database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

Simplify permissions for LOCK TABLE.

Browse Source 
The prior behavior was confusing and hard to document. For instance,
if you had UPDATE privileges, you could lock a table in any lock mode
except ACCESS SHARE mode.

Now, if granted a privilege to lock at a given mode, one also has
privileges to lock at a less-conflicting mode. MAINTAIN, UPDATE,
DELETE, and TRUNCATE privileges allow any lock mode. INSERT privileges
allow ROW EXCLUSIVE (or below). SELECT privileges allow ACCESS SHARE.

Reviewed-by: Nathan Bossart
Discussion: https://postgr.es/m/9550c76535404a83156252b25a11babb4792ea1e.camel%40j-davis.com
This commit is contained in:
Jeff Davis
2023-01-13 14:14:54 -08:00
parent b7ae039536
commit c44f6334ca
4 changed files with 81 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
doc/src/sgml/ref/lock.sgml
View File

@ -165,18 +165,19 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="parameter">name</replaceable> [ * ]
<title>Notes</title>
<para>
To lock a table, one must ordinarily have the <literal>MAINTAIN</literal>
privilege on the table or be the table's owner, a superuser, or a role
with privileges of the
<link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
role. <literal>LOCK TABLE ... IN ACCESS SHARE MODE</literal> is allowed
with <literal>SELECT</literal> privileges on the target
table. <literal>LOCK TABLE ... IN ROW EXCLUSIVE MODE</literal> is allowed
with <literal>INSERT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>,
or <literal>TRUNCATE</literal> privileges on the target table. All other
forms of <command>LOCK</command> are allowed with
table-level <literal>UPDATE</literal>, <literal>DELETE</literal>,
or <literal>TRUNCATE</literal> privileges.
To lock a table, the user must have the right privilege for the specified
<replaceable class="parameter">lockmode</replaceable>, or be the table's
owner, a superuser, or a role with privileges of the <link
linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
role. If the user has <literal>MAINTAIN</literal>,
<literal>UPDATE</literal>, <literal>DELETE</literal>, or
<literal>TRUNCATE</literal> privileges on the table, any <replaceable
class="parameter">lockmode</replaceable> is permitted. If the user has
<literal>INSERT</literal> privileges on the table, <literal>ROW EXCLUSIVE
MODE</literal> (or a less-conflicting mode as described in <xref
linkend="explicit-locking"/>) is permitted. If a user has
<literal>SELECT</literal> privileges on the table, <literal>ACCESS SHARE
MODE</literal> is permitted.
</para>
<para>