Replace AclObjectKind with ObjectType
AclObjectKind was basically just another enumeration for object types, and we already have a preferred one for that. It's only used in aclcheck_error. By using ObjectType instead, we can also give some more precise error messages, for example "index" instead of "relation". Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
@ -30,14 +30,14 @@ SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- OK
|
||||
SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified'; -- fail
|
||||
ERROR: security label provider "unknown_seclabel" is not loaded
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified'; -- fail (not owner)
|
||||
ERROR: must be owner of relation dummy_seclabel_tbl2
|
||||
ERROR: must be owner of table dummy_seclabel_tbl2
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret'; -- fail (not superuser)
|
||||
ERROR: only superuser can set 'secret' label
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified'; -- fail (not found)
|
||||
ERROR: relation "dummy_seclabel_tbl3" does not exist
|
||||
SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'unclassified'; -- fail
|
||||
ERROR: must be owner of relation dummy_seclabel_tbl1
|
||||
ERROR: must be owner of table dummy_seclabel_tbl1
|
||||
SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified'; -- OK
|
||||
--
|
||||
-- Test for shared database object
|
||||
|
@ -1,5 +1,12 @@
|
||||
--
|
||||
-- ALTER_TABLE
|
||||
--
|
||||
-- Clean up in case a prior regression run failed
|
||||
SET client_min_messages TO 'warning';
|
||||
DROP ROLE IF EXISTS regress_alter_user1;
|
||||
RESET client_min_messages;
|
||||
CREATE USER regress_alter_user1;
|
||||
--
|
||||
-- add attribute
|
||||
--
|
||||
CREATE TABLE tmp (initial int4);
|
||||
@ -209,9 +216,17 @@ ALTER INDEX IF EXISTS __tmp_onek_unique1 RENAME TO onek_unique1;
|
||||
NOTICE: relation "__tmp_onek_unique1" does not exist, skipping
|
||||
ALTER INDEX onek_unique1 RENAME TO tmp_onek_unique1;
|
||||
ALTER INDEX tmp_onek_unique1 RENAME TO onek_unique1;
|
||||
SET ROLE regress_alter_user1;
|
||||
ALTER INDEX onek_unique1 RENAME TO fail; -- permission denied
|
||||
ERROR: must be owner of index onek_unique1
|
||||
RESET ROLE;
|
||||
-- renaming views
|
||||
CREATE VIEW tmp_view (unique1) AS SELECT unique1 FROM tenk1;
|
||||
ALTER TABLE tmp_view RENAME TO tmp_view_new;
|
||||
SET ROLE regress_alter_user1;
|
||||
ALTER VIEW tmp_view_new RENAME TO fail; -- permission denied
|
||||
ERROR: must be owner of view tmp_view_new
|
||||
RESET ROLE;
|
||||
-- hack to ensure we get an indexscan here
|
||||
set enable_seqscan to off;
|
||||
set enable_bitmapscan to off;
|
||||
@ -3364,7 +3379,7 @@ CREATE TABLE owned_by_me (
|
||||
a int
|
||||
) PARTITION BY LIST (a);
|
||||
ALTER TABLE owned_by_me ATTACH PARTITION not_owned_by_me FOR VALUES IN (1);
|
||||
ERROR: must be owner of relation not_owned_by_me
|
||||
ERROR: must be owner of table not_owned_by_me
|
||||
RESET SESSION AUTHORIZATION;
|
||||
DROP TABLE owned_by_me, not_owned_by_me;
|
||||
DROP ROLE regress_test_not_me;
|
||||
@ -3883,3 +3898,4 @@ ALTER TABLE tmp ALTER COLUMN i SET (n_distinct = 1, n_distinct_inherited = 2);
|
||||
ALTER TABLE tmp ALTER COLUMN i RESET (n_distinct_inherited);
|
||||
ANALYZE tmp;
|
||||
DROP TABLE tmp;
|
||||
DROP USER regress_alter_user1;
|
||||
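Review bot: `CREATE USER regress_alter_user1;` in the setup at the top of this file creates a role with the LOGIN attribute, yet the visible tests only ever reach that role through `SET ROLE regress_alter_user1;`. A plain `CREATE ROLE regress_alter_user1;` is enough for the two ownership checks (index rename, view rename) and follows least privilege. As written, a run that aborts before the final `DROP USER regress_alter_user1;` leaves a login-capable role with no password in the cluster until the next run's `DROP ROLE IF EXISTS` removes it.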
|
@ -521,12 +521,12 @@ RESET SESSION AUTHORIZATION;
|
||||
SET SESSION AUTHORIZATION regress_rls_copy_user_colperms;
|
||||
-- attempt all columns (should fail)
|
||||
COPY rls_t1 TO stdout;
|
||||
ERROR: permission denied for relation rls_t1
|
||||
ERROR: permission denied for table rls_t1
|
||||
COPY rls_t1 (a, b, c) TO stdout;
|
||||
ERROR: permission denied for relation rls_t1
|
||||
ERROR: permission denied for table rls_t1
|
||||
-- try to copy column with no privileges (should fail)
|
||||
COPY rls_t1 (c) TO stdout;
|
||||
ERROR: permission denied for relation rls_t1
|
||||
ERROR: permission denied for table rls_t1
|
||||
-- subset of columns (should succeed)
|
||||
COPY rls_t1 (a) TO stdout;
|
||||
2
|
||||
|
@ -82,7 +82,7 @@ GRANT INSERT ON cp_test TO regress_user1;
|
||||
REVOKE EXECUTE ON PROCEDURE ptest1(text) FROM PUBLIC;
|
||||
SET ROLE regress_user1;
|
||||
CALL ptest1('a'); -- error
|
||||
ERROR: permission denied for function ptest1
|
||||
ERROR: permission denied for procedure ptest1
|
||||
RESET ROLE;
|
||||
GRANT EXECUTE ON PROCEDURE ptest1(text) TO regress_user1;
|
||||
SET ROLE regress_user1;
|
||||
|
@ -45,7 +45,7 @@ GRANT UPDATE ON TABLE lock_tbl1 TO regress_rol_lock1;
|
||||
SET ROLE regress_rol_lock1;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_tbl1 * IN ACCESS EXCLUSIVE MODE;
|
||||
ERROR: permission denied for relation lock_tbl2
|
||||
ERROR: permission denied for table lock_tbl2
|
||||
ROLLBACK;
|
||||
BEGIN;
|
||||
LOCK TABLE ONLY lock_tbl1;
|
||||
|
@ -92,11 +92,11 @@ SELECT * FROM atest2; -- ok
|
||||
|
||||
INSERT INTO atest1 VALUES (2, 'two'); -- ok
|
||||
INSERT INTO atest2 VALUES ('foo', true); -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
INSERT INTO atest1 SELECT 1, b FROM atest1; -- ok
|
||||
UPDATE atest1 SET a = 1 WHERE a = 2; -- ok
|
||||
UPDATE atest2 SET col2 = NOT col2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
SELECT * FROM atest1 FOR UPDATE; -- ok
|
||||
a | b
|
||||
---+-----
|
||||
@ -105,17 +105,17 @@ SELECT * FROM atest1 FOR UPDATE; -- ok
|
||||
(2 rows)
|
||||
|
||||
SELECT * FROM atest2 FOR UPDATE; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
DELETE FROM atest2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
TRUNCATE atest2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
BEGIN;
|
||||
LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
COMMIT;
|
||||
COPY atest2 FROM stdin; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
GRANT ALL ON atest1 TO PUBLIC; -- fail
|
||||
WARNING: no privileges were granted for "atest1"
|
||||
-- checks in subquery, both ok
|
||||
@ -144,37 +144,37 @@ SELECT * FROM atest1; -- ok
|
||||
(2 rows)
|
||||
|
||||
SELECT * FROM atest2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
INSERT INTO atest1 VALUES (2, 'two'); -- fail
|
||||
ERROR: permission denied for relation atest1
|
||||
ERROR: permission denied for table atest1
|
||||
INSERT INTO atest2 VALUES ('foo', true); -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
INSERT INTO atest1 SELECT 1, b FROM atest1; -- fail
|
||||
ERROR: permission denied for relation atest1
|
||||
ERROR: permission denied for table atest1
|
||||
UPDATE atest1 SET a = 1 WHERE a = 2; -- fail
|
||||
ERROR: permission denied for relation atest1
|
||||
ERROR: permission denied for table atest1
|
||||
UPDATE atest2 SET col2 = NULL; -- ok
|
||||
UPDATE atest2 SET col2 = NOT col2; -- fails; requires SELECT on atest2
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
UPDATE atest2 SET col2 = true FROM atest1 WHERE atest1.a = 5; -- ok
|
||||
SELECT * FROM atest1 FOR UPDATE; -- fail
|
||||
ERROR: permission denied for relation atest1
|
||||
ERROR: permission denied for table atest1
|
||||
SELECT * FROM atest2 FOR UPDATE; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
DELETE FROM atest2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
TRUNCATE atest2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
BEGIN;
|
||||
LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- ok
|
||||
COMMIT;
|
||||
COPY atest2 FROM stdin; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
-- checks in subquery, both fail
|
||||
SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) );
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
COPY atest2 FROM stdin; -- ok
|
||||
SELECT * FROM atest1; -- ok
|
||||
@ -234,7 +234,7 @@ CREATE OPERATOR >>> (procedure = leak2, leftarg = integer, rightarg = integer,
|
||||
restrict = scalargtsel);
|
||||
-- This should not show any "leak" notices before failing.
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0;
|
||||
ERROR: permission denied for relation atest12
|
||||
ERROR: permission denied for table atest12
|
||||
-- This plan should use hashjoin, as it will expect many rows to be selected.
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b;
|
||||
QUERY PLAN
|
||||
@ -287,7 +287,7 @@ CREATE TABLE atest3 (one int, two int, three int);
|
||||
GRANT DELETE ON atest3 TO GROUP regress_group2;
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
SELECT * FROM atest3; -- fail
|
||||
ERROR: permission denied for relation atest3
|
||||
ERROR: permission denied for table atest3
|
||||
DELETE FROM atest3; -- ok
|
||||
-- views
|
||||
SET SESSION AUTHORIZATION regress_user3;
|
||||
@ -305,7 +305,7 @@ SELECT * FROM atestv1; -- ok
|
||||
(2 rows)
|
||||
|
||||
SELECT * FROM atestv2; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
GRANT SELECT ON atestv1, atestv3 TO regress_user4;
|
||||
GRANT SELECT ON atestv2 TO regress_user2;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
@ -317,28 +317,28 @@ SELECT * FROM atestv1; -- ok
|
||||
(2 rows)
|
||||
|
||||
SELECT * FROM atestv2; -- fail
|
||||
ERROR: permission denied for relation atestv2
|
||||
ERROR: permission denied for view atestv2
|
||||
SELECT * FROM atestv3; -- ok
|
||||
one | two | three
|
||||
-----+-----+-------
|
||||
(0 rows)
|
||||
|
||||
SELECT * FROM atestv0; -- fail
|
||||
ERROR: permission denied for relation atestv0
|
||||
ERROR: permission denied for view atestv0
|
||||
-- Appendrels excluded by constraints failed to check permissions in 8.4-9.2.
|
||||
select * from
|
||||
((select a.q1 as x from int8_tbl a offset 0)
|
||||
union all
|
||||
(select b.q2 as x from int8_tbl b offset 0)) ss
|
||||
where false;
|
||||
ERROR: permission denied for relation int8_tbl
|
||||
ERROR: permission denied for table int8_tbl
|
||||
set constraint_exclusion = on;
|
||||
select * from
|
||||
((select a.q1 as x, random() from int8_tbl a where q1 > 0)
|
||||
union all
|
||||
(select b.q2 as x, random() from int8_tbl b where q2 > 0)) ss
|
||||
where x < 0;
|
||||
ERROR: permission denied for relation int8_tbl
|
||||
ERROR: permission denied for table int8_tbl
|
||||
reset constraint_exclusion;
|
||||
CREATE VIEW atestv4 AS SELECT * FROM atestv3; -- nested view
|
||||
SELECT * FROM atestv4; -- ok
|
||||
@ -350,7 +350,7 @@ GRANT SELECT ON atestv4 TO regress_user2;
|
||||
SET SESSION AUTHORIZATION regress_user2;
|
||||
-- Two complex cases:
|
||||
SELECT * FROM atestv3; -- fail
|
||||
ERROR: permission denied for relation atestv3
|
||||
ERROR: permission denied for view atestv3
|
||||
SELECT * FROM atestv4; -- ok (even though regress_user2 cannot access underlying atestv3)
|
||||
one | two | three
|
||||
-----+-----+-------
|
||||
@ -363,7 +363,7 @@ SELECT * FROM atest2; -- ok
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM atestv2; -- fail (even though regress_user2 can access underlying atest2)
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
-- Test column level permissions
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
CREATE TABLE atest5 (one int, two int unique, three int, four int unique);
|
||||
@ -373,7 +373,7 @@ GRANT ALL (one) ON atest5 TO regress_user3;
|
||||
INSERT INTO atest5 VALUES (1,2,3);
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
SELECT * FROM atest5; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT one FROM atest5; -- ok
|
||||
one
|
||||
-----
|
||||
@ -383,13 +383,13 @@ SELECT one FROM atest5; -- ok
|
||||
COPY atest5 (one) TO stdout; -- ok
|
||||
1
|
||||
SELECT two FROM atest5; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
COPY atest5 (two) TO stdout; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT atest5 FROM atest5; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
COPY atest5 (one,two) TO stdout; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT 1 FROM atest5; -- ok
|
||||
?column?
|
||||
----------
|
||||
@ -403,15 +403,15 @@ SELECT 1 FROM atest5 a JOIN atest5 b USING (one); -- ok
|
||||
(1 row)
|
||||
|
||||
SELECT 1 FROM atest5 a JOIN atest5 b USING (two); -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT 1 FROM atest5 a NATURAL JOIN atest5 b; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT (j.*) IS NULL FROM (atest5 a JOIN atest5 b USING (one)) j; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT 1 FROM atest5 WHERE two = 2; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT * FROM atest1, atest5; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT atest1.* FROM atest1, atest5; -- ok
|
||||
a | b
|
||||
---+-----
|
||||
@ -427,7 +427,7 @@ SELECT atest1.*,atest5.one FROM atest1, atest5; -- ok
|
||||
(2 rows)
|
||||
|
||||
SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.two); -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.one); -- ok
|
||||
a | b | one
|
||||
---+-----+-----
|
||||
@ -436,12 +436,12 @@ SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.one); -
|
||||
(2 rows)
|
||||
|
||||
SELECT one, two FROM atest5; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
GRANT SELECT (one,two) ON atest6 TO regress_user4;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
SELECT one, two FROM atest5 NATURAL JOIN atest6; -- fail still
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
GRANT SELECT (two) ON atest5 TO regress_user4;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
@ -453,23 +453,23 @@ SELECT one, two FROM atest5 NATURAL JOIN atest6; -- ok now
|
||||
-- test column-level privileges for INSERT and UPDATE
|
||||
INSERT INTO atest5 (two) VALUES (3); -- ok
|
||||
COPY atest5 FROM stdin; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
COPY atest5 (two) FROM stdin; -- ok
|
||||
INSERT INTO atest5 (three) VALUES (4); -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
INSERT INTO atest5 VALUES (5,5,5); -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
UPDATE atest5 SET three = 10; -- ok
|
||||
UPDATE atest5 SET one = 8; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
UPDATE atest5 SET three = 5, one = 2; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
-- Check that column level privs are enforced in RETURNING
|
||||
-- Ok.
|
||||
INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10;
|
||||
-- Error. No SELECT on column three.
|
||||
INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10 RETURNING atest5.three;
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
-- Ok. May SELECT on column "one":
|
||||
INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10 RETURNING atest5.one;
|
||||
one
|
||||
@ -482,21 +482,21 @@ INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = 10 RE
|
||||
INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = EXCLUDED.one;
|
||||
-- Error. No select rights on three
|
||||
INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set three = EXCLUDED.three;
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
INSERT INTO atest5(two) VALUES (6) ON CONFLICT (two) DO UPDATE set one = 8; -- fails (due to UPDATE)
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
INSERT INTO atest5(three) VALUES (4) ON CONFLICT (two) DO UPDATE set three = 10; -- fails (due to INSERT)
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
-- Check that the columns in the inference require select privileges
|
||||
INSERT INTO atest5(four) VALUES (4); -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
GRANT INSERT (four) ON atest5 TO regress_user4;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
INSERT INTO atest5(four) VALUES (4) ON CONFLICT (four) DO UPDATE set three = 3; -- fails (due to SELECT)
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
INSERT INTO atest5(four) VALUES (4) ON CONFLICT ON CONSTRAINT atest5_four_key DO UPDATE set three = 3; -- fails (due to SELECT)
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
INSERT INTO atest5(four) VALUES (4); -- ok
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
GRANT SELECT (four) ON atest5 TO regress_user4;
|
||||
@ -508,9 +508,9 @@ REVOKE ALL (one) ON atest5 FROM regress_user4;
|
||||
GRANT SELECT (one,two,blue) ON atest6 TO regress_user4;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
SELECT one FROM atest5; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
UPDATE atest5 SET one = 1; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SELECT atest6 FROM atest6; -- ok
|
||||
atest6
|
||||
--------
|
||||
@ -557,9 +557,9 @@ REVOKE ALL (one) ON atest5 FROM regress_user3;
|
||||
GRANT SELECT (one) ON atest5 TO regress_user4;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
SELECT atest6 FROM atest6; -- fail
|
||||
ERROR: permission denied for relation atest6
|
||||
ERROR: permission denied for table atest6
|
||||
SELECT one FROM atest5 NATURAL JOIN atest6; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
ALTER TABLE atest6 DROP COLUMN three;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
@ -578,12 +578,12 @@ ALTER TABLE atest6 DROP COLUMN two;
|
||||
REVOKE SELECT (one,blue) ON atest6 FROM regress_user4;
|
||||
SET SESSION AUTHORIZATION regress_user4;
|
||||
SELECT * FROM atest6; -- fail
|
||||
ERROR: permission denied for relation atest6
|
||||
ERROR: permission denied for table atest6
|
||||
SELECT 1 FROM atest6; -- fail
|
||||
ERROR: permission denied for relation atest6
|
||||
ERROR: permission denied for table atest6
|
||||
SET SESSION AUTHORIZATION regress_user3;
|
||||
DELETE FROM atest5 WHERE one = 1; -- fail
|
||||
ERROR: permission denied for relation atest5
|
||||
ERROR: permission denied for table atest5
|
||||
DELETE FROM atest5 WHERE two = 2; -- ok
|
||||
-- check inheritance cases
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
@ -614,7 +614,7 @@ SELECT oid FROM atestp2; -- ok
|
||||
(0 rows)
|
||||
|
||||
SELECT fy FROM atestc; -- fail
|
||||
ERROR: permission denied for relation atestc
|
||||
ERROR: permission denied for table atestc
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
GRANT SELECT(fy,oid) ON atestc TO regress_user2;
|
||||
SET SESSION AUTHORIZATION regress_user2;
|
||||
@ -694,11 +694,11 @@ SET SESSION AUTHORIZATION regress_user3;
|
||||
SELECT testfunc1(5); -- fail
|
||||
ERROR: permission denied for function testfunc1
|
||||
SELECT testagg1(x) FROM (VALUES (1), (2), (3)) _(x); -- fail
|
||||
ERROR: permission denied for function testagg1
|
||||
ERROR: permission denied for aggregate testagg1
|
||||
CALL testproc1(6); -- fail
|
||||
ERROR: permission denied for function testproc1
|
||||
ERROR: permission denied for procedure testproc1
|
||||
SELECT col1 FROM atest2 WHERE col2 = true; -- fail
|
||||
ERROR: permission denied for relation atest2
|
||||
ERROR: permission denied for table atest2
|
||||
SELECT testfunc4(true); -- ok
|
||||
testfunc4
|
||||
-----------
|
||||
@ -722,9 +722,9 @@ CALL testproc1(6); -- ok
|
||||
DROP FUNCTION testfunc1(int); -- fail
|
||||
ERROR: must be owner of function testfunc1
|
||||
DROP AGGREGATE testagg1(int); -- fail
|
||||
ERROR: must be owner of function testagg1
|
||||
ERROR: must be owner of aggregate testagg1
|
||||
DROP PROCEDURE testproc1(int); -- fail
|
||||
ERROR: must be owner of function testproc1
|
||||
ERROR: must be owner of procedure testproc1
|
||||
\c -
|
||||
DROP FUNCTION testfunc1(int); -- ok
|
||||
-- restore to sanity
|
||||
@ -849,7 +849,7 @@ DROP DOMAIN testdomain1; -- ok
|
||||
SET SESSION AUTHORIZATION regress_user5;
|
||||
TRUNCATE atest2; -- ok
|
||||
TRUNCATE atest3; -- fail
|
||||
ERROR: permission denied for relation atest3
|
||||
ERROR: permission denied for table atest3
|
||||
-- has_table_privilege function
|
||||
-- bad-input checks
|
||||
select has_table_privilege(NULL,'pg_authid','select');
|
||||
@ -1435,7 +1435,7 @@ SELECT * FROM pg_largeobject LIMIT 0;
|
||||
|
||||
SET SESSION AUTHORIZATION regress_user1;
|
||||
SELECT * FROM pg_largeobject LIMIT 0; -- to be denied
|
||||
ERROR: permission denied for relation pg_largeobject
|
||||
ERROR: permission denied for table pg_largeobject
|
||||
-- test default ACLs
|
||||
\c -
|
||||
CREATE SCHEMA testns;
|
||||
@ -1899,14 +1899,14 @@ GRANT SELECT ON lock_table TO regress_locktable_user;
|
||||
SET SESSION AUTHORIZATION regress_locktable_user;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should pass
|
||||
COMMIT;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
\c
|
||||
REVOKE SELECT ON lock_table FROM regress_locktable_user;
|
||||
@ -1918,11 +1918,11 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
|
||||
COMMIT;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
\c
|
||||
REVOKE INSERT ON lock_table FROM regress_locktable_user;
|
||||
@ -1934,7 +1934,7 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
|
||||
COMMIT;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
|
||||
@ -1949,7 +1949,7 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
|
||||
COMMIT;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
|
||||
@ -1964,7 +1964,7 @@ LOCK TABLE lock_table IN ROW EXCLUSIVE MODE; -- should pass
|
||||
COMMIT;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS SHARE MODE; -- should fail
|
||||
ERROR: permission denied for relation lock_table
|
||||
ERROR: permission denied for table lock_table
|
||||
ROLLBACK;
|
||||
BEGIN;
|
||||
LOCK TABLE lock_table IN ACCESS EXCLUSIVE MODE; -- should pass
|
||||
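Review bot: Nearly every denial in this file changes from `permission denied for relation …` to `… for table …` or `… for view …`, and neither the expected output nor the commit description marks that as a user-visible compatibility change. Log alerts, audit filters and client code that match the old message text will stop matching without raising any error of their own. I would add a sentence to the commit message or release notes along the lines of `Permission and ownership errors now name the specific object type instead of "relation"; match on SQLSTATE rather than message text.` The SQLSTATE is not shown in this output, so confirm against aclcheck_error that it is unchanged.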
|
@ -198,7 +198,7 @@ GRANT CREATE ON DATABASE regression TO regress_publication_user2;
|
||||
SET ROLE regress_publication_user2;
|
||||
CREATE PUBLICATION testpub2; -- ok
|
||||
ALTER PUBLICATION testpub2 ADD TABLE testpub_tbl1; -- fail
|
||||
ERROR: must be owner of relation testpub_tbl1
|
||||
ERROR: must be owner of table testpub_tbl1
|
||||
SET ROLE regress_publication_user;
|
||||
GRANT regress_publication_user TO regress_publication_user2;
|
||||
SET ROLE regress_publication_user2;
|
||||
|
@ -361,7 +361,7 @@ INSERT INTO document VALUES (100, 55, 1, 'regress_rls_dave', 'testing sorting of
|
||||
ERROR: new row violates row-level security policy "p2r" for table "document"
|
||||
-- only owner can change policies
|
||||
ALTER POLICY p1 ON document USING (true); --fail
|
||||
ERROR: must be owner of relation document
|
||||
ERROR: must be owner of table document
|
||||
DROP POLICY p1 ON document; --fail
|
||||
ERROR: must be owner of relation document
|
||||
SET SESSION AUTHORIZATION regress_rls_alice;
|
||||
@ -1192,7 +1192,7 @@ EXPLAIN (COSTS OFF) SELECT * FROM part_document WHERE f_leak(dtitle);
|
||||
|
||||
-- only owner can change policies
|
||||
ALTER POLICY pp1 ON part_document USING (true); --fail
|
||||
ERROR: must be owner of relation part_document
|
||||
ERROR: must be owner of table part_document
|
||||
DROP POLICY pp1 ON part_document; --fail
|
||||
ERROR: must be owner of relation part_document
|
||||
SET SESSION AUTHORIZATION regress_rls_alice;
|
||||
@ -2446,9 +2446,9 @@ EXPLAIN (COSTS OFF) SELECT * FROM rls_view;
|
||||
-- Query as role that is not the owner of the table or view without permissions.
|
||||
SET SESSION AUTHORIZATION regress_rls_carol;
|
||||
SELECT * FROM rls_view; --fail - permission denied.
|
||||
ERROR: permission denied for relation rls_view
|
||||
ERROR: permission denied for view rls_view
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM rls_view; --fail - permission denied.
|
||||
ERROR: permission denied for relation rls_view
|
||||
ERROR: permission denied for view rls_view
|
||||
-- Query as role that is not the owner of the table or view with permissions.
|
||||
SET SESSION AUTHORIZATION regress_rls_bob;
|
||||
GRANT SELECT ON rls_view TO regress_rls_carol;
|
||||
@ -3235,7 +3235,7 @@ COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail
|
||||
ERROR: query would be affected by row-level security policy for table "copy_t"
|
||||
SET row_security TO ON;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_t
|
||||
ERROR: permission denied for table copy_t
|
||||
-- Check COPY relation TO; keep it just one row to avoid reordering issues
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO ON;
|
||||
@ -3271,10 +3271,10 @@ COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET SESSION AUTHORIZATION regress_rls_carol;
|
||||
SET row_security TO OFF;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_rel_to
|
||||
ERROR: permission denied for table copy_rel_to
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_rel_to
|
||||
ERROR: permission denied for table copy_rel_to
|
||||
-- Check COPY FROM as Superuser/owner.
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO OFF;
|
||||
@ -3298,10 +3298,10 @@ COPY copy_t FROM STDIN; --ok
|
||||
SET SESSION AUTHORIZATION regress_rls_carol;
|
||||
SET row_security TO OFF;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
ERROR: permission denied for relation copy_t
|
||||
ERROR: permission denied for table copy_t
|
||||
SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
ERROR: permission denied for relation copy_t
|
||||
ERROR: permission denied for table copy_t
|
||||
RESET SESSION AUTHORIZATION;
|
||||
DROP TABLE copy_t;
|
||||
DROP TABLE copy_rel_to CASCADE;
|
||||
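Review bot: In the first two hunks of this file the `ALTER POLICY … USING (true)` failures now report `must be owner of table document` and `must be owner of table part_document`, while the `DROP POLICY` failures directly below them still report `must be owner of relation …` for the same tables. Both hunk headers give 7 lines before and after, which fits one replaced line each, so the DROP path appears to keep the old wording rather than having lost a line in rendering. If that is intended because DROP POLICY reaches its ownership check by a different route, a test comment such as `-- DROP POLICY still reports "relation" here` would stop the next reader from treating it as a missed case; otherwise that path should get the same object-type mapping. The code that emits the message is outside this page.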
|
@ -22,15 +22,15 @@ GRANT ALL ON SCHEMA selinto_schema TO public;
|
||||
SET SESSION AUTHORIZATION regress_selinto_user;
|
||||
SELECT * INTO TABLE selinto_schema.tmp1
|
||||
FROM pg_class WHERE relname like '%a%'; -- Error
|
||||
ERROR: permission denied for relation tmp1
|
||||
ERROR: permission denied for table tmp1
|
||||
SELECT oid AS clsoid, relname, relnatts + 10 AS x
|
||||
INTO selinto_schema.tmp2
|
||||
FROM pg_class WHERE relname like '%b%'; -- Error
|
||||
ERROR: permission denied for relation tmp2
|
||||
ERROR: permission denied for table tmp2
|
||||
CREATE TABLE selinto_schema.tmp3 (a,b,c)
|
||||
AS SELECT oid,relname,relacl FROM pg_class
|
||||
WHERE relname like '%c%'; -- Error
|
||||
ERROR: permission denied for relation tmp3
|
||||
ERROR: permission denied for table tmp3
|
||||
RESET SESSION AUTHORIZATION;
|
||||
ALTER DEFAULT PRIVILEGES FOR ROLE regress_selinto_user
|
||||
GRANT INSERT ON TABLES TO regress_selinto_user;
|
||||
|
@ -785,7 +785,7 @@ ROLLBACK;
|
||||
BEGIN;
|
||||
SET LOCAL SESSION AUTHORIZATION regress_seq_user;
|
||||
ALTER SEQUENCE sequence_test2 START WITH 1;
|
||||
ERROR: must be owner of relation sequence_test2
|
||||
ERROR: must be owner of sequence sequence_test2
|
||||
ROLLBACK;
|
||||
-- Sequences should get wiped out as well:
|
||||
DROP TABLE serialTest1, serialTest2;
|
||||
|
@ -990,26 +990,26 @@ SELECT * FROM rw_view2; -- ok
|
||||
(2 rows)
|
||||
|
||||
INSERT INTO base_tbl VALUES (3, 'Row 3', 3.0); -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
INSERT INTO rw_view1 VALUES ('Row 3', 3.0, 3); -- not allowed
|
||||
ERROR: permission denied for relation rw_view1
|
||||
ERROR: permission denied for view rw_view1
|
||||
INSERT INTO rw_view2 VALUES ('Row 3', 3.0, 3); -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
UPDATE base_tbl SET a=a, c=c; -- ok
|
||||
UPDATE base_tbl SET b=b; -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
UPDATE rw_view1 SET bb=bb, cc=cc; -- ok
|
||||
UPDATE rw_view1 SET aa=aa; -- not allowed
|
||||
ERROR: permission denied for relation rw_view1
|
||||
ERROR: permission denied for view rw_view1
|
||||
UPDATE rw_view2 SET aa=aa, cc=cc; -- ok
|
||||
UPDATE rw_view2 SET bb=bb; -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
DELETE FROM base_tbl; -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
DELETE FROM rw_view1; -- not allowed
|
||||
ERROR: permission denied for relation rw_view1
|
||||
ERROR: permission denied for view rw_view1
|
||||
DELETE FROM rw_view2; -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET SESSION AUTHORIZATION regress_view_user1;
|
||||
GRANT INSERT, DELETE ON base_tbl TO regress_view_user2;
|
||||
@ -1017,11 +1017,11 @@ RESET SESSION AUTHORIZATION;
|
||||
SET SESSION AUTHORIZATION regress_view_user2;
|
||||
INSERT INTO base_tbl VALUES (3, 'Row 3', 3.0); -- ok
|
||||
INSERT INTO rw_view1 VALUES ('Row 4', 4.0, 4); -- not allowed
|
||||
ERROR: permission denied for relation rw_view1
|
||||
ERROR: permission denied for view rw_view1
|
||||
INSERT INTO rw_view2 VALUES ('Row 4', 4.0, 4); -- ok
|
||||
DELETE FROM base_tbl WHERE a=1; -- ok
|
||||
DELETE FROM rw_view1 WHERE aa=2; -- not allowed
|
||||
ERROR: permission denied for relation rw_view1
|
||||
ERROR: permission denied for view rw_view1
|
||||
DELETE FROM rw_view2 WHERE aa=2; -- ok
|
||||
SELECT * FROM base_tbl;
|
||||
a | b | c
|
||||
@ -1037,15 +1037,15 @@ GRANT INSERT, DELETE ON rw_view1 TO regress_view_user2;
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET SESSION AUTHORIZATION regress_view_user2;
|
||||
INSERT INTO base_tbl VALUES (5, 'Row 5', 5.0); -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
INSERT INTO rw_view1 VALUES ('Row 5', 5.0, 5); -- ok
|
||||
INSERT INTO rw_view2 VALUES ('Row 6', 6.0, 6); -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
DELETE FROM base_tbl WHERE a=3; -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
DELETE FROM rw_view1 WHERE aa=3; -- ok
|
||||
DELETE FROM rw_view2 WHERE aa=4; -- not allowed
|
||||
ERROR: permission denied for relation base_tbl
|
||||
ERROR: permission denied for table base_tbl
|
||||
SELECT * FROM base_tbl;
|
||||
a | b | c
|
||||
---+-------+---
|
||||
|
@ -1,5 +1,15 @@
|
||||
--
|
||||
-- ALTER_TABLE
|
||||
--
|
||||
|
||||
-- Clean up in case a prior regression run failed
|
||||
SET client_min_messages TO 'warning';
|
||||
DROP ROLE IF EXISTS regress_alter_user1;
|
||||
RESET client_min_messages;
|
||||
|
||||
CREATE USER regress_alter_user1;
|
||||
|
||||
--
|
||||
-- add attribute
|
||||
--
|
||||
|
||||
@ -209,10 +219,19 @@ ALTER INDEX IF EXISTS __tmp_onek_unique1 RENAME TO onek_unique1;
|
||||
|
||||
ALTER INDEX onek_unique1 RENAME TO tmp_onek_unique1;
|
||||
ALTER INDEX tmp_onek_unique1 RENAME TO onek_unique1;
|
||||
|
||||
SET ROLE regress_alter_user1;
|
||||
ALTER INDEX onek_unique1 RENAME TO fail; -- permission denied
|
||||
RESET ROLE;
|
||||
|
||||
-- renaming views
|
||||
CREATE VIEW tmp_view (unique1) AS SELECT unique1 FROM tenk1;
|
||||
ALTER TABLE tmp_view RENAME TO tmp_view_new;
|
||||
|
||||
SET ROLE regress_alter_user1;
|
||||
ALTER VIEW tmp_view_new RENAME TO fail; -- permission denied
|
||||
RESET ROLE;
|
||||
|
||||
-- hack to ensure we get an indexscan here
|
||||
set enable_seqscan to off;
|
||||
set enable_bitmapscan to off;
|
||||
@ -2546,3 +2565,5 @@ ALTER TABLE tmp ALTER COLUMN i SET (n_distinct = 1, n_distinct_inherited = 2);
|
||||
ALTER TABLE tmp ALTER COLUMN i RESET (n_distinct_inherited);
|
||||
ANALYZE tmp;
|
||||
DROP TABLE tmp;
|
||||
|
||||
DROP USER regress_alter_user1;
|
||||
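Review bot: `CREATE USER regress_alter_user1;` in the first hunk of this file creates the role with LOGIN, yet the two new tests only reach it through `SET ROLE`, so `CREATE ROLE regress_alter_user1;` would give the same coverage without leaving a login-capable role behind if a run aborts before the final `DROP USER`. The cleanup block at the top of the file shows that an aborted run is an expected case. In the second hunk the trailing comments on the two `RENAME TO fail` statements say `-- permission denied`, but a rename is gated on ownership rather than on a granted privilege, so `-- fail (not owner)` would describe what is being tested. The matching expected-output file is not visible in this part of the page, so the exact error wording ("must be owner of index ..." / "must be owner of view ...", judging by the other outputs in this commit) should be confirmed against it.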
|