mirror of
https://github.com/postgres/postgres.git
synced 2025-09-03 15:22:11 +03:00
Refactor aclcheck functions
Instead of dozens of mostly-duplicate pg_foo_aclcheck() functions, write one common function object_aclcheck() that can handle almost all of them. We already have all the information we need, such as which system catalog corresponds to which catalog table and which column is the ACL column. There are a few pg_foo_aclcheck() that don't work via the generic function and have special APIs, so those stay as is. I also changed most pg_foo_aclmask() functions to static functions, since they are not used outside of aclchk.c. Reviewed-by: Corey Huinker <corey.huinker@gmail.com> Reviewed-by: Antonin Houska <ah@cybertec.at> Discussion: https://www.postgresql.org/message-id/flat/95c30f96-4060-2f48-98b5-a4392d3b6066@enterprisedb.com
This commit is contained in:
Peter Eisentraut
@@ -25,6 +25,7 @@
|
||||
#include "access/htup_details.h"
|
||||
#include "catalog/dependency.h"
|
||||
#include "catalog/pg_aggregate.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
#include "catalog/pg_proc.h"
|
||||
#include "catalog/pg_type.h"
|
||||
#include "commands/alter.h"
|
||||
@@ -104,7 +105,7 @@ DefineAggregate(ParseState *pstate,
|
||||
aggNamespace = QualifiedNameGetCreationNamespace(name, &aggName);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(aggNamespace, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, aggNamespace, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(aggNamespace));
|
||||
|
||||
@@ -228,7 +228,7 @@ AlterObjectRename_internal(Relation rel, Oid objectId, const char *new_name)
|
||||
/* User must have CREATE privilege on the namespace */
|
||||
if (OidIsValid(namespaceId))
|
||||
{
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
@@ -757,7 +757,7 @@ AlterObjectNamespace_internal(Relation rel, Oid objid, Oid nspOid)
|
||||
NameStr(*(DatumGetName(name))));
|
||||
|
||||
/* User must have CREATE privilege on new namespace */
|
||||
aclresult = pg_namespace_aclcheck(nspOid, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, nspOid, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(nspOid));
|
||||
@@ -1006,7 +1006,7 @@ AlterObjectOwner_internal(Relation rel, Oid objectId, Oid new_ownerId)
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, new_ownerId,
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceId, new_ownerId,
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "catalog/objectaccess.h"
|
||||
#include "catalog/pg_collation.h"
|
||||
#include "catalog/pg_database.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
#include "commands/alter.h"
|
||||
#include "commands/collationcmds.h"
|
||||
#include "commands/comment.h"
|
||||
@@ -76,7 +77,7 @@ DefineCollation(ParseState *pstate, List *names, List *parameters, bool if_not_e
|
||||
|
||||
collNamespace = QualifiedNameGetCreationNamespace(names, &collName);
|
||||
|
||||
aclresult = pg_namespace_aclcheck(collNamespace, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, collNamespace, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(collNamespace));
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
#include "catalog/dependency.h"
|
||||
#include "catalog/indexing.h"
|
||||
#include "catalog/pg_conversion.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
#include "catalog/pg_proc.h"
|
||||
#include "catalog/pg_type.h"
|
||||
#include "commands/alter.h"
|
||||
#include "commands/conversioncmds.h"
|
||||
@@ -54,7 +56,7 @@ CreateConversionCommand(CreateConversionStmt *stmt)
|
||||
&conversion_name);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(namespaceId));
|
||||
@@ -101,7 +103,7 @@ CreateConversionCommand(CreateConversionStmt *stmt)
|
||||
NameListToString(func_name), "integer")));
|
||||
|
||||
/* Check we have EXECUTE rights for the function */
|
||||
aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, funcoid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION,
|
||||
NameListToString(func_name));
|
||||
|
||||
@@ -1164,7 +1164,7 @@ createdb(ParseState *pstate, const CreatedbStmt *stmt)
|
||||
tablespacename = defGetString(dtablespacename);
|
||||
dst_deftablespace = get_tablespace_oid(tablespacename, false);
|
||||
/* check permissions */
|
||||
aclresult = pg_tablespace_aclcheck(dst_deftablespace, GetUserId(),
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, dst_deftablespace, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
@@ -1874,7 +1874,7 @@ movedb(const char *dbname, const char *tblspcname)
|
||||
/*
|
||||
* Permission checks
|
||||
*/
|
||||
aclresult = pg_tablespace_aclcheck(dst_tblspcoid, GetUserId(),
