diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c index 9202c358475..04095a8f0ee 100644 --- a/contrib/dblink/dblink.c +++ b/contrib/dblink/dblink.c @@ -2838,7 +2838,7 @@ get_connect_string(const char *servername) fdw = GetForeignDataWrapper(fdwid); /* Check permissions, user must have usage on the server. */ - aclresult = pg_foreign_server_aclcheck(serverid, userid, ACL_USAGE); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, userid, ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, foreign_server->servername); diff --git a/src/backend/access/common/tupdesc.c b/src/backend/access/common/tupdesc.c index b7f918c877b..7857f55e24a 100644 --- a/src/backend/access/common/tupdesc.c +++ b/src/backend/access/common/tupdesc.c @@ -821,7 +821,7 @@ BuildDescForRelation(List *schema) attname = entry->colname; typenameTypeIdAndMod(NULL, entry->typeName, &atttypid, &atttypmod); - aclresult = pg_type_aclcheck(atttypid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, atttypid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, atttypid); diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index 7302f035086..3c9f8e60ad2 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c @@ -139,8 +139,26 @@ static AclMode restrict_and_check_grant(bool is_grant, AclMode avail_goptions, Oid objectId, Oid grantorId, ObjectType objtype, const char *objname, AttrNumber att_number, const char *colname); -static AclMode pg_aclmask(ObjectType objtype, Oid table_oid, AttrNumber attnum, +static AclMode pg_aclmask(ObjectType objtype, Oid object_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how); +static AclMode object_aclmask(Oid classid, Oid objectid, Oid roleid, + AclMode mask, AclMaskHow how); +static AclMode pg_attribute_aclmask(Oid table_oid, AttrNumber attnum, + Oid roleid, AclMode mask, AclMaskHow how); +static AclMode pg_attribute_aclmask_ext(Oid table_oid, AttrNumber attnum, + Oid roleid, AclMode mask, + AclMaskHow how, bool *is_missing); +static AclMode pg_class_aclmask_ext(Oid table_oid, Oid roleid, + AclMode mask, AclMaskHow how, + bool *is_missing); +static AclMode pg_parameter_acl_aclmask(Oid acl_oid, Oid roleid, + AclMode mask, AclMaskHow how); +static AclMode pg_largeobject_aclmask_snapshot(Oid lobj_oid, Oid roleid, + AclMode mask, AclMaskHow how, Snapshot snapshot); +static AclMode pg_namespace_aclmask(Oid nsp_oid, Oid roleid, + AclMode mask, AclMaskHow how); +static AclMode pg_type_aclmask(Oid type_oid, Oid roleid, + AclMode mask, AclMaskHow how); static void recordExtensionInitPriv(Oid objoid, Oid classoid, int objsubid, Acl *new_acl); static void recordExtensionInitPrivWorker(Oid objoid, Oid classoid, int objsubid, @@ -3787,47 +3805,47 @@ aclcheck_error_type(AclResult aclerr, Oid typeOid) * Relay for the various pg_*_mask routines depending on object kind */ static AclMode -pg_aclmask(ObjectType objtype, Oid table_oid, AttrNumber attnum, Oid roleid, +pg_aclmask(ObjectType objtype, Oid object_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how) { switch (objtype) { case OBJECT_COLUMN: return - pg_class_aclmask(table_oid, roleid, mask, how) | - pg_attribute_aclmask(table_oid, attnum, roleid, mask, how); + pg_class_aclmask(object_oid, roleid, mask, how) | + pg_attribute_aclmask(object_oid, attnum, roleid, mask, how); case OBJECT_TABLE: case OBJECT_SEQUENCE: - return pg_class_aclmask(table_oid, roleid, mask, how); + return pg_class_aclmask(object_oid, roleid, mask, how); case OBJECT_DATABASE: - return pg_database_aclmask(table_oid, roleid, mask, how); + return object_aclmask(DatabaseRelationId, object_oid, roleid, mask, how); case OBJECT_FUNCTION: - return pg_proc_aclmask(table_oid, roleid, mask, how); + return object_aclmask(ProcedureRelationId, object_oid, roleid, mask, how); case OBJECT_LANGUAGE: - return pg_language_aclmask(table_oid, roleid, mask, how); + return object_aclmask(LanguageRelationId, object_oid, roleid, mask, how); case OBJECT_LARGEOBJECT: - return pg_largeobject_aclmask_snapshot(table_oid, roleid, + return pg_largeobject_aclmask_snapshot(object_oid, roleid, mask, how, NULL); case OBJECT_PARAMETER_ACL: - return pg_parameter_acl_aclmask(table_oid, roleid, mask, how); + return pg_parameter_acl_aclmask(object_oid, roleid, mask, how); case OBJECT_SCHEMA: - return pg_namespace_aclmask(table_oid, roleid, mask, how); + return object_aclmask(NamespaceRelationId, object_oid, roleid, mask, how); case OBJECT_STATISTIC_EXT: elog(ERROR, "grantable rights not supported for statistics objects"); /* not reached, but keep compiler quiet */ return ACL_NO_RIGHTS; case OBJECT_TABLESPACE: - return pg_tablespace_aclmask(table_oid, roleid, mask, how); + return object_aclmask(TableSpaceRelationId, object_oid, roleid, mask, how); case OBJECT_FDW: - return pg_foreign_data_wrapper_aclmask(table_oid, roleid, mask, how); + return object_aclmask(ForeignDataWrapperRelationId, object_oid, roleid, mask, how); case OBJECT_FOREIGN_SERVER: - return pg_foreign_server_aclmask(table_oid, roleid, mask, how); + return object_aclmask(ForeignServerRelationId, object_oid, roleid, mask, how); case OBJECT_EVENT_TRIGGER: elog(ERROR, "grantable rights not supported for event triggers"); /* not reached, but keep compiler quiet */ return ACL_NO_RIGHTS; case OBJECT_TYPE: - return pg_type_aclmask(table_oid, roleid, mask, how); + return object_aclmask(TypeRelationId, object_oid, roleid, mask, how); default: elog(ERROR, "unrecognized object type: %d", (int) objtype); @@ -3849,14 +3867,90 @@ pg_aclmask(ObjectType objtype, Oid table_oid, AttrNumber attnum, Oid roleid, */ /* - * Exported routine for examining a user's privileges for a column + * Generic routine for examining a user's privileges for an object + */ +static AclMode +object_aclmask(Oid classid, Oid objectid, Oid roleid, + AclMode mask, AclMaskHow how) +{ + int cacheid; + AclMode result; + HeapTuple tuple; + Datum aclDatum; + bool isNull; + Acl *acl; + Oid ownerId; + + /* Special cases */ + switch (classid) + { + case NamespaceRelationId: + return pg_namespace_aclmask(objectid, roleid, mask, how); + case TypeRelationId: + return pg_type_aclmask(objectid, roleid, mask, how); + } + + /* Even more special cases */ + Assert(classid != RelationRelationId); /* should use pg_class_acl* */ + Assert(classid != LargeObjectMetadataRelationId); /* should use + * pg_largeobject_acl* */ + + /* Superusers bypass all permission checking. */ + if (superuser_arg(roleid)) + return mask; + + /* + * Get the objects's ACL from its catalog + */ + + cacheid = get_object_catcache_oid(classid); + + tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_DATABASE), + errmsg("%s with OID %u does not exist", get_object_class_descr(classid), objectid))); + + ownerId = DatumGetObjectId(SysCacheGetAttr(cacheid, + tuple, + get_object_attnum_owner(classid), + &isNull)); + Assert(!isNull); + + aclDatum = SysCacheGetAttr(cacheid, tuple, get_object_attnum_acl(classid), + &isNull); + if (isNull) + { + /* No ACL, so build default ACL */ + acl = acldefault(get_object_type(classid, objectid), ownerId); + aclDatum = (Datum) 0; + } + else + { + /* detoast ACL if necessary */ + acl = DatumGetAclP(aclDatum); + } + + result = aclmask(acl, roleid, ownerId, mask, how); + + /* if we have a detoasted copy, free it */ + if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) + pfree(acl); + + ReleaseSysCache(tuple); + + return result; +} + +/* + * Routine for examining a user's privileges for a column * * Note: this considers only privileges granted specifically on the column. * It is caller's responsibility to take relation-level privileges into account * as appropriate. (For the same reason, we have no special case for * superuser-ness here.) */ -AclMode +static AclMode pg_attribute_aclmask(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how) { @@ -3865,12 +3959,12 @@ pg_attribute_aclmask(Oid table_oid, AttrNumber attnum, Oid roleid, } /* - * Exported routine for examining a user's privileges for a column + * Routine for examining a user's privileges for a column * * Does the bulk of the work for pg_attribute_aclmask(), and allows other * callers to avoid the missing attribute ERROR when is_missing is non-NULL. */ -AclMode +static AclMode pg_attribute_aclmask_ext(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing) { @@ -3983,12 +4077,12 @@ pg_class_aclmask(Oid table_oid, Oid roleid, } /* - * Exported routine for examining a user's privileges for a table + * Routine for examining a user's privileges for a table * * Does the bulk of the work for pg_class_aclmask(), and allows other * callers to avoid the missing relation ERROR when is_missing is non-NULL. */ -AclMode +static AclMode pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing) { @@ -4104,64 +4198,10 @@ pg_class_aclmask_ext(Oid table_oid, Oid roleid, AclMode mask, } /* - * Exported routine for examining a user's privileges for a database - */ -AclMode -pg_database_aclmask(Oid db_oid, Oid roleid, - AclMode mask, AclMaskHow how) -{ - AclMode result; - HeapTuple tuple; - Datum aclDatum; - bool isNull; - Acl *acl; - Oid ownerId; - - /* Superusers bypass all permission checking. */ - if (superuser_arg(roleid)) - return mask; - - /* - * Get the database's ACL from pg_database - */ - tuple = SearchSysCache1(DATABASEOID, ObjectIdGetDatum(db_oid)); - if (!HeapTupleIsValid(tuple)) - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_DATABASE), - errmsg("database with OID %u does not exist", db_oid))); - - ownerId = ((Form_pg_database) GETSTRUCT(tuple))->datdba; - - aclDatum = SysCacheGetAttr(DATABASEOID, tuple, Anum_pg_database_datacl, - &isNull); - if (isNull) - { - /* No ACL, so build default ACL */ - acl = acldefault(OBJECT_DATABASE, ownerId); - aclDatum = (Datum) 0; - } - else - { - /* detoast ACL if necessary */ - acl = DatumGetAclP(aclDatum); - } - - result = aclmask(acl, roleid, ownerId, mask, how); - - /* if we have a detoasted copy, free it */ - if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) - pfree(acl); - - ReleaseSysCache(tuple); - - return result; -} - -/* - * Exported routine for examining a user's privileges for a configuration + * Routine for examining a user's privileges for a configuration * parameter (GUC), identified by GUC name. */ -AclMode +static AclMode pg_parameter_aclmask(const char *name, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; @@ -4222,10 +4262,10 @@ pg_parameter_aclmask(const char *name, Oid roleid, AclMode mask, AclMaskHow