Fix GRANTED BY support in REVOKE ROLE statements

Commit 6aaaa76bb added support for the GRANTED BY clause in GRANT and REVOKE statements, but missed adding support for checking the role in the REVOKE ROLE case. Fix by checking that the parsed role matches the CURRENT_ROLE/CURRENT_USER requirement, and also add some tests for it. Backpatch to v14 where GRANTED BY support was introduced. Discussion: https://postgr.es/m/B7F6699A-A984-4943-B9BF-CEB84C003527@yesql.se Backpatch-through: 14
author: Daniel Gustafsson 2021-11-26 13:02:01 +0000
committer: Daniel Gustafsson 2021-11-26 13:02:01 +0000
commit: b2a459edfe645747744402f23de041e9c0a3cd93 (patch)
tree: 9dc7046907d64ed2e3c896bbf668a40c443544e3 /src/backend/commands/user.c
parent: 36cb5e7c512bef394c9288786c62ef0eb1e891ba (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index aa69821be49..c8c0dd0dd53 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1259,7 +1259,18 @@ GrantRole(GrantRoleStmt *stmt)
 	ListCell   *item;
 
 	if (stmt->grantor)
+	{
 		grantor = get_rolespec_oid(stmt->grantor, false);
+
+		/*
+		 * Currently, this clause is only for SQL compatibility, not very
+		 * interesting otherwise.
+		 */
+		if (grantor != GetUserId())
+			ereport(ERROR,
+					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+					 errmsg("grantor must be current user")));
+	}
 	else
 		grantor = GetUserId();
author	Daniel Gustafsson	2021-11-26 13:02:01 +0000
committer	Daniel Gustafsson	2021-11-26 13:02:01 +0000
commit	b2a459edfe645747744402f23de041e9c0a3cd93 (patch)
tree	9dc7046907d64ed2e3c896bbf668a40c443544e3 /src/backend/commands/user.c
parent	36cb5e7c512bef394c9288786c62ef0eb1e891ba (diff)