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, dst_tblspcoid, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
|
||||
@@ -42,6 +42,7 @@
|
||||
#include "catalog/objectaccess.h"
|
||||
#include "catalog/pg_authid.h"
|
||||
#include "catalog/pg_collation.h"
|
||||
#include "catalog/pg_database.h"
|
||||
#include "catalog/pg_depend.h"
|
||||
#include "catalog/pg_extension.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
@@ -832,7 +833,7 @@ extension_is_trusted(ExtensionControlFile *control)
|
||||
if (!control->trusted)
|
||||
return false;
|
||||
/* Allow if user has CREATE privilege on current database */
|
||||
aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE);
|
||||
if (aclresult == ACLCHECK_OK)
|
||||
return true;
|
||||
return false;
|
||||
@@ -2732,7 +2733,7 @@ AlterExtensionNamespace(const char *extensionName, const char *newschema, Oid *o
|
||||
extensionName);
|
||||
|
||||
/* Permission check: must have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(nspOid, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, nspOid, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA, newschema);
|
||||
|
||||
|
||||
@@ -366,7 +366,7 @@ AlterForeignServerOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId)
|
||||
check_is_member_of_role(GetUserId(), newOwnerId);
|
||||
|
||||
/* New owner must have USAGE privilege on foreign-data wrapper */
|
||||
aclresult = pg_foreign_data_wrapper_aclcheck(form->srvfdw, newOwnerId, ACL_USAGE);
|
||||
aclresult = object_aclcheck(ForeignDataWrapperRelationId, form->srvfdw, newOwnerId, ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
{
|
||||
ForeignDataWrapper *fdw = GetForeignDataWrapper(form->srvfdw);
|
||||
@@ -891,7 +891,7 @@ CreateForeignServer(CreateForeignServerStmt *stmt)
|
||||
*/
|
||||
fdw = GetForeignDataWrapperByName(stmt->fdwname, false);
|
||||
|
||||
aclresult = pg_foreign_data_wrapper_aclcheck(fdw->fdwid, ownerId, ACL_USAGE);
|
||||
aclresult = object_aclcheck(ForeignDataWrapperRelationId, fdw->fdwid, ownerId, ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FDW, fdw->fdwname);
|
||||
|
||||
@@ -1082,7 +1082,7 @@ user_mapping_ddl_aclcheck(Oid umuserid, Oid serverid, const char *servername)
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_foreign_server_aclcheck(serverid, curuserid, ACL_USAGE);
|
||||
aclresult = object_aclcheck(ForeignServerRelationId, serverid, curuserid, ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, servername);
|
||||
}
|
||||
@@ -1433,7 +1433,7 @@ CreateForeignTable(CreateForeignTableStmt *stmt, Oid relid)
|
||||
* get the actual FDW for option validation etc.
|
||||
*/
|
||||
server = GetForeignServerByName(stmt->servername, false);
|
||||
aclresult = pg_foreign_server_aclcheck(server->serverid, ownerId, ACL_USAGE);
|
||||
aclresult = object_aclcheck(ForeignServerRelationId, server->serverid, ownerId, ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, server->servername);
|
||||
|
||||
@@ -1492,7 +1492,7 @@ ImportForeignSchema(ImportForeignSchemaStmt *stmt)
|
||||
|
||||
/* Check that the foreign server exists and that we have USAGE on it */
|
||||
server = GetForeignServerByName(stmt->server_name, false);
|
||||
aclresult = pg_foreign_server_aclcheck(server->serverid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(ForeignServerRelationId, server->serverid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FOREIGN_SERVER, server->servername);
|
||||
|
||||
|
||||
@@ -150,7 +150,7 @@ compute_return_type(TypeName *returnType, Oid languageOid,
|
||||
errdetail("Creating a shell type definition.")));
|
||||
namespaceId = QualifiedNameGetCreationNamespace(returnType->names,
|
||||
&typname);
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
@@ -160,7 +160,7 @@ compute_return_type(TypeName *returnType, Oid languageOid,
|
||||
Assert(OidIsValid(rettype));
|
||||
}
|
||||
|
||||
aclresult = pg_type_aclcheck(rettype, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, rettype, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, rettype);
|
||||
|
||||
@@ -272,7 +272,7 @@ interpret_function_parameter_list(ParseState *pstate,
|
||||
toid = InvalidOid; /* keep compiler quiet */
|
||||
}
|
||||
|
||||
aclresult = pg_type_aclcheck(toid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, toid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, toid);
|
||||
|
||||
@@ -1057,7 +1057,7 @@ CreateFunction(ParseState *pstate, CreateFunctionStmt *stmt)
|
||||
&funcname);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceId, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(namespaceId));
|
||||
@@ -1111,7 +1111,7 @@ CreateFunction(ParseState *pstate, CreateFunctionStmt *stmt)
