diff --git a/src/test/regress/expected/view_perms.out b/src/test/regress/expected/view_perms.out
new file mode 100644
index 00000000000..b2632c8dfdf
--- /dev/null
+++ b/src/test/regress/expected/view_perms.out
@@ -0,0 +1,101 @@
+QUERY: CREATE FUNCTION viewperms_nextid () RETURNS int4 AS '
+ SELECT max(usesysid) + 1 AS ret FROM pg_user;
+ ' LANGUAGE 'sql';
+QUERY: CREATE FUNCTION viewperms_testid () RETURNS oid AS '
+ SELECT oid(textin(int4out(usesysid))) FROM pg_user
+ WHERE usename = ''viewperms_testuser'';
+ ' LANGUAGE 'sql';
+QUERY: INSERT INTO pg_shadow VALUES (
+ 'viewperms_testuser',
+ viewperms_nextid(),
+ false, true, false, true,
+ NULL, NULL
+ );
+QUERY: CREATE TABLE viewperms_t1 (
+ a int4,
+ b text
+ );
+QUERY: CREATE TABLE viewperms_t2 (
+ a int4,
+ b text
+ );
+QUERY: INSERT INTO viewperms_t1 VALUES (1, 'one');
+QUERY: INSERT INTO viewperms_t1 VALUES (2, 'two');
+QUERY: INSERT INTO viewperms_t1 VALUES (3, 'three');
+QUERY: INSERT INTO viewperms_t2 VALUES (1, 'one');
+QUERY: INSERT INTO viewperms_t2 VALUES (2, 'two');
+QUERY: INSERT INTO viewperms_t2 VALUES (3, 'three');
+QUERY: CREATE VIEW viewperms_v1 AS SELECT * FROM viewperms_t1;
+QUERY: CREATE VIEW viewperms_v2 AS SELECT * FROM viewperms_t2;
+QUERY: CREATE VIEW viewperms_v3 AS SELECT * FROM viewperms_t1;
+QUERY: CREATE VIEW viewperms_v4 AS SELECT * FROM viewperms_t2;
+QUERY: CREATE VIEW viewperms_v5 AS SELECT * FROM viewperms_v1;
+QUERY: CREATE VIEW viewperms_v6 AS SELECT * FROM viewperms_v4;
+QUERY: CREATE VIEW viewperms_v7 AS SELECT * FROM viewperms_v2;
+QUERY: UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_t1';
+QUERY: UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_v3';
+QUERY: UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_v4';
+QUERY: UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_v7';
+QUERY: SELECT * FROM viewperms_v1;
+a|b
+-+-----
+1|one
+2|two
+3|three
+(3 rows)
+
+QUERY: SELECT * FROM viewperms_v2;
+a|b
+-+-----
+1|one
+2|two
+3|three
+(3 rows)
+
+QUERY: SELECT * FROM viewperms_v3;
+a|b
+-+-----
+1|one
+2|two
+3|three
+(3 rows)
+
+QUERY: SELECT * FROM viewperms_v4;
+ERROR: viewperms_t2: Permission denied.
+QUERY: SELECT * FROM viewperms_v5;
+a|b
+-+-----
+1|one
+2|two
+3|three
+(3 rows)
+
+QUERY: SELECT * FROM viewperms_v6;
+ERROR: viewperms_t2: Permission denied.
+QUERY: SELECT * FROM viewperms_v7;
+ERROR: viewperms_v2: Permission denied.
+QUERY: GRANT SELECT ON viewperms_v2 TO PUBLIC;
+QUERY: SELECT * FROM viewperms_v7;
+a|b
+-+-----
+1|one
+2|two
+3|three
+(3 rows)
+
+QUERY: DROP VIEW viewperms_v1;
+QUERY: DROP VIEW viewperms_v2;
+QUERY: DROP VIEW viewperms_v3;
+QUERY: DROP VIEW viewperms_v4;
+QUERY: DROP VIEW viewperms_v5;
+QUERY: DROP VIEW viewperms_v6;
+QUERY: DROP VIEW viewperms_v7;
+QUERY: DROP TABLE viewperms_t1;
+QUERY: DROP TABLE viewperms_t2;
+QUERY: DROP FUNCTION viewperms_nextid ();
+QUERY: DROP FUNCTION viewperms_testid ();
+QUERY: DELETE FROM pg_shadow WHERE usename = 'viewperms_testuser';
diff --git a/src/test/regress/sql/view_perms.sql b/src/test/regress/sql/view_perms.sql
new file mode 100644
index 00000000000..5a72e88a3a1
--- /dev/null
+++ b/src/test/regress/sql/view_perms.sql
@@ -0,0 +1,121 @@
+--
+-- Create a new user with the next unused usesysid
+--
+CREATE FUNCTION viewperms_nextid () RETURNS int4 AS '
+ SELECT max(usesysid) + 1 AS ret FROM pg_user;
+ ' LANGUAGE 'sql';
+
+CREATE FUNCTION viewperms_testid () RETURNS oid AS '
+ SELECT oid(textin(int4out(usesysid))) FROM pg_user
+ WHERE usename = ''viewperms_testuser'';
+ ' LANGUAGE 'sql';
+
+INSERT INTO pg_shadow VALUES (
+ 'viewperms_testuser',
+ viewperms_nextid(),
+ false, true, false, true,
+ NULL, NULL
+ );
+
+--
+-- Create tables and views
+--
+CREATE TABLE viewperms_t1 (
+ a int4,
+ b text
+ );
+
+CREATE TABLE viewperms_t2 (
+ a int4,
+ b text
+ );
+
+INSERT INTO viewperms_t1 VALUES (1, 'one');
+INSERT INTO viewperms_t1 VALUES (2, 'two');
+INSERT INTO viewperms_t1 VALUES (3, 'three');
+
+INSERT INTO viewperms_t2 VALUES (1, 'one');
+INSERT INTO viewperms_t2 VALUES (2, 'two');
+INSERT INTO viewperms_t2 VALUES (3, 'three');
+
+CREATE VIEW viewperms_v1 AS SELECT * FROM viewperms_t1;
+CREATE VIEW viewperms_v2 AS SELECT * FROM viewperms_t2;
+CREATE VIEW viewperms_v3 AS SELECT * FROM viewperms_t1;
+CREATE VIEW viewperms_v4 AS SELECT * FROM viewperms_t2;
+CREATE VIEW viewperms_v5 AS SELECT * FROM viewperms_v1;
+CREATE VIEW viewperms_v6 AS SELECT * FROM viewperms_v4;
+CREATE VIEW viewperms_v7 AS SELECT * FROM viewperms_v2;
+
+--
+-- Change ownership
+-- t1 tuser
+-- t2 pgslq
+-- v1 pgslq
+-- v2 pgslq
+-- v3 tuser
+-- v4 tuser
+-- v5 pgsql
+-- v6 pgsql
+-- v7 tuser
+--
+UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_t1';
+UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_v3';
+UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_v4';
+UPDATE pg_class SET relowner = viewperms_testid()
+ WHERE relname = 'viewperms_v7';
+
+--
+-- Now for the tests.
+--
+
+-- View v1 owner pgsql has access to t1 owned by tuser
+SELECT * FROM viewperms_v1;
+
+-- View v2 owner pgsql has access to t2 owned by pgsql (of cause)
+SELECT * FROM viewperms_v2;
+
+-- View v3 owner tuser has access to t1 owned by tuser
+SELECT * FROM viewperms_v3;
+
+-- View v4 owner tuser has NO access to t2 owned by pgsql
+-- MUST fail with permission denied
+SELECT * FROM viewperms_v4;
+
+-- v5 (pgsql) can access v2 (pgsql) can access t1 (tuser)
+SELECT * FROM viewperms_v5;
+
+-- v6 (pgsql) can access v4 (tuser) CANNOT access t2 (pgsql)
+SELECT * FROM viewperms_v6;
+
+-- v7 (tuser) CANNOT access v2 (pgsql) wanna access t2 (pgslq)
+SELECT * FROM viewperms_v7;
+
+GRANT SELECT ON viewperms_v2 TO PUBLIC;
+-- but now
+-- v7 (tuser) can access v2 (pgsql via grant) can access t2 (pgsql)
+SELECT * FROM viewperms_v7;
+
+--
+-- Tidy up - we remove the testuser below and we don't let
+-- objects lay around with bad owner reference
+--
+DROP VIEW viewperms_v1;
+DROP VIEW viewperms_v2;
+DROP VIEW viewperms_v3;
+DROP VIEW viewperms_v4;
+DROP VIEW viewperms_v5;
+DROP VIEW viewperms_v6;
+DROP VIEW viewperms_v7;
+DROP TABLE viewperms_t1;
+DROP TABLE viewperms_t2;
+DROP FUNCTION viewperms_nextid ();
+DROP FUNCTION viewperms_testid ();
+
+--
+-- Remove the testuser
+--
+DELETE FROM pg_shadow WHERE usename = 'viewperms_testuser';
+
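Review bot: The comment above `SELECT * FROM viewperms_v5;` describes the chain as v5 over v2 over t1, but v5 is created as `SELECT * FROM viewperms_v1`, so the case actually exercised is v5 (pgsql) over v1 (pgsql) over t1 (tuser); I would change it to `-- v5 (pgsql) can access v1 (pgsql) can access t1 (tuser)`. In a test whose purpose is to pin which owner's rights are checked at each level of view nesting, a wrong view name in the comment makes the expected result hard to audit. The owner is also spelled `pgslq` in the ownership table and in the v7 comment, which should read `pgsql`. Separately, every denied case depends on the test user not being a superuser, yet that is set only positionally by `false, true, false, true` in the `INSERT INTO pg_shadow VALUES (...)`; a one-line comment naming the flag columns in order would make that precondition visible (the catalog definition is not in this diff, so the order should be confirmed against it).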