Add context info to OAT_POST_CREATE security hook

... and have sepgsql use it to determine whether to check permissions during certain operations. Indexes that are being created as a result of REINDEX, for instance, do not need to have their permissions checked; they were already checked when the index was created. Author: KaiGai Kohei, slightly revised by me
2025-09-02 04:21:28 +03:00 · 2012-10-23 18:07:26 -03:00
parent 4c9d0901f1
commit f4c4335a4a
16 changed files with 336 additions and 116 deletions
--- a/src/include/catalog/heap.h
+++ b/src/include/catalog/heap.h
@@ -66,7 +66,8 @@ extern Oid heap_create_with_catalog(const char *relname,
 						 OnCommitAction oncommit,
 						 Datum reloptions,
 						 bool use_user_acl,
-						 bool allow_system_table_mods);
+						 bool allow_system_table_mods,
+						 bool is_internal);

 extern void heap_create_init_fork(Relation rel);

--- a/src/include/catalog/index.h
+++ b/src/include/catalog/index.h
@@ -50,7 +50,8 @@ extern Oid index_create(Relation heapRelation,
 			 bool initdeferred,
 			 bool allow_system_table_mods,
 			 bool skip_build,
-			 bool concurrent);
+			 bool concurrent,
+			 bool is_internal);

 extern void index_constraint_create(Relation heapRelation,
 						Oid indexRelationId,
--- a/src/include/catalog/objectaccess.h
+++ b/src/include/catalog/objectaccess.h
@@ -30,6 +30,19 @@ typedef enum ObjectAccessType
 	OAT_DROP,
 } ObjectAccessType;

+/*
+ * Arguments of OAT_POST_CREATE event
+ */
+typedef struct
+{
+	/*
+	 * This flag informs extensions whether the context of this creation
+	 * is invoked by user's operations, or not. E.g, it shall be dealt
+	 * as internal stuff on toast tables or indexes due to type changes.
+	 */
+	bool		is_internal;
+} ObjectAccessPostCreate;
+
 /*
 * Arguments of OAT_DROP event
 */