Hi, On Tue, Jun 09, 2026 at 06:47:06AM +0000, Bertrand Drouvot wrote: > Hi, > > On Mon, Jun 08, 2026 at 02:55:19PM -0700, Jeff Davis wrote: > > On Fri, 2026-06-05 at 13:09 +0000, Bertrand Drouvot wrote: > > > the current patch > > > > /* > > * Look up a tracked aclcheck entry for the given object. > > * Returns true if found, filling in roleId, mode, and inval_count. > > * Searches from the end to find the most recent check (the one with > > the > > * freshest inval_count). > > > > What if two tracked ACL checks had different modes? Don't you need to > > do both checks or somehow combine the modes in the tracking entry? > > > > (I'm not sure if this is a practical problem or not.) > > Humm, good point. I was focusing on a "full" role revoke but maybe what you > describe could be a practical problem (in case of privilege revoke from the > role). > > In order to be on the safe side of things, the attached now iterates through > all > matching entries (and not only the last one). It's still a flat array as its > linear scan is O(n) in the number of tracked entries, but that's fine since a > typical DDL statement tracks only a few objects.
I just realized that the cfbot is complaining, let me fix it and come back with an updated patch. Regards, -- Bertrand Drouvot PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com