|
||||
if (languageStruct->lanpltrusted)
|
||||
{
|
||||
/* if trusted language, need USAGE privilege */
|
||||
aclresult = pg_language_aclcheck(languageOid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(LanguageRelationId, languageOid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_LANGUAGE,
|
||||
NameStr(languageStruct->lanname));
|
||||
@@ -1562,11 +1562,11 @@ CreateCast(CreateCastStmt *stmt)
|
||||
format_type_be(sourcetypeid),
|
||||
format_type_be(targettypeid))));
|
||||
|
||||
aclresult = pg_type_aclcheck(sourcetypeid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, sourcetypeid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, sourcetypeid);
|
||||
|
||||
aclresult = pg_type_aclcheck(targettypeid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, targettypeid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, targettypeid);
|
||||
|
||||
@@ -1841,7 +1841,7 @@ CreateTransform(CreateTransformStmt *stmt)
|
||||
if (!object_ownercheck(TypeRelationId, typeid, GetUserId()))
|
||||
aclcheck_error_type(ACLCHECK_NOT_OWNER, typeid);
|
||||
|
||||
aclresult = pg_type_aclcheck(typeid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, typeid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, typeid);
|
||||
|
||||
@@ -1850,7 +1850,7 @@ CreateTransform(CreateTransformStmt *stmt)
|
||||
*/
|
||||
langid = get_language_oid(stmt->lang, false);
|
||||
|
||||
aclresult = pg_language_aclcheck(langid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(LanguageRelationId, langid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_LANGUAGE, stmt->lang);
|
||||
|
||||
@@ -1864,7 +1864,7 @@ CreateTransform(CreateTransformStmt *stmt)
|
||||
if (!object_ownercheck(ProcedureRelationId, fromsqlfuncid, GetUserId()))
|
||||
aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_FUNCTION, NameListToString(stmt->fromsql->objname));
|
||||
|
||||
aclresult = pg_proc_aclcheck(fromsqlfuncid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, fromsqlfuncid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(stmt->fromsql->objname));
|
||||
|
||||
@@ -1890,7 +1890,7 @@ CreateTransform(CreateTransformStmt *stmt)
|
||||
if (!object_ownercheck(ProcedureRelationId, tosqlfuncid, GetUserId()))
|
||||
aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_FUNCTION, NameListToString(stmt->tosql->objname));
|
||||
|
||||
aclresult = pg_proc_aclcheck(tosqlfuncid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, tosqlfuncid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION, NameListToString(stmt->tosql->objname));
|
||||
|
||||
@@ -2116,7 +2116,7 @@ ExecuteDoStmt(ParseState *pstate, DoStmt *stmt, bool atomic)
|
||||
/* if trusted language, need USAGE privilege */
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_language_aclcheck(codeblock->langOid, GetUserId(),
|
||||
aclresult = object_aclcheck(LanguageRelationId, codeblock->langOid, GetUserId(),
|
||||
ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_LANGUAGE,
|
||||
@@ -2193,7 +2193,7 @@ ExecuteCallStmt(CallStmt *stmt, ParamListInfo params, bool atomic, DestReceiver
|
||||
Assert(fexpr);
|
||||
Assert(IsA(fexpr, FuncExpr));
|
||||
|
||||
aclresult = pg_proc_aclcheck(fexpr->funcid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, fexpr->funcid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_PROCEDURE, get_func_name(fexpr->funcid));
|
||||
|
||||
|
||||
@@ -742,7 +742,7 @@ DefineIndex(Oid relationId,
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_namespace_aclcheck(namespaceId, root_save_userid,
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceId, root_save_userid,
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
@@ -774,7 +774,7 @@ DefineIndex(Oid relationId,
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_tablespace_aclcheck(tablespaceId, root_save_userid,
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, tablespaceId, root_save_userid,
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
@@ -2648,7 +2648,7 @@ ExecReindex(ParseState *pstate, ReindexStmt *stmt, bool isTopLevel)
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_tablespace_aclcheck(params.tablespaceOid,
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, params.tablespaceOid,
|
||||
GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
@@ -3245,7 +3245,7 @@ ReindexMultipleInternal(List *relids, ReindexParams *params)
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_tablespace_aclcheck(params->tablespaceOid,
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, params->tablespaceOid,
|
||||
GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
