sgml/ref/grant.sgml    |  3 ++-
 src/backend/executor/nodeAgg.c | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index 13e19042f50..1697f91929a 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.23 2002/04/22 19:17:40 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.24 2002/04/29 22:28:19 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -182,6 +182,7 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
        Allows the use of the specified function and the use of any
        operators that are implemented on top of the function.  This is
        the only type of privilege that is applicable to functions.
+       (This syntax works for aggregate functions, as well.)
       </para>
      </listitem>
     </varlistentry>
diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c
index 6ded8c5604a..60174546812 100644
--- a/src/backend/executor/nodeAgg.c
+++ b/src/backend/executor/nodeAgg.c
@@ -46,7 +46,7 @@
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/executor/nodeAgg.c,v 1.82 2002/04/16 23:08:10 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/executor/nodeAgg.c,v 1.83 2002/04/29 22:28:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -58,11 +58,13 @@
 #include "catalog/pg_operator.h"
 #include "executor/executor.h"
 #include "executor/nodeAgg.h"
+#include "miscadmin.h"
 #include "optimizer/clauses.h"
 #include "parser/parse_coerce.h"
 #include "parser/parse_expr.h"
 #include "parser/parse_oper.h"
 #include "parser/parse_type.h"
+#include "utils/acl.h"
 #include "utils/builtins.h"
 #include "utils/lsyscache.h"
 #include "utils/syscache.h"
@@ -843,6 +845,7 @@ ExecInitAgg(Agg *node, EState *estate, Plan *parent)
 		AggStatePerAgg peraggstate = &peragg[++aggno];
 		HeapTuple	aggTuple;
 		Form_pg_aggregate aggform;
+		AclResult	aclresult;
 		Oid			transfn_oid,
 					finalfn_oid;
 		Datum		textInitVal;
@@ -861,6 +864,12 @@ ExecInitAgg(Agg *node, EState *estate, Plan *parent)
 				 aggref->aggfnoid);
 		aggform = (Form_pg_aggregate) GETSTRUCT(aggTuple);
 
+		/* Check permission to call aggregate function */
+		aclresult = pg_proc_aclcheck(aggref->aggfnoid, GetUserId(),
+									 ACL_EXECUTE);
+		if (aclresult != ACLCHECK_OK)
+			aclcheck_error(aclresult, get_func_name(aggref->aggfnoid));
+
 		get_typlenbyval(aggref->aggtype,
 						&peraggstate->resulttypeLen,
 						&peraggstate->resulttypeByVal);