Greetings, We've run into a curious case and I'd like to solicit feedback regarding a possible change to the access rights required to acquire locks on a relation. Specifically, we have a process which normally INSERTs into a table and another process which Exclusive locks that same table in order to syncronize other processing. We then ran into a case where we didn't actually want to INSERT but still wanted to have the syncronization happen. Unfortunately, we don't allow LOCK TABLE to acquire RowExclusive unless you have UPDATE, DELETE, or TRUNCATE privileges.
My first impression is that the current code was just overly
simplistic regarding what level of permissions are required for a
given lock type and that it wasn't intentional to deny processes which
have INSERT privileges from acquiring RowExclusive (as they can do so
anyway using an actual INSERT). Therefore, I'd like to propose the
below simple 3-line patch to correct this.
Thoughts? Objections to back-patching?
Thanks,
Stephen
diff --git a/src/backend/commands/lockcmds.c b/src/backend/commands/lockcmds.c
new file mode 100644
index 49950d7..60f54c5 100644
*** a/src/backend/commands/lockcmds.c
--- b/src/backend/commands/lockcmds.c
*************** LockTableAclCheck(Oid reloid, LOCKMODE l
*** 174,179 ****
--- 174,182 ----
if (lockmode == AccessShareLock)
aclresult = pg_class_aclcheck(reloid, GetUserId(),
ACL_SELECT);
+ else if (lockmode == RowExclusiveLock)
+ aclresult = pg_class_aclcheck(reloid, GetUserId(),
+ ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE);
else
aclresult = pg_class_aclcheck(reloid, GetUserId(),
ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE);
signature.asc
Description: Digital signature