|
||||
@@ -362,7 +362,7 @@ DefineOpClass(CreateOpClassStmt *stmt)
|
||||
&opcname);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(namespaceoid));
|
||||
@@ -781,7 +781,7 @@ DefineOpFamily(CreateOpFamilyStmt *stmt)
|
||||
&opfname);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(namespaceoid));
|
||||
|
||||
@@ -36,7 +36,9 @@
|
||||
#include "catalog/dependency.h"
|
||||
#include "catalog/indexing.h"
|
||||
#include "catalog/objectaccess.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
#include "catalog/pg_operator.h"
|
||||
#include "catalog/pg_proc.h"
|
||||
#include "catalog/pg_type.h"
|
||||
#include "commands/alter.h"
|
||||
#include "commands/defrem.h"
|
||||
@@ -90,7 +92,7 @@ DefineOperator(List *names, List *parameters)
|
||||
oprNamespace = QualifiedNameGetCreationNamespace(names, &oprName);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(oprNamespace, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, oprNamespace, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(oprNamespace));
|
||||
@@ -187,14 +189,14 @@ DefineOperator(List *names, List *parameters)
|
||||
|
||||
if (typeName1)
|
||||
{
|
||||
aclresult = pg_type_aclcheck(typeId1, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, typeId1, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, typeId1);
|
||||
}
|
||||
|
||||
if (typeName2)
|
||||
{
|
||||
aclresult = pg_type_aclcheck(typeId2, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, typeId2, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, typeId2);
|
||||
}
|
||||
@@ -225,13 +227,13 @@ DefineOperator(List *names, List *parameters)
|
||||
* necessary, since EXECUTE will be checked at any attempted use of the
|
||||
* operator, but it seems like a good idea anyway.
|
||||
*/
|
||||
aclresult = pg_proc_aclcheck(functionOid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, functionOid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION,
|
||||
NameListToString(functionName));
|
||||
|
||||
rettype = get_func_rettype(functionOid);
|
||||
aclresult = pg_type_aclcheck(rettype, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, rettype, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, rettype);
|
||||
|
||||
@@ -291,7 +293,7 @@ ValidateRestrictionEstimator(List *restrictionName)
|
||||
NameListToString(restrictionName), "float8")));
|
||||
|
||||
/* Require EXECUTE rights for the estimator */
|
||||
aclresult = pg_proc_aclcheck(restrictionOid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, restrictionOid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION,
|
||||
NameListToString(restrictionName));
|
||||
@@ -349,7 +351,7 @@ ValidateJoinEstimator(List *joinName)
|
||||
NameListToString(joinName), "float8")));
|
||||
|
||||
/* Require EXECUTE rights for the estimator */
|
||||
aclresult = pg_proc_aclcheck(joinOid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, joinOid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION,
|
||||
NameListToString(joinName));
|
||||
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "catalog/objectaccess.h"
|
||||
#include "catalog/objectaddress.h"
|
||||
#include "catalog/partition.h"
|
||||
#include "catalog/pg_database.h"
|
||||
#include "catalog/pg_inherits.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
#include "catalog/pg_proc.h"
|
||||
@@ -748,7 +749,7 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt)
|
||||
List *schemaidlist = NIL;
|
||||
|
||||
/* must have CREATE privilege on database */
|
||||
aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_DATABASE,
|
||||
get_database_name(MyDatabaseId));
|
||||
@@ -1913,7 +1914,7 @@ AlterPublicationOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId)
|
||||
check_is_member_of_role(GetUserId(), newOwnerId);
|
||||
|
||||
/* New owner must have CREATE privilege on database */
|
||||
aclresult = pg_database_aclcheck(MyDatabaseId, newOwnerId, ACL_CREATE);
|
||||
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, newOwnerId, ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_DATABASE,
|
||||
get_database_name(MyDatabaseId));
|
||||
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "catalog/namespace.h"
|
||||
#include "catalog/objectaccess.h"
|
||||
#include "catalog/pg_authid.h"
|
||||
#include "catalog/pg_database.h"
|
||||
#include "catalog/pg_namespace.h"
|
||||
#include "commands/dbcommands.h"
|
||||
#include "commands/event_trigger.h"
|
||||
@@ -91,7 +92,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
|
||||
* The latter provision guards against "giveaway" attacks. Note that a
|
||||
* superuser will always have both of these privileges a fortiori.