how) } /* - * Exported routine for examining a user's privileges for a configuration + * Routine for examining a user's privileges for a configuration * parameter (GUC), identified by the OID of its pg_parameter_acl entry. */ -AclMode +static AclMode pg_parameter_acl_aclmask(Oid acl_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; @@ -4273,115 +4313,7 @@ pg_parameter_acl_aclmask(Oid acl_oid, Oid roleid, AclMode mask, AclMaskHow how) } /* - * Exported routine for examining a user's privileges for a function - */ -AclMode -pg_proc_aclmask(Oid proc_oid, Oid roleid, - AclMode mask, AclMaskHow how) -{ - AclMode result; - HeapTuple tuple; - Datum aclDatum; - bool isNull; - Acl *acl; - Oid ownerId; - - /* Superusers bypass all permission checking. */ - if (superuser_arg(roleid)) - return mask; - - /* - * Get the function's ACL from pg_proc - */ - tuple = SearchSysCache1(PROCOID, ObjectIdGetDatum(proc_oid)); - if (!HeapTupleIsValid(tuple)) - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_FUNCTION), - errmsg("function with OID %u does not exist", proc_oid))); - - ownerId = ((Form_pg_proc) GETSTRUCT(tuple))->proowner; - - aclDatum = SysCacheGetAttr(PROCOID, tuple, Anum_pg_proc_proacl, - &isNull); - if (isNull) - { - /* No ACL, so build default ACL */ - acl = acldefault(OBJECT_FUNCTION, ownerId); - aclDatum = (Datum) 0; - } - else - { - /* detoast ACL if necessary */ - acl = DatumGetAclP(aclDatum); - } - - result = aclmask(acl, roleid, ownerId, mask, how); - - /* if we have a detoasted copy, free it */ - if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) - pfree(acl); - - ReleaseSysCache(tuple); - - return result; -} - -/* - * Exported routine for examining a user's privileges for a language - */ -AclMode -pg_language_aclmask(Oid lang_oid, Oid roleid, - AclMode mask, AclMaskHow how) -{ - AclMode result; - HeapTuple tuple; - Datum aclDatum; - bool isNull; - Acl *acl; - Oid ownerId; - - /* Superusers bypass all permission checking. */ - if (superuser_arg(roleid)) - return mask; - - /* - * Get the language's ACL from pg_language - */ - tuple = SearchSysCache1(LANGOID, ObjectIdGetDatum(lang_oid)); - if (!HeapTupleIsValid(tuple)) - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("language with OID %u does not exist", lang_oid))); - - ownerId = ((Form_pg_language) GETSTRUCT(tuple))->lanowner; - - aclDatum = SysCacheGetAttr(LANGOID, tuple, Anum_pg_language_lanacl, - &isNull); - if (isNull) - { - /* No ACL, so build default ACL */ - acl = acldefault(OBJECT_LANGUAGE, ownerId); - aclDatum = (Datum) 0; - } - else - { - /* detoast ACL if necessary */ - acl = DatumGetAclP(aclDatum); - } - - result = aclmask(acl, roleid, ownerId, mask, how); - - /* if we have a detoasted copy, free it */ - if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) - pfree(acl); - - ReleaseSysCache(tuple); - - return result; -} - -/* - * Exported routine for examining a user's privileges for a largeobject + * Routine for examining a user's privileges for a largeobject * * When a large object is opened for reading, it is opened relative to the * caller's snapshot, but when it is opened for writing, a current @@ -4392,7 +4324,7 @@ pg_language_aclmask(Oid lang_oid, Oid roleid, * snapshot, since all we do with the snapshot argument is pass it through * to systable_beginscan(). */ -AclMode +static AclMode pg_largeobject_aclmask_snapshot(Oid lobj_oid, Oid roleid, AclMode mask, AclMaskHow how, Snapshot snapshot) @@ -4463,9 +4395,9 @@ pg_largeobject_aclmask_snapshot(Oid lobj_oid, Oid roleid, } /* - * Exported routine for examining a user's privileges for a namespace + * Routine for examining a user's privileges for a namespace */ -AclMode +static AclMode pg_namespace_aclmask(Oid nsp_oid, Oid roleid, AclMode mask, AclMaskHow how) { @@ -4501,8 +4433,8 @@ pg_namespace_aclmask(Oid nsp_oid, Oid roleid, */ if (isTempNamespace(nsp_oid)) { - if (pg_database_aclcheck(MyDatabaseId, roleid, - ACL_CREATE_TEMP) == ACLCHECK_OK) + if (object_aclcheck(DatabaseRelationId, MyDatabaseId, roleid, + ACL_CREATE_TEMP) == ACLCHECK_OK) return mask & ACL_ALL_RIGHTS_SCHEMA; else return mask & ACL_USAGE; @@ -4555,189 +4487,9 @@ pg_namespace_aclmask(Oid nsp_oid, Oid roleid, } /* - * Exported routine for examining a user's privileges for a tablespace + * Routine for examining a user's privileges for a type. */ -AclMode -pg_tablespace_aclmask(Oid spc_oid, Oid roleid, - AclMode mask, AclMaskHow how) -{ - AclMode result; - HeapTuple tuple; - Datum aclDatum; - bool isNull; - Acl *acl; - Oid ownerId; - - /* Superusers bypass all permission checking. */ - if (superuser_arg(roleid)) - return mask; - - /* - * Get the tablespace's ACL from pg_tablespace - */ - tuple = SearchSysCache1(TABLESPACEOID, ObjectIdGetDatum(spc_oid)); - if (!HeapTupleIsValid(tuple)) - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("tablespace with OID %u does not exist", spc_oid))); - - ownerId = ((Form_pg_tablespace) GETSTRUCT(tuple))->spcowner; - - aclDatum = SysCacheGetAttr(TABLESPACEOID, tuple, - Anum_pg_tablespace_spcacl, - &isNull); - - if (isNull) - { - /* No ACL, so build default ACL */ - acl = acldefault(OBJECT_TABLESPACE, ownerId); - aclDatum = (Datum) 0; - } - else - { - /* detoast ACL if necessary */ - acl = DatumGetAclP(aclDatum); - } - - result = aclmask(acl, roleid, ownerId, mask, how); - - /* if we have a detoasted copy, free it */ - if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) - pfree(acl); - - ReleaseSysCache(tuple); - - return result; -} - -/* - * Exported routine for examining a user's privileges for a foreign - * data wrapper - */ -AclMode -pg_foreign_data_wrapper_aclmask(Oid fdw_oid, Oid roleid, - AclMode mask, AclMaskHow how) -{ - AclMode result; - HeapTuple tuple; - Datum aclDatum; - bool isNull; - Acl *acl; - Oid ownerId; - - Form_pg_foreign_data_wrapper fdwForm; - - /* Bypass permission checks for superusers */ - if (superuser_arg(roleid)) - return mask; - - /* - * Must get the FDW's tuple from pg_foreign_data_wrapper - */ - tuple = SearchSysCache1(FOREIGNDATAWRAPPEROID, ObjectIdGetDatum(fdw_oid)); - if (!HeapTupleIsValid(tuple)) - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("foreign-data wrapper with OID %u does not exist", - fdw_oid))); - fdwForm = (Form_pg_foreign_data_wrapper) GETSTRUCT(tuple); - - /* - * Normal case: get the FDW's ACL from pg_foreign_data_wrapper - */ - ownerId = fdwForm->fdwowner; - - aclDatum = SysCacheGetAttr(FOREIGNDATAWRAPPEROID, tuple, - Anum_pg_foreign_data_wrapper_fdwacl, &isNull); - if (isNull) - { - /* No ACL, so build default ACL */ - acl = acldefault(OBJECT_FDW, ownerId); - aclDatum = (Datum) 0; - } - else - { - /* detoast rel's ACL if necessary */ - acl = DatumGetAclP(aclDatum); - } - - result = aclmask(acl, roleid, ownerId, mask, how); - - /* if we have a detoasted copy, free it */ - if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) - pfree(acl); - - ReleaseSysCache(tuple); - - return result; -} - -/* - * Exported routine for examining a user's privileges for a foreign - * server. - */ -AclMode -pg_foreign_server_aclmask(Oid srv_oid, Oid roleid, - AclMode mask, AclMaskHow how) -{ - AclMode result; - HeapTuple tuple; - Datum aclDatum; - bool isNull; - Acl *acl; - Oid ownerId; - - Form_pg_foreign_server srvForm; - - /* Bypass permission checks for superusers */ - if (superuser_arg(roleid)) - return mask; - - /* - * Must get the FDW's tuple from pg_foreign_data_wrapper - */ - tuple = SearchSysCache1(FOREIGNSERVEROID, ObjectIdGetDatum(srv_oid)); - if (!HeapTupleIsValid(tuple)) - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("foreign server with OID %u does not exist", - srv_oid))); - srvForm = (Form_pg_foreign_server) GETSTRUCT(tuple); - - /* - * Normal case: get the foreign server's ACL from pg_foreign_server - */ - ownerId = srvForm->srvowner; - - aclDatum = SysCacheGetAttr(FOREIGNSERVEROID, tuple, - Anum_pg_foreign_server_srvacl, &isNull); - if (isNull) - { - /* No ACL, so build default ACL */ - acl = acldefault(OBJECT_FOREIGN_SERVER, ownerId); - aclDatum = (Datum) 0; - } - else - { - /* detoast rel's ACL if necessary */ - acl = DatumGetAclP(aclDatum); - } - - result = aclmask(acl, roleid, ownerId, mask, how); - - /* if we have a detoasted copy, free it */ - if (acl && (Pointer) acl != DatumGetPointer(aclDatum)) - pfree(acl); - - ReleaseSysCache(tuple); - - return result; -} - -/* - * Exported routine for examining a user's privileges for a type. - */ -AclMode +static AclMode pg_type_aclmask(Oid type_oid, Oid roleid, AclMode mask, AclMaskHow how) { AclMode result; @@ -4811,6 +4563,18 @@ pg_type_aclmask(Oid type_oid, Oid roleid, AclMode mask, AclMaskHow how) return result; } +/* + * Exported generic routine for checking a user's access privileges to an object + */ +AclResult +object_aclcheck(Oid classid, Oid objectid, Oid roleid, AclMode mode) +{ + if (object_aclmask(classid, objectid, roleid, mode, ACLMASK_ANY) != 0) + return ACLCHECK_OK; + else + return ACLCHECK_NO_PRIV; +} + /* * Exported routine for checking a user's access privileges to a column * @@ -4973,18 +4737,6 @@ pg_class_aclcheck_ext(Oid table_oid, Oid roleid, return ACLCHECK_NO_PRIV; } -/* - * Exported routine for checking a user's access privileges to a database - */ -AclResult -pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode) -{ - if (pg_database_aclmask(db_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - /* * Exported routine for checking a user's access privileges to a configuration * parameter (GUC), identified by GUC name. @@ -4998,43 +4750,6 @@ pg_parameter_aclcheck(const char *name, Oid roleid, AclMode mode) return ACLCHECK_NO_PRIV; } -/* - * Exported routine for checking a user's access privileges to a configuration - * parameter (GUC), identified by the OID of its pg_parameter_acl entry. - */ -AclResult -pg_parameter_acl_aclcheck(Oid acl_oid, Oid roleid, AclMode mode) -{ - if (pg_parameter_acl_aclmask(acl_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - -/* - * Exported routine for checking a user's access privileges to a function - */ -AclResult -pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode) -{ - if (pg_proc_aclmask(proc_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - -/* - * Exported routine for checking a user's access privileges to a language - */ -AclResult -pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode) -{ - if (pg_language_aclmask(lang_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - /* * Exported