Do not treat a superuser as a member of every role for HBA purposes.

This makes it possible to use reject lines with group roles. Andrew Dunstan, reviewd by Robert Haas.
2025-07-28 23:42:10 +03:00 · 2011-11-03 12:45:02 -04:00
parent 3b06105c7d
commit 94cd0f1ad8
2 changed files with 11 additions and 3 deletions
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
 	if (!OidIsValid(roleid))
 		return false;			/* if target role not exist, say "no" */

-	/* See if user is directly or indirectly a member of role */
-	return is_member_of_role(userid, roleid);
+	/* 
+	 * See if user is directly or indirectly a member of role.
+	 * For this purpose, a superuser is not considered to be automatically
+	 * a member of the role, so group auth only applies to explicit
+	 * membership.
+	 */
+	return is_member_of_role_nosuper(userid, roleid);
 }

 /*