|
||||
*/
|
||||
aclresult = pg_database_aclcheck(MyDatabaseId, saved_uid, ACL_CREATE);
|
||||
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, saved_uid, ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_DATABASE,
|
||||
get_database_name(MyDatabaseId));
|
||||
@@ -259,7 +260,7 @@ RenameSchema(const char *oldname, const char *newname)
|
||||
oldname);
|
||||
|
||||
/* must have CREATE privilege on database */
|
||||
aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_DATABASE,
|
||||
get_database_name(MyDatabaseId));
|
||||
@@ -380,7 +381,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
|
||||
* schemas. Because superusers will always have this right, we need
|
||||
* no special case for them.
|
||||
*/
|
||||
aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(),
|
||||
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_DATABASE,
|
||||
|
||||
@@ -804,7 +804,7 @@ DefineRelation(CreateStmt *stmt, char relkind, Oid ownerId,
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(),
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, tablespaceId, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
@@ -845,7 +845,7 @@ DefineRelation(CreateStmt *stmt, char relkind, Oid ownerId,
|
||||
|
||||
ofTypeId = typenameTypeId(NULL, stmt->ofTypename);
|
||||
|
||||
aclresult = pg_type_aclcheck(ofTypeId, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, ofTypeId, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, ofTypeId);
|
||||
}
|
||||
@@ -6830,7 +6830,7 @@ ATExecAddColumn(List **wqueue, AlteredTableInfo *tab, Relation rel,
|
||||
tform = (Form_pg_type) GETSTRUCT(typeTuple);
|
||||
typeOid = tform->oid;
|
||||
|
||||
aclresult = pg_type_aclcheck(typeOid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, typeOid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, typeOid);
|
||||
|
||||
@@ -12164,7 +12164,7 @@ ATPrepAlterColumnType(List **wqueue,
|
||||
/* Look up the target type */
|
||||
typenameTypeIdAndMod(NULL, typeName, &targettype, &targettypmod);
|
||||
|
||||
aclresult = pg_type_aclcheck(targettype, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, targettype, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, targettype);
|
||||
|
||||
@@ -13836,7 +13836,7 @@ ATExecChangeOwner(Oid relationOid, Oid newOwnerId, bool recursing, LOCKMODE lock
|
||||
check_is_member_of_role(GetUserId(), newOwnerId);
|
||||
|
||||
/* New owner must have CREATE privilege on namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceOid, newOwnerId,
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceOid, newOwnerId,
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
@@ -14152,7 +14152,7 @@ ATPrepSetTableSpace(AlteredTableInfo *tab, Relation rel, const char *tablespacen
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, tablespaceId, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE, tablespacename);
|
||||
}
|
||||
@@ -14545,7 +14545,7 @@ AlterTableMoveAll(AlterTableMoveAllStmt *stmt)
|
||||
{
|
||||
AclResult aclresult;
|
||||
|
||||
aclresult = pg_tablespace_aclcheck(new_tablespaceoid, GetUserId(),
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, new_tablespaceoid, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_TABLESPACE,
|
||||
@@ -17052,7 +17052,7 @@ RangeVarCallbackForAlterRelation(const RangeVar *rv, Oid relid, Oid oldrelid,
|
||||
*/
|
||||
if (IsA(stmt, RenameStmt))
|
||||
{
|
||||
aclresult = pg_namespace_aclcheck(classform->relnamespace,
|
||||
aclresult = object_aclcheck(NamespaceRelationId, classform->relnamespace,
|
||||
GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
|
||||
@@ -1277,7 +1277,7 @@ check_temp_tablespaces(char **newval, void **extra, GucSource source)
|
||||
}
|
||||
|
||||
/* Check permissions, similarly complaining only if interactive */
|
||||
aclresult = pg_tablespace_aclcheck(curoid, GetUserId(),
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, curoid, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
{
|
||||
@@ -1407,7 +1407,7 @@ PrepareTempTablespaces(void)
|
||||
}
|
||||
|
||||
/* Check permissions similarly */
|
||||
aclresult = pg_tablespace_aclcheck(curoid, GetUserId(),
|
||||
aclresult = object_aclcheck(TableSpaceRelationId, curoid, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