routine for checking a user's access privileges to a largeobject */ @@ -5049,68 +4764,6 @@ pg_largeobject_aclcheck_snapshot(Oid lobj_oid, Oid roleid, AclMode mode, return ACLCHECK_NO_PRIV; } -/* - * Exported routine for checking a user's access privileges to a namespace - */ -AclResult -pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode) -{ - if (pg_namespace_aclmask(nsp_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - -/* - * Exported routine for checking a user's access privileges to a tablespace - */ -AclResult -pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode) -{ - if (pg_tablespace_aclmask(spc_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - -/* - * Exported routine for checking a user's access privileges to a foreign - * data wrapper - */ -AclResult -pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode) -{ - if (pg_foreign_data_wrapper_aclmask(fdw_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - -/* - * Exported routine for checking a user's access privileges to a foreign - * server - */ -AclResult -pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode) -{ - if (pg_foreign_server_aclmask(srv_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - -/* - * Exported routine for checking a user's access privileges to a type - */ -AclResult -pg_type_aclcheck(Oid type_oid, Oid roleid, AclMode mode) -{ - if (pg_type_aclmask(type_oid, roleid, mode, ACLMASK_ANY) != 0) - return ACLCHECK_OK; - else - return ACLCHECK_NO_PRIV; -} - /* * Generic ownership check for an object */ diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c index 1543f2abcd8..bac0deb6da3 100644 --- a/src/backend/catalog/namespace.c +++ b/src/backend/catalog/namespace.c @@ -28,6 +28,7 @@ #include "catalog/pg_authid.h" #include "catalog/pg_collation.h" #include "catalog/pg_conversion.h" +#include "catalog/pg_database.h" #include "catalog/pg_namespace.h" #include "catalog/pg_opclass.h" #include "catalog/pg_operator.h" @@ -586,7 +587,7 @@ RangeVarGetAndCheckCreationNamespace(RangeVar *relation, break; /* Check namespace permissions. */ - aclresult = pg_namespace_aclcheck(nspid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, nspid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(nspid)); @@ -2954,7 +2955,7 @@ LookupExplicitNamespace(const char *nspname, bool missing_ok) if (missing_ok && !OidIsValid(namespaceId)) return InvalidOid; - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, nspname); @@ -2990,7 +2991,7 @@ LookupCreationNamespace(const char *nspname) namespaceId = get_namespace_oid(nspname, false); - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, nspname); @@ -3836,7 +3837,7 @@ recomputeNamespacePath(void) ReleaseSysCache(tuple); if (OidIsValid(namespaceId) && !list_member_oid(oidlist, namespaceId) && - pg_namespace_aclcheck(namespaceId, roleid, + object_aclcheck(NamespaceRelationId, namespaceId, roleid, ACL_USAGE) == ACLCHECK_OK && InvokeNamespaceSearchHook(namespaceId, false)) oidlist = lappend_oid(oidlist, namespaceId); @@ -3864,7 +3865,7 @@ recomputeNamespacePath(void) namespaceId = get_namespace_oid(curname, true); if (OidIsValid(namespaceId) && !list_member_oid(oidlist, namespaceId) && - pg_namespace_aclcheck(namespaceId, roleid, + object_aclcheck(NamespaceRelationId, namespaceId, roleid, ACL_USAGE) == ACLCHECK_OK && InvokeNamespaceSearchHook(namespaceId, false)) oidlist = lappend_oid(oidlist, namespaceId); @@ -4000,7 +4001,7 @@ InitTempTableNamespace(void) * But there's no need to make the namespace in the first place until a * temp table creation request is made by someone with appropriate rights. */ - if (pg_database_aclcheck(MyDatabaseId, GetUserId(), + if (object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE_TEMP) != ACLCHECK_OK) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), diff --git a/src/backend/catalog/pg_aggregate.c b/src/backend/catalog/pg_aggregate.c index 0d0daa69b34..a98445b741a 100644 --- a/src/backend/catalog/pg_aggregate.c +++ b/src/backend/catalog/pg_aggregate.c @@ -586,23 +586,23 @@ AggregateCreate(const char *aggName, */ for (i = 0; i < numArgs; i++) { - aclresult = pg_type_aclcheck(aggArgTypes[i], GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, aggArgTypes[i], GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, aggArgTypes[i]); } - aclresult = pg_type_aclcheck(aggTransType, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, aggTransType, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, aggTransType); if (OidIsValid(aggmTransType)) { - aclresult = pg_type_aclcheck(aggmTransType, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, aggmTransType, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, aggmTransType); } - aclresult = pg_type_aclcheck(finaltype, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, finaltype, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, finaltype); @@ -906,7 +906,7 @@ lookup_agg_function(List *fnName, } /* Check aggregate creator has permission to call the function */ - aclresult = pg_proc_aclcheck(fnOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, fnOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(fnOid)); diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c index e6e794b6ff9..1017f2eed18 100644 --- a/src/backend/catalog/pg_operator.c +++ b/src/backend/catalog/pg_operator.c @@ -624,7 +624,7 @@ get_other_operator(List *otherOp, Oid otherLeftTypeId, Oid otherRightTypeId, /* not in catalogs, different from operator, so make shell */ - aclresult = pg_namespace_aclcheck(otherNamespace, GetUserId(), + aclresult = object_aclcheck(NamespaceRelationId, otherNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, diff --git a/src/backend/commands/aggregatecmds.c b/src/backend/commands/aggregatecmds.c index 010eca7340a..a9339e40b31 100644 --- a/src/backend/commands/aggregatecmds.c +++ b/src/backend/commands/aggregatecmds.c @@ -25,6 +25,7 @@ #include "access/htup_details.h" #include "catalog/dependency.h" #include "catalog/pg_aggregate.h" +#include "catalog/pg_namespace.h" #include "catalog/pg_proc.h" #include "catalog/pg_type.h" #include "commands/alter.h" @@ -104,7 +105,7 @@ DefineAggregate(ParseState *pstate, aggNamespace = QualifiedNameGetCreationNamespace(name, &aggName); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(aggNamespace, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, aggNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(aggNamespace)); diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c index 5dabba4dd06..b2089d785b6 100644 --- a/src/backend/commands/alter.c +++ b/src/backend/commands/alter.c @@ -228,7 +228,7 @@ AlterObjectRename_internal(Relation rel, Oid objectId, const char *new_name) /* User must have CREATE privilege on the namespace */ if (OidIsValid(namespaceId)) { - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, @@ -757,7 +757,7 @@ AlterObjectNamespace_internal(Relation rel, Oid objid, Oid nspOid) NameStr(*(DatumGetName(name)))); /* User must have CREATE privilege on new namespace */ - aclresult = pg_namespace_aclcheck(nspOid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, nspOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(nspOid)); @@ -1006,7 +1006,7 @@ AlterObjectOwner_internal(Relation rel, Oid objectId, Oid new_ownerId) { AclResult aclresult; - aclresult = pg_namespace_aclcheck(namespaceId, new_ownerId, + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, new_ownerId, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, diff --git a/src/backend/commands/collationcmds.c b/src/backend/commands/collationcmds.c index 1753d67b612..25efa6e0bf0 100644 --- a/src/backend/commands/collationcmds.c +++ b/src/backend/commands/collationcmds.c @@ -23,6 +23,7 @@ #include "catalog/objectaccess.h" #include "catalog/pg_collation.h" #include "catalog/pg_database.h" +#include "catalog/pg_namespace.h" #include "commands/alter.h" #include "commands/collationcmds.h" #include "commands/comment.h" @@ -76,7 +77,7 @@ DefineCollation(ParseState *pstate, List *names, List *parameters, bool if_not_e collNamespace = QualifiedNameGetCreationNamespace(names, &collName); - aclresult = pg_namespace_aclcheck(collNamespace, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, collNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(collNamespace)); diff --git a/src/backend/commands/conversioncmds.c b/src/backend/commands/conversioncmds.c index 67feda33ec5..7f721cca714 100644 --- a/src/backend/commands/conversioncmds.c +++ b/src/backend/commands/conversioncmds.c @@ -18,6 +18,8 @@ #include "catalog/dependency.h" #include "catalog/indexing.h" #include "catalog/pg_conversion.h" +#include "catalog/pg_namespace.h" +#include "catalog/pg_proc.h" #include "catalog/pg_type.h" #include "commands/alter.h" #include "commands/conversioncmds.h" @@ -54,7 +56,7 @@ CreateConversionCommand(CreateConversionStmt *stmt) &conversion_name); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(namespaceId)); @@ -101,7 +103,7 @@ CreateConversionCommand(CreateConversionStmt *stmt) NameListToString(func_name), "integer"))); /* Check we have EXECUTE rights for the function */ - aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, funcoid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(func_name)); diff --git a/src/backend/commands/dbcommands.c b/src/backend/commands/dbcommands.c index 0d6a1228639..a67ea86619c 100644 --- a/src/backend/commands/dbcommands.c +++ b/src/backend/commands/dbcommands.c @@ -1164,7 +1164,7 @@ createdb(ParseState *pstate, const CreatedbStmt *stmt) tablespacename = defGetString(dtablespacename); dst_deftablespace = get_tablespace_oid(tablespacename, false); /* check permissions */ - aclresult = pg_tablespace_aclcheck(dst_deftablespace, GetUserId(), + aclresult = object_aclcheck(TableSpaceRelationId, dst_deftablespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, @@ -1874,7 +1874,7 @@ movedb(const char *dbname, const char *tblspcname) /* * Permission checks */ - aclresult = pg_tablespace_aclcheck(dst_tblspcoid, GetUserId(), + aclresult = object_aclcheck(TableSpaceRelationId, dst_tblspcoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c index 722e94bbce0..806d6056ab6 100644 --- a/src/backend/commands/extension.c +++ b/src/backend/commands/extension.c @@ -42,6 +42,7 @@ #include "catalog/objectaccess.h" #include "catalog/pg_authid.h" #include "catalog/pg_collation.h" +#include "catalog/pg_database.h" #include "catalog/pg_depend.h" #include "catalog/pg_extension.h" #include "catalog/pg_namespace.h" @@ -832,7 +833,7 @@ extension_is_trusted(ExtensionControlFile *control) if (!control->trusted) return false; /* Allow if user has CREATE privilege on current database */ - aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE); if (aclresult == ACLCHECK_OK) return true; return false; @@ -2732,7 +2733,7 @@ AlterExtensionNamespace(const char *extensionName, const char *newschema, Oid *o extensionName); /* Permission check: must have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(nspOid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, nspOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, newschema); diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c index e6e6d128d11..55b0be9e1d1 100644 --- a/src/backend/commands/foreigncmds.c +++ b/src/backend/commands/foreigncmds.c @@ -366,7 +366,7 @@ AlterForeignServerOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId) check_is_member_of_role(GetUserId(), newOwnerId); /* New owner must have USAGE privilege on foreign-data wrapper */ - aclresult = pg_foreign_data_wrapper_aclcheck(form->srvfdw, newOwnerId, ACL_USAGE); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, form->srvfdw, newOwnerId, ACL_USAGE); if (aclresult != ACLCHECK_OK) { ForeignDataWrapper *fdw = GetForeignDataWrapper(form->srvfdw); @@ -891,7 +891,7 @@ CreateForeignServer(CreateForeignServerStmt *stmt) */ fdw = GetForeignDataWrapperByName(stmt->fdwname, false); - aclresult = pg_foreign_data_wrapper_aclcheck(fdw->fdwid, ownerId, ACL_USAGE); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdw->fdwid, ownerId, ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FDW, fdw->fdwname); @@ -1082,7 +1082,7 @@ user_mapping_ddl_aclcheck(Oid umuserid, Oid serverid, const char *servername) { AclResult aclresult; - aclresult = pg_foreign_server_aclcheck(serverid, curuserid, ACL_USAGE); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, curuserid, ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, servername); } @@ -1433,7 +1433,7 @@ CreateForeignTable(CreateForeignTableStmt *stmt, Oid relid) * get the actual FDW for option validation etc. */ server = GetForeignServerByName(stmt->servername, false); - aclresult = pg_foreign_server_aclcheck(server->serverid, ownerId, ACL_USAGE); + aclresult = object_aclcheck(ForeignServerRelationId, server->serverid, ownerId, ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, server->servername); @@ -1492,7 +1492,7 @@ ImportForeignSchema(ImportForeignSchemaStmt *stmt) /* Check that the foreign server exists and that we have USAGE on it */ server = GetForeignServerByName(stmt->server_name, false); - aclresult = pg_foreign_server_aclcheck(server->serverid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(ForeignServerRelationId, server->serverid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, server->servername); diff --git a/src/backend/commands/functioncmds.c b/src/backend/commands/functioncmds.c index 3645216c4b5..57489f65f2e 100644 --- a/src/backend/commands/functioncmds.c +++ b/src/backend/commands/functioncmds.c @@ -150,7 +150,7 @@ compute_return_type(TypeName *returnType, Oid languageOid, errdetail("Creating a shell type definition."))); namespaceId = QualifiedNameGetCreationNamespace(returnType->names, &typname); - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, @@ -160,7 +160,7 @@ compute_return_type(TypeName *returnType, Oid languageOid, Assert(OidIsValid(rettype)); } - aclresult = pg_type_aclcheck(rettype, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, rettype, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, rettype); @@ -272,7 +272,7 @@ interpret_function_parameter_list(ParseState *pstate, toid = InvalidOid; /* keep compiler quiet */ } - aclresult = pg_type_aclcheck(toid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, toid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, toid); @@ -1057,7 +1057,7 @@ CreateFunction(ParseState *pstate, CreateFunctionStmt *stmt) &funcname); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(namespaceId)); @@ -1111,7 +1111,7 @@ CreateFunction(ParseState *pstate, CreateFunctionStmt *stmt) if (languageStruct->lanpltrusted) { /* if trusted language, need USAGE privilege */ - aclresult = pg_language_aclcheck(languageOid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(LanguageRelationId, languageOid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_LANGUAGE, NameStr(languageStruct->lanname)); @@ -1562,11 +1562,11 @@ CreateCast(CreateCastStmt *stmt) format_type_be(sourcetypeid), format_type_be(targettypeid)))); - aclresult = pg_type_aclcheck(sourcetypeid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, sourcetypeid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, sourcetypeid); - aclresult = pg_type_aclcheck(targettypeid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, targettypeid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, targettypeid); @@ -1841,7 +1841,7 @@ CreateTransform(CreateTransformStmt *stmt) if (!object_ownercheck(TypeRelationId, typeid, GetUserId())) aclcheck_error_type(ACLCHECK_NOT_OWNER, typeid); - aclresult = pg_type_aclcheck(typeid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, typeid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, typeid); @@ -1850,7 +1850,7 @@ CreateTransform(CreateTransformStmt *stmt) */ langid = get_language_oid(stmt->lang, false); - aclresult = pg_language_aclcheck(langid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(LanguageRelationId, langid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_LANGUAGE, stmt->lang); @@ -1864,7 +1864,7 @@ CreateTransform(CreateTransformStmt *stmt) if (!object_ownercheck(ProcedureRelationId, fromsqlfuncid, GetUserId())) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_FUNCTION, NameListToString(stmt->fromsql->objname)); - aclresult = pg_proc_aclcheck(fromsqlfuncid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, fromsqlfuncid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(stmt->fromsql->objname)); @@ -1890,7 +1890,7 @@ CreateTransform(CreateTransformStmt *stmt) if (!object_ownercheck(ProcedureRelationId, tosqlfuncid, GetUserId())) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_FUNCTION, NameListToString(stmt->tosql->objname)); - aclresult = pg_proc_aclcheck(tosqlfuncid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, tosqlfuncid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(stmt->tosql->objname)); @@ -2116,7 +2116,7 @@ ExecuteDoStmt(ParseState *pstate, DoStmt *stmt, bool atomic) /* if trusted language, need USAGE privilege */ AclResult aclresult; - aclresult = pg_language_aclcheck(codeblock->langOid, GetUserId(), + aclresult = object_aclcheck(LanguageRelationId, codeblock->langOid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_LANGUAGE, @@ -2193,7 +2193,7 @@ ExecuteCallStmt(CallStmt *stmt, ParamListInfo params, bool atomic, DestReceiver Assert(fexpr); Assert(IsA(fexpr, FuncExpr)); - aclresult = pg_proc_aclcheck(fexpr->funcid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, fexpr->funcid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_PROCEDURE, get_func_name(fexpr->funcid)); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index aadd67b07f5..91cee27743d 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -742,7 +742,7 @@ DefineIndex(Oid relationId, { AclResult aclresult; - aclresult = pg_namespace_aclcheck(namespaceId, root_save_userid, + aclresult = object_aclcheck(NamespaceRelationId, namespaceId, root_save_userid, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, @@ -774,7 +774,7 @@ DefineIndex(Oid relationId, { AclResult aclresult; - aclresult = pg_tablespace_aclcheck(tablespaceId, root_save_userid, + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceId, root_save_userid, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, @@ -2648,7 +2648,7 @@ ExecReindex(ParseState *pstate, ReindexStmt *stmt, bool isTopLevel) { AclResult aclresult; - aclresult = pg_tablespace_aclcheck(params.tablespaceOid, + aclresult = object_aclcheck(TableSpaceRelationId, params.tablespaceOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, @@ -3245,7 +3245,7 @@ ReindexMultipleInternal(List *relids, ReindexParams *params) { AclResult aclresult; - aclresult = pg_tablespace_aclcheck(params->tablespaceOid, + aclresult = object_aclcheck(TableSpaceRelationId, params->tablespaceOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, diff --git a/src/backend/commands/opclasscmds.c b/src/backend/commands/opclasscmds.c index c004e303e28..0bc6deda008 100644 --- a/src/backend/commands/opclasscmds.c +++ b/src/backend/commands/opclasscmds.c @@ -362,7 +362,7 @@ DefineOpClass(CreateOpClassStmt *stmt) &opcname); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(namespaceoid)); @@ -781,7 +781,7 @@ DefineOpFamily(CreateOpFamilyStmt *stmt) &opfname); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(namespaceoid)); diff --git a/src/backend/commands/operatorcmds.c b/src/backend/commands/operatorcmds.c index a2d7ae89d74..8dc57976268 100644 --- a/src/backend/commands/operatorcmds.c +++ b/src/backend/commands/operatorcmds.c @@ -36,7 +36,9 @@ #include "catalog/dependency.h" #include "catalog/indexing.h" #include "catalog/objectaccess.h" +#include "catalog/pg_namespace.h" #include "catalog/pg_operator.h" +#include "catalog/pg_proc.h" #include "catalog/pg_type.h" #include "commands/alter.h" #include "commands/defrem.h" @@ -90,7 +92,7 @@ DefineOperator(List *names, List *parameters) oprNamespace = QualifiedNameGetCreationNamespace(names, &oprName); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(oprNamespace, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, oprNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(oprNamespace)); @@ -187,14 +189,14 @@ DefineOperator(List *names, List *parameters) if (typeName1) { - aclresult = pg_type_aclcheck(typeId1, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, typeId1, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, typeId1); } if (typeName2) { - aclresult = pg_type_aclcheck(typeId2, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, typeId2, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, typeId2); } @@ -225,13 +227,13 @@ DefineOperator(List *names, List *parameters) * necessary, since EXECUTE will be checked at any attempted use of the * operator, but it seems like a good idea