On Sat, 2009-10-03 at 09:45 +0300, I wrote:
> So let's get rid of that. Selecting (or in general, operating) on a
> table with children only checks the privileges on that table, not the
> children.
If I'm seeing this right, it's literally a one-line fix. Patch attached
with documentation and test updates.
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index e055518..51d9aef 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -2124,20 +2124,20 @@ VALUES ('New York', NULL, NULL, 'NY');
and rejection that apply during <command>CREATE TABLE</command>.
</para>
- <sect2 id="ddl-inherit-caveats">
- <title>Caveats</title>
-
<para>
- Table access permissions are not automatically inherited. Therefore,
- a user attempting to access a parent table must either have permissions
- to do the same operation on all its child tables as well, or must use the
- <literal>ONLY</literal> notation. When adding a new child table to
- an existing inheritance hierarchy, be careful to grant all the needed
- permissions on it.
+ Note how table access permissions are handled. Querying a parent
+ table can automatically access data in child tables without further
+ access privilege checking. This preserves the appearance that the
+ data is (also) in the parent table. Accessing the child tables
+ directly is, however, not automatically allowed and would require
+ further privileges to be granted.
</para>
+ <sect2 id="ddl-inherit-caveats">
+ <title>Caveats</title>
+
<para>
- More generally, note that not all SQL commands are able to work on
+ Note that not all SQL commands are able to work on
inheritance hierarchies. Commands that are used for data querying,
data modification, or schema modification
(e.g., <literal>SELECT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>,
diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c
index df9eac6..17ddbe2 100644
--- a/src/backend/optimizer/prep/prepunion.c
+++ b/src/backend/optimizer/prep/prepunion.c
@@ -1244,6 +1244,7 @@ expand_inherited_rtentry(PlannerInfo *root, RangeTblEntry *rte, Index rti)
childrte = copyObject(rte);
childrte->relid = childOID;
childrte->inh = false;
+ childrte->requiredPerms = 0;
parse->rtable = lappend(parse->rtable, childrte);
childRTindex = list_length(parse->rtable);
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 16b5581..4decb2b 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -406,11 +406,22 @@ SELECT fx FROM atestp2; -- ok
----
(0 rows)
-SELECT fy FROM atestp2; -- fail, no privilege on atestc.fy
-ERROR: permission denied for relation atestc
-SELECT atestp2 FROM atestp2; -- fail, no privilege on atestc.fy
-ERROR: permission denied for relation atestc
-SELECT oid FROM atestp2; -- fail, no privilege on atestc.oid
+SELECT fy FROM atestp2; -- ok
+ fy
+----
+(0 rows)
+
+SELECT atestp2 FROM atestp2; -- ok
+ atestp2
+---------
+(0 rows)
+
+SELECT oid FROM atestp2; -- ok
+ oid
+-----
+(0 rows)
+
+SELECT fy FROM atestc; -- fail
ERROR: permission denied for relation atestc
SET SESSION AUTHORIZATION regressuser1;
GRANT SELECT(fy,oid) ON atestc TO regressuser2;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index 943fe36..d4f7282 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -277,9 +277,10 @@ GRANT SELECT(fx) ON atestc TO regressuser2;
SET SESSION AUTHORIZATION regressuser2;
SELECT fx FROM atestp2; -- ok
-SELECT fy FROM atestp2; -- fail, no privilege on atestc.fy
-SELECT atestp2 FROM atestp2; -- fail, no privilege on atestc.fy
-SELECT oid FROM atestp2; -- fail, no privilege on atestc.oid
+SELECT fy FROM atestp2; -- ok
+SELECT atestp2 FROM atestp2; -- ok
+SELECT oid FROM atestp2; -- ok
+SELECT fy FROM atestc; -- fail
SET SESSION AUTHORIZATION regressuser1;
GRANT SELECT(fy,oid) ON atestc TO regressuser2;
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
