sepgsql: Enforce db_schema:search permission.

KaiGai Kohei, with comment and doc wordsmithing by me
2025-07-30 11:03:19 +03:00 · 2013-04-05 08:51:31 -04:00
parent 52f436b807
commit e965e6344c
13 changed files with 258 additions and 15 deletions
--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
@ -397,6 +397,16 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
    checked in this version.
   </para>

+   <para>
+    In order to access any schema object, <literal>db_schema:search</>
+    permission is required on the containing schema.  When an object is
+    referenced without schema qualification, schemas on which this
+    permission is not present will not be searched (just as if the user did
+    not have <literal>USAGE</> privilege on the schema).  If an explicit schema
+    qualification is present, an error will occur if the user does not have
+    the requisite permission on the named schema.
+   </para>
+
   <para>
    The client must be allowed to access all referenced tables and
    columns, even if they originated from views which were then expanded,