continue;
|
||||
|
||||
@@ -696,7 +696,7 @@ CreateTriggerFiringOn(CreateTrigStmt *stmt, const char *queryString,
|
||||
funcoid = LookupFuncName(stmt->funcname, 0, NULL, false);
|
||||
if (!isInternal)
|
||||
{
|
||||
aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, funcoid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION,
|
||||
NameListToString(stmt->funcname));
|
||||
|
||||
@@ -408,7 +408,7 @@ DefineTSDictionary(List *names, List *parameters)
|
||||
namespaceoid = QualifiedNameGetCreationNamespace(names, &dictname);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(namespaceoid));
|
||||
@@ -911,7 +911,7 @@ DefineTSConfiguration(List *names, List *parameters, ObjectAddress *copied)
|
||||
namespaceoid = QualifiedNameGetCreationNamespace(names, &cfgname);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, namespaceoid, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(namespaceoid));
|
||||
|
||||
@@ -222,7 +222,7 @@ DefineType(ParseState *pstate, List *names, List *parameters)
|
||||
#ifdef NOT_USED
|
||||
/* XXX this is unnecessary given the superuser check above */
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(typeNamespace, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, typeNamespace, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(typeNamespace));
|
||||
@@ -733,7 +733,7 @@ DefineDomain(CreateDomainStmt *stmt)
|
||||
&domainName);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(domainNamespace, GetUserId(),
|
||||
aclresult = object_aclcheck(NamespaceRelationId, domainNamespace, GetUserId(),
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
@@ -781,7 +781,7 @@ DefineDomain(CreateDomainStmt *stmt)
|
||||
errmsg("\"%s\" is not a valid base type for a domain",
|
||||
TypeNameToString(stmt->typeName))));
|
||||
|
||||
aclresult = pg_type_aclcheck(basetypeoid, GetUserId(), ACL_USAGE);
|
||||
aclresult = object_aclcheck(TypeRelationId, basetypeoid, GetUserId(), ACL_USAGE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error_type(aclresult, basetypeoid);
|
||||
|
||||
@@ -1149,7 +1149,7 @@ DefineEnum(CreateEnumStmt *stmt)
|
||||
&enumName);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(enumNamespace, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, enumNamespace, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(enumNamespace));
|
||||
@@ -1369,7 +1369,7 @@ DefineRange(ParseState *pstate, CreateRangeStmt *stmt)
|
||||
&typeName);
|
||||
|
||||
/* Check we have creation rights in target namespace */
|
||||
aclresult = pg_namespace_aclcheck(typeNamespace, GetUserId(), ACL_CREATE);
|
||||
aclresult = object_aclcheck(NamespaceRelationId, typeNamespace, GetUserId(), ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_SCHEMA,
|
||||
get_namespace_name(typeNamespace));
|
||||
@@ -2341,7 +2341,7 @@ findRangeCanonicalFunction(List *procname, Oid typeOid)
|
||||
func_signature_string(procname, 1, NIL, argList))));
|
||||
|
||||
/* Also, range type's creator must have permission to call function */
|
||||
aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, procOid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(procOid));
|
||||
|
||||
@@ -2384,7 +2384,7 @@ findRangeSubtypeDiffFunction(List *procname, Oid subtype)
|
||||
func_signature_string(procname, 2, NIL, argList))));
|
||||
|
||||
/* Also, range type's creator must have permission to call function */
|
||||
aclresult = pg_proc_aclcheck(procOid, GetUserId(), ACL_EXECUTE);
|
||||
aclresult = object_aclcheck(ProcedureRelationId, procOid, GetUserId(), ACL_EXECUTE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
aclcheck_error(aclresult, OBJECT_FUNCTION, get_func_name(procOid));
|
||||
|
||||
@@ -3748,7 +3748,7 @@ AlterTypeOwner(List *names, Oid newOwnerId, ObjectType objecttype)
|
||||
check_is_member_of_role(GetUserId(), newOwnerId);
|
||||
|
||||
/* New owner must have CREATE privilege on namespace */
|
||||
aclresult = pg_namespace_aclcheck(typTup->typnamespace,
|
||||
aclresult = object_aclcheck(NamespaceRelationId, typTup->typnamespace,
|
||||
newOwnerId,
|
||||
ACL_CREATE);
|
||||
if (aclresult != ACLCHECK_OK)
|
||||
|
||||
Reference in New Issue
Block a user