anyway. */ - aclresult = pg_proc_aclcheck(functionOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, functionOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(functionName)); rettype = get_func_rettype(functionOid); - aclresult = pg_type_aclcheck(rettype, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, rettype, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, rettype); @@ -291,7 +293,7 @@ ValidateRestrictionEstimator(List *restrictionName) NameListToString(restrictionName), "float8"))); /* Require EXECUTE rights for the estimator */ - aclresult = pg_proc_aclcheck(restrictionOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, restrictionOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(restrictionName)); @@ -349,7 +351,7 @@ ValidateJoinEstimator(List *joinName) NameListToString(joinName), "float8"))); /* Require EXECUTE rights for the estimator */ - aclresult = pg_proc_aclcheck(joinOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, joinOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(joinName)); diff --git a/src/backend/commands/publicationcmds.c b/src/backend/commands/publicationcmds.c index 8428e9e7b22..940655b9be0 100644 --- a/src/backend/commands/publicationcmds.c +++ b/src/backend/commands/publicationcmds.c @@ -24,6 +24,7 @@ #include "catalog/objectaccess.h" #include "catalog/objectaddress.h" #include "catalog/partition.h" +#include "catalog/pg_database.h" #include "catalog/pg_inherits.h" #include "catalog/pg_namespace.h" #include "catalog/pg_proc.h" @@ -748,7 +749,7 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt) List *schemaidlist = NIL; /* must have CREATE privilege on database */ - aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(MyDatabaseId)); @@ -1913,7 +1914,7 @@ AlterPublicationOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId) check_is_member_of_role(GetUserId(), newOwnerId); /* New owner must have CREATE privilege on database */ - aclresult = pg_database_aclcheck(MyDatabaseId, newOwnerId, ACL_CREATE); + aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, newOwnerId, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(MyDatabaseId)); diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c index 3005a059e82..b03f07a2322 100644 --- a/src/backend/commands/schemacmds.c +++ b/src/backend/commands/schemacmds.c @@ -23,6 +23,7 @@ #include "catalog/namespace.h" #include "catalog/objectaccess.h" #include "catalog/pg_authid.h" +#include "catalog/pg_database.h" #include "catalog/pg_namespace.h" #include "commands/dbcommands.h" #include "commands/event_trigger.h" @@ -91,7 +92,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, * The latter provision guards against "giveaway" attacks. Note that a * superuser will always have both of these privileges a fortiori. */ - aclresult = pg_database_aclcheck(MyDatabaseId, saved_uid, ACL_CREATE); + aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, saved_uid, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(MyDatabaseId)); @@ -259,7 +260,7 @@ RenameSchema(const char *oldname, const char *newname) oldname); /* must have CREATE privilege on database */ - aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(MyDatabaseId)); @@ -380,7 +381,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId) * schemas. Because superusers will always have this right, we need * no special case for them. */ - aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), + aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_DATABASE, diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 6804c7a8597..f0068078520 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -804,7 +804,7 @@ DefineRelation(CreateStmt *stmt, char relkind, Oid ownerId, { AclResult aclresult; - aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(), + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, @@ -845,7 +845,7 @@ DefineRelation(CreateStmt *stmt, char relkind, Oid ownerId, ofTypeId = typenameTypeId(NULL, stmt->ofTypename); - aclresult = pg_type_aclcheck(ofTypeId, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, ofTypeId, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, ofTypeId); } @@ -6830,7 +6830,7 @@ ATExecAddColumn(List **wqueue, AlteredTableInfo *tab, Relation rel, tform = (Form_pg_type) GETSTRUCT(typeTuple); typeOid = tform->oid; - aclresult = pg_type_aclcheck(typeOid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, typeOid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, typeOid); @@ -12164,7 +12164,7 @@ ATPrepAlterColumnType(List **wqueue, /* Look up the target type */ typenameTypeIdAndMod(NULL, typeName, &targettype, &targettypmod); - aclresult = pg_type_aclcheck(targettype, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, targettype, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, targettype); @@ -13836,7 +13836,7 @@ ATExecChangeOwner(Oid relationOid, Oid newOwnerId, bool recursing, LOCKMODE lock check_is_member_of_role(GetUserId(), newOwnerId); /* New owner must have CREATE privilege on namespace */ - aclresult = pg_namespace_aclcheck(namespaceOid, newOwnerId, + aclresult = object_aclcheck(NamespaceRelationId, namespaceOid, newOwnerId, ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, @@ -14152,7 +14152,7 @@ ATPrepSetTableSpace(AlteredTableInfo *tab, Relation rel, const char *tablespacen { AclResult aclresult; - aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceId, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, tablespacename); } @@ -14545,7 +14545,7 @@ AlterTableMoveAll(AlterTableMoveAllStmt *stmt) { AclResult aclresult; - aclresult = pg_tablespace_aclcheck(new_tablespaceoid, GetUserId(), + aclresult = object_aclcheck(TableSpaceRelationId, new_tablespaceoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, @@ -17052,7 +17052,7 @@ RangeVarCallbackForAlterRelation(const RangeVar *rv, Oid relid, Oid oldrelid, */ if (IsA(stmt, RenameStmt)) { - aclresult = pg_namespace_aclcheck(classform->relnamespace, + aclresult = object_aclcheck(NamespaceRelationId, classform->relnamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, diff --git a/src/backend/commands/tablespace.c b/src/backend/commands/tablespace.c index b60cb712c1f..76e100b5602 100644 --- a/src/backend/commands/tablespace.c +++ b/src/backend/commands/tablespace.c @@ -1277,7 +1277,7 @@ check_temp_tablespaces(char **newval, void **extra, GucSource source) } /* Check permissions, similarly complaining only if interactive */ - aclresult = pg_tablespace_aclcheck(curoid, GetUserId(), + aclresult = object_aclcheck(TableSpaceRelationId, curoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) { @@ -1407,7 +1407,7 @@ PrepareTempTablespaces(void) } /* Check permissions similarly */ - aclresult = pg_tablespace_aclcheck(curoid, GetUserId(), + aclresult = object_aclcheck(TableSpaceRelationId, curoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) continue; diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index df408092820..aaf54874be2 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -696,7 +696,7 @@ CreateTriggerFiringOn(CreateTrigStmt *stmt, const char *queryString, funcoid = LookupFuncName(stmt->funcname, 0, NULL, false); if (!isInternal) { - aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, funcoid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(stmt->funcname)); diff --git a/src/backend/commands/tsearchcmds.c b/src/backend/commands/tsearchcmds.c index 365bfd30fdf..9304c53d4ba 100644 --- a/src/backend/commands/tsearchcmds.c +++ b/src/backend/commands/tsearchcmds.c @@ -408,7 +408,7 @@ DefineTSDictionary(List *names, List *parameters) namespaceoid = QualifiedNameGetCreationNamespace(names, &dictname); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(namespaceoid)); @@ -911,7 +911,7 @@ DefineTSConfiguration(List *names, List *parameters, ObjectAddress *copied) namespaceoid = QualifiedNameGetCreationNamespace(names, &cfgname); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(namespaceoid)); diff --git a/src/backend/commands/typecmds.c b/src/backend/commands/typecmds.c index b7e0194d236..ecc8b3f44c9 100644 --- a/src/backend/commands/typecmds.c +++ b/src/backend/commands/typecmds.c @@ -222,7 +222,7 @@ DefineType(ParseState *pstate, List *names, List *parameters) #ifdef NOT_USED /* XXX this is unnecessary given the superuser check above */ /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(typeNamespace, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, typeNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(typeNamespace)); @@ -733,7 +733,7 @@ DefineDomain(CreateDomainStmt *stmt) &domainName); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(domainNamespace, GetUserId(), + aclresult = object_aclcheck(NamespaceRelationId, domainNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, @@ -781,7 +781,7 @@ DefineDomain(CreateDomainStmt *stmt) errmsg("\"%s\" is not a valid base type for a domain", TypeNameToString(stmt->typeName)))); - aclresult = pg_type_aclcheck(basetypeoid, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(TypeRelationId, basetypeoid, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error_type(aclresult, basetypeoid); @@ -1149,7 +1149,7 @@ DefineEnum(CreateEnumStmt *stmt) &enumName); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(enumNamespace, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, enumNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(enumNamespace)); @@ -1369,7 +1369,7 @@ DefineRange(ParseState *pstate, CreateRangeStmt *stmt) &typeName); /* Check we have creation rights in target namespace */ - aclresult = pg_namespace_aclcheck(typeNamespace, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(NamespaceRelationId, typeNamespace, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(typeNamespace)); @@ -2341,7 +2341,7 @@ findRangeCanonicalFunction(List *procname, Oid typeOid) func_signature_string(procname, 1, NIL, argList)))); /* Also, range type's creator must have permission to call function */ - aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, procOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(procOid)); @@ -2384,7 +2384,7 @@ findRangeSubtypeDiffFunction(List *procname, Oid subtype) func_signature_string(procname, 2, NIL, argList)))); /* Also, range type's creator must have permission to call function */ - aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, procOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(procOid)); @@ -3748,7 +3748,7 @@ AlterTypeOwner(List *names, Oid newOwnerId, ObjectType objecttype) check_is_member_of_role(GetUserId(), newOwnerId); /* New owner must have CREATE privilege on namespace */ - aclresult = pg_namespace_aclcheck(typTup->typnamespace, + aclresult = object_aclcheck(NamespaceRelationId, typTup->typnamespace, newOwnerId, ACL_CREATE); if (aclresult != ACLCHECK_OK) diff --git a/src/backend/executor/execExpr.c b/src/backend/executor/execExpr.c index 25a94bbaaaa..0ecb2f86100 100644 --- a/src/backend/executor/execExpr.c +++ b/src/backend/executor/execExpr.c @@ -32,6 +32,7 @@ #include "access/nbtree.h" #include "catalog/objectaccess.h" +#include "catalog/pg_proc.h" #include "catalog/pg_type.h" #include "executor/execExpr.h" #include "executor/nodeSubplan.h" @@ -1224,7 +1225,7 @@ ExecInitExprRec(Expr *node, ExprState *state, arrayarg = (Expr *) lsecond(opexpr->args); /* Check permission to call function */ - aclresult = pg_proc_aclcheck(cmpfuncid, + aclresult = object_aclcheck(ProcedureRelationId, cmpfuncid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) @@ -1234,7 +1235,7 @@ ExecInitExprRec(Expr *node, ExprState *state, if (OidIsValid(opexpr->hashfuncid)) { - aclresult = pg_proc_aclcheck(opexpr->hashfuncid, + aclresult = object_aclcheck(ProcedureRelationId, opexpr->hashfuncid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) @@ -2462,7 +2463,7 @@ ExecInitFunc(ExprEvalStep *scratch, Expr *node, List *args, Oid funcid, ListCell *lc; /* Check permission to call function */ - aclresult = pg_proc_aclcheck(funcid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, funcid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(funcid)); InvokeFunctionExecuteHook(funcid); @@ -3797,7 +3798,7 @@ ExecBuildGroupingEqual(TupleDesc ldesc, TupleDesc rdesc, AclResult aclresult; /* Check permission to call function */ - aclresult = pg_proc_aclcheck(foid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, foid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(foid)); @@ -3931,7 +3932,7 @@ ExecBuildParamSetEqual(TupleDesc desc, AclResult aclresult; /* Check permission to call function */ - aclresult = pg_proc_aclcheck(foid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, foid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(foid)); diff --git a/src/backend/executor/execSRF.c b/src/backend/executor/execSRF.c index c2ad4d731b8..d8a5e3ce35b 100644 --- a/src/backend/executor/execSRF.c +++ b/src/backend/executor/execSRF.c @@ -20,6 +20,7 @@ #include "access/htup_details.h" #include "catalog/objectaccess.h" +#include "catalog/pg_proc.h" #include "executor/execdebug.h" #include "funcapi.h" #include "miscadmin.h" @@ -701,7 +702,7 @@ init_sexpr(Oid foid, Oid input_collation, Expr *node, size_t numargs = list_length(sexpr->args); /* Check permission to call function */ - aclresult = pg_proc_aclcheck(foid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, foid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(foid)); InvokeFunctionExecuteHook(foid); diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c index 28f6f9c5c5a..30c91431838 100644 --- a/src/backend/executor/nodeAgg.c +++ b/src/backend/executor/nodeAgg.c @@ -3676,7 +3676,7 @@ ExecInitAgg(Agg *node, EState *estate, int eflags) aggform = (Form_pg_aggregate) GETSTRUCT(aggTuple); /* Check permission to call aggregate function */ - aclresult = pg_proc_aclcheck(aggref->aggfnoid, GetUserId(), + aclresult = object_aclcheck(ProcedureRelationId, aggref->aggfnoid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_AGGREGATE, @@ -3743,7 +3743,7 @@ ExecInitAgg(Agg *node, EState *estate, int eflags) if (OidIsValid(finalfn_oid)) { - aclresult = pg_proc_aclcheck(finalfn_oid, aggOwner, + aclresult = object_aclcheck(ProcedureRelationId, finalfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, @@ -3752,7 +3752,7 @@ ExecInitAgg(Agg *node, EState *estate, int eflags) } if (OidIsValid(serialfn_oid)) { - aclresult = pg_proc_aclcheck(serialfn_oid, aggOwner, + aclresult = object_aclcheck(ProcedureRelationId, serialfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, @@ -3761,7 +3761,7 @@ ExecInitAgg(Agg *node, EState *estate, int eflags) } if (OidIsValid(deserialfn_oid)) { - aclresult = pg_proc_aclcheck(deserialfn_oid, aggOwner, + aclresult = object_aclcheck(ProcedureRelationId, deserialfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, @@ -3841,7 +3841,7 @@ ExecInitAgg(Agg *node, EState *estate, int eflags) else transfn_oid = aggform->aggtransfn; - aclresult = pg_proc_aclcheck(transfn_oid, aggOwner, ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, transfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(transfn_oid)); diff --git a/src/backend/executor/nodeWindowAgg.c b/src/backend/executor/nodeWindowAgg.c index 1750121c492..81ba024bbaf 100644 --- a/src/backend/executor/nodeWindowAgg.c +++ b/src/backend/executor/nodeWindowAgg.c @@ -2553,7 +2553,7 @@ ExecInitWindowAgg(WindowAgg *node, EState *estate, int eflags) wfuncstate->wfuncno = wfuncno; /* Check permission to call window function */ - aclresult = pg_proc_aclcheck(wfunc->winfnoid, GetUserId(), + aclresult = object_aclcheck(ProcedureRelationId, wfunc->winfnoid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, @@ -2834,7 +2834,7 @@ initialize_peragg(WindowAggState *winstate, WindowFunc *wfunc, aggOwner = ((Form_pg_proc) GETSTRUCT(procTuple))->proowner; ReleaseSysCache(procTuple); - aclresult = pg_proc_aclcheck(transfn_oid, aggOwner, + aclresult = object_aclcheck(ProcedureRelationId, transfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, @@ -2843,7 +2843,7 @@ initialize_peragg(WindowAggState *winstate, WindowFunc *wfunc, if (OidIsValid(invtransfn_oid)) { - aclresult = pg_proc_aclcheck(invtransfn_oid, aggOwner, + aclresult = object_aclcheck(ProcedureRelationId, invtransfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, @@ -2853,7 +2853,7 @@ initialize_peragg(WindowAggState *winstate, WindowFunc *wfunc, if (OidIsValid(finalfn_oid)) { - aclresult = pg_proc_aclcheck(finalfn_oid, aggOwner, + aclresult = object_aclcheck(ProcedureRelationId, finalfn_oid, aggOwner, ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c index 5e791333cbd..317c10c2b9f 100644 --- a/src/backend/optimizer/util/clauses.c +++ b/src/backend/optimizer/util/clauses.c @@ -4436,7 +4436,7 @@ inline_function(Oid funcid, Oid result_type, Oid result_collid, return NULL; /* Check permission to call function (fail later, if not) */ - if (pg_proc_aclcheck(funcid, GetUserId(), ACL_EXECUTE) != ACLCHECK_OK) + if (object_aclcheck(ProcedureRelationId, funcid, GetUserId(), ACL_EXECUTE) != ACLCHECK_OK) return NULL; /* Check whether a plugin wants to hook function entry/exit */ @@ -4978,7 +4978,7 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte) return NULL; /* Check permission to call function (fail later, if not) */ - if (pg_proc_aclcheck(func_oid, GetUserId(), ACL_EXECUTE) != ACLCHECK_OK) + if (object_aclcheck(ProcedureRelationId, func_oid, GetUserId(), ACL_EXECUTE) != ACLCHECK_OK) return NULL; /* Check whether a plugin wants to hook function entry/exit */ diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c index 8140e79d8f1..487eb2041be 100644 --- a/src/backend/parser/parse_utilcmd.c +++ b/src/backend/parser/parse_utilcmd.c @@ -996,7 +996,7 @@ transformTableLikeClause(CreateStmtContext *cxt, TableLikeClause *table_like_cla */ if (relation->rd_rel->relkind == RELKIND_COMPOSITE_TYPE) { - aclresult = pg_type_aclcheck(relation->rd_rel->reltype, GetUserId(), + aclresult = object_aclcheck(TypeRelationId, relation->rd_rel->reltype, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TYPE, diff --git a/src/backend/tcop/fastpath.c b/src/backend/tcop/fastpath.c index d429aa46631..4e6cc0667d3 100644 --- a/src/backend/tcop/fastpath.c +++ b/src/backend/tcop/fastpath.c @@ -20,6 +20,7 @@ #include "access/htup_details.h" #include "access/xact.h" #include "catalog/objectaccess.h" +#include "catalog/pg_namespace.h" #include "catalog/pg_proc.h" #include "libpq/libpq.h" #include "libpq/pqformat.h" @@ -239,13 +240,13 @@ HandleFunctionRequest(StringInfo msgBuf) * Check permission to access and call function. Since we didn't go * through a normal name lookup, we need to check schema usage too. */ - aclresult = pg_namespace_aclcheck(fip->namespace, GetUserId(), ACL_USAGE); + aclresult = object_aclcheck(NamespaceRelationId, fip->namespace, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_SCHEMA, get_namespace_name(fip->namespace)); InvokeNamespaceSearchHook(fip->namespace, true); - aclresult = pg_proc_aclcheck(fid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, fid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(fid)); diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index 0bc79cba2b1..8bdb9461b7f 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -23,7 +23,13 @@ #include "catalog/pg_authid.h" #include "catalog/pg_class.h" #include "catalog/pg_database.h" +#include "catalog/pg_foreign_data_wrapper.h" +#include "catalog/pg_foreign_server.h" +#include "catalog/pg_language.h" +#include "catalog/pg_namespace.h" #include "catalog/pg_parameter_acl.h" +#include "catalog/pg_proc.h" +#include "catalog/pg_tablespace.h" #include "catalog/pg_type.h" #include "commands/dbcommands.h" #include "commands/proclang.h" @@ -2902,7 +2908,7 @@ has_database_privilege_name_name(PG_FUNCTION_ARGS) databaseoid = convert_database_name(databasename); mode = convert_database_priv_string(priv_type_text); - aclresult = pg_database_aclcheck(databaseoid, roleid, mode); + aclresult = object_aclcheck(DatabaseRelationId, databaseoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -2927,7 +2933,7 @@ has_database_privilege_name(PG_FUNCTION_ARGS) databaseoid = convert_database_name(databasename); mode = convert_database_priv_string(priv_type_text); - aclresult = pg_database_aclcheck(databaseoid, roleid, mode); + aclresult = object_aclcheck(DatabaseRelationId, databaseoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -2953,7 +2959,7 @@ has_database_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(DATABASEOID, ObjectIdGetDatum(databaseoid))) PG_RETURN_NULL(); - aclresult = pg_database_aclcheck(databaseoid, roleid, mode); + aclresult = object_aclcheck(DatabaseRelationId, databaseoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -2979,7 +2985,7 @@ has_database_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(DATABASEOID, ObjectIdGetDatum(databaseoid))) PG_RETURN_NULL(); - aclresult = pg_database_aclcheck(databaseoid, roleid, mode); + aclresult = object_aclcheck(DatabaseRelationId, databaseoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3002,7 +3008,7 @@ has_database_privilege_id_name(PG_FUNCTION_ARGS) databaseoid = convert_database_name(databasename); mode = convert_database_priv_string(priv_type_text); - aclresult = pg_database_aclcheck(databaseoid, roleid, mode); + aclresult = object_aclcheck(DatabaseRelationId, databaseoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3026,7 +3032,7 @@ has_database_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(DATABASEOID, ObjectIdGetDatum(databaseoid))) PG_RETURN_NULL(); - aclresult = pg_database_aclcheck(databaseoid, roleid, mode); + aclresult = object_aclcheck(DatabaseRelationId, databaseoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3099,7 +3105,7 @@ has_foreign_data_wrapper_privilege_name_name(PG_FUNCTION_ARGS) fdwid = convert_foreign_data_wrapper_name(fdwname); mode = convert_foreign_data_wrapper_priv_string(priv_type_text); - aclresult = pg_foreign_data_wrapper_aclcheck(fdwid, roleid, mode); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdwid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3124,7 +3130,7 @@ has_foreign_data_wrapper_privilege_name(PG_FUNCTION_ARGS) fdwid = convert_foreign_data_wrapper_name(fdwname); mode = convert_foreign_data_wrapper_priv_string(priv_type_text); - aclresult = pg_foreign_data_wrapper_aclcheck(fdwid, roleid, mode); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdwid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3150,7 +3156,7 @@ has_foreign_data_wrapper_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(FOREIGNDATAWRAPPEROID, ObjectIdGetDatum(fdwid))) PG_RETURN_NULL(); - aclresult = pg_foreign_data_wrapper_aclcheck(fdwid, roleid, mode); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdwid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3176,7 +3182,7 @@ has_foreign_data_wrapper_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(FOREIGNDATAWRAPPEROID, ObjectIdGetDatum(fdwid))) PG_RETURN_NULL(); - aclresult = pg_foreign_data_wrapper_aclcheck(fdwid, roleid, mode); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdwid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3199,7 +3205,7 @@ has_foreign_data_wrapper_privilege_id_name(PG_FUNCTION_ARGS) fdwid = convert_foreign_data_wrapper_name(fdwname); mode = convert_foreign_data_wrapper_priv_string(priv_type_text); - aclresult = pg_foreign_data_wrapper_aclcheck(fdwid, roleid, mode); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdwid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3223,7 +3229,7 @@ has_foreign_data_wrapper_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(FOREIGNDATAWRAPPEROID, ObjectIdGetDatum(fdwid))) PG_RETURN_NULL(); - aclresult = pg_foreign_data_wrapper_aclcheck(fdwid, roleid, mode); + aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdwid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3290,7 +3296,7 @@ has_function_privilege_name_name(PG_FUNCTION_ARGS) functionoid = convert_function_name(functionname); mode = convert_function_priv_string(priv_type_text); - aclresult = pg_proc_aclcheck(functionoid, roleid, mode); + aclresult = object_aclcheck(ProcedureRelationId, functionoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3315,7 +3321,7 @@ has_function_privilege_name(PG_FUNCTION_ARGS) functionoid = convert_function_name(functionname); mode = convert_function_priv_string(priv_type_text); - aclresult = pg_proc_aclcheck(functionoid, roleid, mode); + aclresult = object_aclcheck(ProcedureRelationId, functionoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3341,7 +3347,7 @@ has_function_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(PROCOID, ObjectIdGetDatum(functionoid))) PG_RETURN_NULL(); - aclresult = pg_proc_aclcheck(functionoid, roleid, mode); + aclresult = object_aclcheck(ProcedureRelationId, functionoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3367,7 +3373,7 @@ has_function_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(PROCOID, ObjectIdGetDatum(functionoid))) PG_RETURN_NULL(); - aclresult = pg_proc_aclcheck(functionoid, roleid, mode); + aclresult = object_aclcheck(ProcedureRelationId, functionoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3390,7 +3396,7 @@ has_function_privilege_id_name(PG_FUNCTION_ARGS) functionoid = convert_function_name(functionname); mode = convert_function_priv_string(priv_type_text); - aclresult = pg_proc_aclcheck(functionoid, roleid, mode); + aclresult = object_aclcheck(ProcedureRelationId, functionoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3414,7 +3420,7 @@ has_function_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(PROCOID, ObjectIdGetDatum(functionoid))) PG_RETURN_NULL(); - aclresult = pg_proc_aclcheck(functionoid, roleid, mode); + aclresult = object_aclcheck(ProcedureRelationId, functionoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3490,7 +3496,7 @@ has_language_privilege_name_name(PG_FUNCTION_ARGS) languageoid = convert_language_name(languagename); mode = convert_language_priv_string(priv_type_text); - aclresult = pg_language_aclcheck(languageoid, roleid, mode); + aclresult = object_aclcheck(LanguageRelationId, languageoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3515,7 +3521,7 @@ has_language_privilege_name(PG_FUNCTION_ARGS) languageoid = convert_language_name(languagename); mode = convert_language_priv_string(priv_type_text); - aclresult = pg_language_aclcheck(languageoid, roleid, mode); + aclresult = object_aclcheck(LanguageRelationId, languageoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3541,7 +3547,7 @@ has_language_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(LANGOID, ObjectIdGetDatum(languageoid))) PG_RETURN_NULL(); - aclresult = pg_language_aclcheck(languageoid, roleid, mode); + aclresult = object_aclcheck(LanguageRelationId, languageoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3567,7 +3573,7 @@ has_language_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(LANGOID, ObjectIdGetDatum(languageoid))) PG_RETURN_NULL(); - aclresult = pg_language_aclcheck(languageoid, roleid, mode); + aclresult = object_aclcheck(LanguageRelationId, languageoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3590,7 +3596,7 @@ has_language_privilege_id_name(PG_FUNCTION_ARGS) languageoid = convert_language_name(languagename); mode = convert_language_priv_string(priv_type_text); - aclresult = pg_language_aclcheck(languageoid, roleid, mode); + aclresult = object_aclcheck(LanguageRelationId, languageoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3614,7 +3620,7 @@ has_language_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(LANGOID, ObjectIdGetDatum(languageoid))) PG_RETURN_NULL(); - aclresult = pg_language_aclcheck(languageoid, roleid, mode); + aclresult = object_aclcheck(LanguageRelationId, languageoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3681,7 +3687,7 @@ has_schema_privilege_name_name(PG_FUNCTION_ARGS) schemaoid = convert_schema_name(schemaname); mode = convert_schema_priv_string(priv_type_text); - aclresult = pg_namespace_aclcheck(schemaoid, roleid, mode); + aclresult = object_aclcheck(NamespaceRelationId, schemaoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3706,7 +3712,7 @@ has_schema_privilege_name(PG_FUNCTION_ARGS) schemaoid = convert_schema_name(schemaname); mode = convert_schema_priv_string(priv_type_text); - aclresult = pg_namespace_aclcheck(schemaoid, roleid, mode); + aclresult = object_aclcheck(NamespaceRelationId, schemaoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3732,7 +3738,7 @@ has_schema_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(NAMESPACEOID, ObjectIdGetDatum(schemaoid))) PG_RETURN_NULL(); - aclresult = pg_namespace_aclcheck(schemaoid, roleid, mode); + aclresult = object_aclcheck(NamespaceRelationId, schemaoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3758,7 +3764,7 @@ has_schema_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(NAMESPACEOID, ObjectIdGetDatum(schemaoid))) PG_RETURN_NULL(); - aclresult = pg_namespace_aclcheck(schemaoid, roleid, mode); + aclresult = object_aclcheck(NamespaceRelationId, schemaoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3781,7 +3787,7 @@ has_schema_privilege_id_name(PG_FUNCTION_ARGS) schemaoid = convert_schema_name(schemaname); mode = convert_schema_priv_string(priv_type_text); - aclresult = pg_namespace_aclcheck(schemaoid, roleid, mode); + aclresult = object_aclcheck(NamespaceRelationId, schemaoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3805,7 +3811,7 @@ has_schema_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(NAMESPACEOID, ObjectIdGetDatum(schemaoid))) PG_RETURN_NULL(); - aclresult = pg_namespace_aclcheck(schemaoid, roleid, mode); + aclresult = object_aclcheck(NamespaceRelationId, schemaoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3874,7 +3880,7 @@ has_server_privilege_name_name(PG_FUNCTION_ARGS) serverid = convert_server_name(servername); mode = convert_server_priv_string(priv_type_text); - aclresult = pg_foreign_server_aclcheck(serverid, roleid, mode); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3899,7 +3905,7 @@ has_server_privilege_name(PG_FUNCTION_ARGS) serverid = convert_server_name(servername); mode = convert_server_priv_string(priv_type_text); - aclresult = pg_foreign_server_aclcheck(serverid, roleid, mode); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3925,7 +3931,7 @@ has_server_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(FOREIGNSERVEROID, ObjectIdGetDatum(serverid))) PG_RETURN_NULL(); - aclresult = pg_foreign_server_aclcheck(serverid, roleid, mode); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3951,7 +3957,7 @@ has_server_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(FOREIGNSERVEROID, ObjectIdGetDatum(serverid))) PG_RETURN_NULL(); - aclresult = pg_foreign_server_aclcheck(serverid, roleid, mode); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3974,7 +3980,7 @@ has_server_privilege_id_name(PG_FUNCTION_ARGS) serverid = convert_server_name(servername); mode = convert_server_priv_string(priv_type_text); - aclresult = pg_foreign_server_aclcheck(serverid, roleid, mode); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -3998,7 +4004,7 @@ has_server_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(FOREIGNSERVEROID, ObjectIdGetDatum(serverid))) PG_RETURN_NULL(); - aclresult = pg_foreign_server_aclcheck(serverid, roleid, mode); + aclresult = object_aclcheck(ForeignServerRelationId, serverid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4065,7 +4071,7 @@ has_tablespace_privilege_name_name(PG_FUNCTION_ARGS) tablespaceoid = convert_tablespace_name(tablespacename); mode = convert_tablespace_priv_string(priv_type_text); - aclresult = pg_tablespace_aclcheck(tablespaceoid, roleid, mode); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4090,7 +4096,7 @@ has_tablespace_privilege_name(PG_FUNCTION_ARGS) tablespaceoid = convert_tablespace_name(tablespacename); mode = convert_tablespace_priv_string(priv_type_text); - aclresult = pg_tablespace_aclcheck(tablespaceoid, roleid, mode); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4116,7 +4122,7 @@ has_tablespace_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(TABLESPACEOID, ObjectIdGetDatum(tablespaceoid))) PG_RETURN_NULL(); - aclresult = pg_tablespace_aclcheck(tablespaceoid, roleid, mode); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4142,7 +4148,7 @@ has_tablespace_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(TABLESPACEOID, ObjectIdGetDatum(tablespaceoid))) PG_RETURN_NULL(); - aclresult = pg_tablespace_aclcheck(tablespaceoid, roleid, mode); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4165,7 +4171,7 @@ has_tablespace_privilege_id_name(PG_FUNCTION_ARGS) tablespaceoid = convert_tablespace_name(tablespacename); mode = convert_tablespace_priv_string(priv_type_text); - aclresult = pg_tablespace_aclcheck(tablespaceoid, roleid, mode); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4189,7 +4195,7 @@ has_tablespace_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(TABLESPACEOID, ObjectIdGetDatum(tablespaceoid))) PG_RETURN_NULL(); - aclresult = pg_tablespace_aclcheck(tablespaceoid, roleid, mode); + aclresult = object_aclcheck(TableSpaceRelationId, tablespaceoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4255,7 +4261,7 @@ has_type_privilege_name_name(PG_FUNCTION_ARGS) typeoid = convert_type_name(typename); mode = convert_type_priv_string(priv_type_text); - aclresult = pg_type_aclcheck(typeoid, roleid, mode); + aclresult = object_aclcheck(TypeRelationId, typeoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4280,7 +4286,7 @@ has_type_privilege_name(PG_FUNCTION_ARGS) typeoid = convert_type_name(typename); mode = convert_type_priv_string(priv_type_text); - aclresult = pg_type_aclcheck(typeoid, roleid, mode); + aclresult = object_aclcheck(TypeRelationId, typeoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4306,7 +4312,7 @@ has_type_privilege_name_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(TYPEOID, ObjectIdGetDatum(typeoid))) PG_RETURN_NULL(); - aclresult = pg_type_aclcheck(typeoid, roleid, mode); + aclresult = object_aclcheck(TypeRelationId, typeoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4332,7 +4338,7 @@ has_type_privilege_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(TYPEOID, ObjectIdGetDatum(typeoid))) PG_RETURN_NULL(); - aclresult = pg_type_aclcheck(typeoid, roleid, mode); + aclresult = object_aclcheck(TypeRelationId, typeoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4355,7 +4361,7 @@ has_type_privilege_id_name(PG_FUNCTION_ARGS) typeoid = convert_type_name(typename); mode = convert_type_priv_string(priv_type_text); - aclresult = pg_type_aclcheck(typeoid, roleid, mode); + aclresult = object_aclcheck(TypeRelationId, typeoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } @@ -4379,7 +4385,7 @@ has_type_privilege_id_id(PG_FUNCTION_ARGS) if (!SearchSysCacheExists1(TYPEOID, ObjectIdGetDatum(typeoid))) PG_RETURN_NULL(); - aclresult = pg_type_aclcheck(typeoid, roleid, mode); + aclresult = object_aclcheck(TypeRelationId, typeoid, roleid, mode); PG_RETURN_BOOL(aclresult == ACLCHECK_OK); } diff --git a/src/backend/utils/adt/dbsize.c b/src/backend/utils/adt/dbsize.c index 0a9b93f2634..141db7c9c1c 100644 --- a/src/backend/utils/adt/dbsize.c +++ b/src/backend/utils/adt/dbsize.c @@ -18,6 +18,7 @@ #include "catalog/catalog.h" #include "catalog/namespace.h" #include "catalog/pg_authid.h" +#include "catalog/pg_database.h" #include "catalog/pg_tablespace.h" #include "commands/dbcommands.h" #include "commands/tablespace.h" @@ -115,7 +116,7 @@ calculate_database_size(Oid dbOid) * User must have connect privilege for target database or have privileges * of pg_read_all_stats */ - aclresult = pg_database_aclcheck(dbOid, GetUserId(), ACL_CONNECT); + aclresult = object_aclcheck(DatabaseRelationId, dbOid, GetUserId(), ACL_CONNECT); if (aclresult != ACLCHECK_OK && !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { @@ -203,7 +204,7 @@ calculate_tablespace_size(Oid tblspcOid) if (tblspcOid != MyDatabaseTableSpace && !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { - aclresult = pg_tablespace_aclcheck(tblspcOid, GetUserId(), ACL_CREATE); + aclresult = object_aclcheck(TableSpaceRelationId, tblspcOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_TABLESPACE, get_tablespace_name(tblspcOid)); diff --git a/src/backend/utils/fmgr/fmgr.c b/src/backend/utils/fmgr/fmgr.c index a9dd068095b..3c210297aa1 100644 --- a/src/backend/utils/fmgr/fmgr.c +++ b/src/backend/utils/fmgr/fmgr.c @@ -2054,7 +2054,7 @@ CheckFunctionValidatorAccess(Oid validatorOid, Oid functionOid) langStruct->lanvalidator))); /* first validate that we have permissions to use the language */ - aclresult = pg_language_aclcheck(procStruct->prolang, GetUserId(), + aclresult = object_aclcheck(LanguageRelationId, procStruct->prolang, GetUserId(), ACL_USAGE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_LANGUAGE, @@ -2065,7 +2065,7 @@ CheckFunctionValidatorAccess(Oid validatorOid, Oid functionOid) * execute it, there should be no possible side-effect of * compiling/validation that execution can't have. */ - aclresult = pg_proc_aclcheck(functionOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, functionOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, NameStr(procStruct->proname)); diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c index 31b7e1de5df..a990c833c5b 100644 --- a/src/backend/utils/init/postinit.c +++ b/src/backend/utils/init/postinit.c @@ -359,7 +359,7 @@ CheckMyDatabase(const char *name, bool am_superuser, bool override_allow_connect * and save a few cycles.) */ if (!am_superuser && - pg_database_aclcheck(MyDatabaseId, GetUserId(), + object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CONNECT) != ACLCHECK_OK) ereport(FATAL, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h index 79eff597689..35b3d8dd88b 100644 --- a/src/include/utils/acl.h +++ b/src/include/utils/acl.h @@ -235,39 +235,13 @@ extern void ExecAlterDefaultPrivilegesStmt(ParseState *pstate, AlterDefaultPrivi extern void RemoveRoleFromObjectACL(Oid roleid, Oid classid, Oid objid); -extern AclMode pg_attribute_aclmask(Oid table_oid, AttrNumber attnum, - Oid roleid, AclMode mask, AclMaskHow how); -extern AclMode pg_attribute_aclmask_ext(Oid table_oid, AttrNumber attnum, - Oid roleid, AclMode mask, - AclMaskHow how, bool *is_missing); extern AclMode pg_class_aclmask(Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how); -extern AclMode pg_class_aclmask_ext(Oid table_oid, Oid roleid, - AclMode mask, AclMaskHow how, - bool *is_missing); -extern AclMode pg_database_aclmask(Oid db_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_parameter_aclmask(const char *name, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_parameter_acl_aclmask(Oid acl_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_proc_aclmask(Oid proc_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_language_aclmask(Oid lang_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_largeobject_aclmask_snapshot(Oid lobj_oid, Oid roleid, - AclMode mask, AclMaskHow how, Snapshot snapshot); -extern AclMode pg_namespace_aclmask(Oid nsp_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_tablespace_aclmask(Oid spc_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_foreign_data_wrapper_aclmask(Oid fdw_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_foreign_server_aclmask(Oid srv_oid, Oid roleid, - AclMode mask, AclMaskHow how); -extern AclMode pg_type_aclmask(Oid type_oid, Oid roleid, - AclMode mask, AclMaskHow how); +/* generic function */ +extern AclResult object_aclcheck(Oid classid, Oid objectid, Oid roleid, AclMode mode); + +/* special cases */ extern AclResult pg_attribute_aclcheck(Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mode); extern AclResult pg_attribute_aclcheck_ext(Oid table_oid, AttrNumber attnum, @@ -278,20 +252,10 @@ extern AclResult pg_attribute_aclcheck_all(Oid table_oid, Oid roleid, extern AclResult pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode); extern AclResult pg_class_aclcheck_ext(Oid table_oid, Oid roleid, AclMode mode, bool *is_missing); -extern AclResult pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode); extern AclResult pg_parameter_aclcheck(const char *name, Oid roleid, AclMode mode); -extern AclResult pg_parameter_acl_aclcheck(Oid acl_oid, Oid roleid, - AclMode mode); -extern AclResult pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode); -extern AclResult pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode); extern AclResult pg_largeobject_aclcheck_snapshot(Oid lobj_oid, Oid roleid, AclMode mode, Snapshot snapshot); -extern AclResult pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode); -extern AclResult pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode); -extern AclResult pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode); -extern AclResult pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode); -extern AclResult pg_type_aclcheck(Oid type_oid, Oid roleid, AclMode mode); extern void aclcheck_error(AclResult aclerr, ObjectType objtype, const char *objectname); diff --git a/src/pl/tcl/pltcl.c b/src/pl/tcl/pltcl.c index eaa98d42c2e..4185fb12210 100644 --- a/src/pl/tcl/pltcl.c +++ b/src/pl/tcl/pltcl.c @@ -619,7 +619,7 @@ call_pltcl_start_proc(Oid prolang, bool pltrusted) procOid = LookupFuncName(namelist, 0, NULL, false); /* Current user must have permission to call function */ - aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE); + aclresult = object_aclcheck(ProcedureRelationId, procOid, GetUserId(), ACL_EXECUTE); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, OBJECT_FUNCTION, start_proc);