MERGE ... DO NOTHING: require SELECT privileges

Verify that a user running MERGE with a DO NOTHING clause has
privileges to read the table, even if no columns are referenced.  Such
privileges were already required if the ON clause or any of the WHEN
conditions referenced any column at all, so there's no functional change
in practice.

This change fixes an assertion failure in the case where no column is
referenced by the command and the WHEN clauses are all DO NOTHING.

Backpatch to 15, where MERGE was introduced.

Reported-by: Alena Rybakina <a.rybakina@postgrespro.ru>
Reported-by: Alexander Lakhin <exclusion@gmail.com>
Discussion: https://postgr.es/m/4d65a385-7efa-4436-a825-0869f89d9d92@postgrespro.ru

diff --git a/src/backend/parser/parse_merge.c b/src/backend/parser/parse_merge.c
index e8865bfaf543cbc4ffd762d1b682fead46559489..de4825b1854cde2dfd08e64410632451de53f64f 100644 (file)
--- a/src/backend/parser/parse_merge.c
+++ b/src/backend/parser/parse_merge.c
@@ -133,7 +133,11 @@ transformMergeStmt(ParseState *pstate, MergeStmt *stmt)
        int         when_type = (mergeWhenClause->matched ? 0 : 1);
 
        /*
-        * Collect action types so we can check target permissions
+        * Collect permissions to check, according to action types. We require
+        * SELECT privileges for DO NOTHING because it'd be irregular to have
+        * a target relation with zero privileges checked, in case DO NOTHING
+        * is the only action.  There's no damage from that: any meaningful
+        * MERGE command requires at least some access to the table anyway.
         */
        switch (mergeWhenClause->commandType)
        {
@@ -147,6 +151,7 @@ transformMergeStmt(ParseState *pstate, MergeStmt *stmt)
                targetPerms |= ACL_DELETE;
                break;
            case CMD_NOTHING:
+               targetPerms |= ACL_SELECT;
                break;
            default:
                elog(ERROR, "unknown action in MERGE WHEN clause");

diff --git a/src/test/regress/expected/merge.out b/src/test/regress/expected/merge.out
index edc0043ca868cc65bcbdab9cfa74d468e5a58ac5..1fb53a3a546b1b84b093ca48466a7b528eb7d050 100644 (file)
--- a/src/test/regress/expected/merge.out
+++ b/src/test/regress/expected/merge.out
@@ -3,6 +3,7 @@
 --
 CREATE USER regress_merge_privs;
 CREATE USER regress_merge_no_privs;
+CREATE USER regress_merge_none;
 DROP TABLE IF EXISTS target;
 NOTICE:  table "target" does not exist, skipping
 DROP TABLE IF EXISTS source;
@@ -159,6 +160,14 @@ ERROR:  cannot execute MERGE on relation "mv"
 DETAIL:  This operation is not supported for materialized views.
 DROP MATERIALIZED VIEW mv;
 -- permissions
+SET SESSION AUTHORIZATION regress_merge_none;
+MERGE INTO target
+USING (SELECT 1) AS s
+ON true
+WHEN MATCHED THEN
+   DO NOTHING;
+ERROR:  permission denied for table target
+SET SESSION AUTHORIZATION regress_merge_privs;
 MERGE INTO target
 USING source2
 ON target.tid = source2.sid
@@ -2244,3 +2253,4 @@ DROP TABLE source, source2;
 DROP FUNCTION merge_trigfunc();
 DROP USER regress_merge_privs;
 DROP USER regress_merge_no_privs;
+DROP USER regress_merge_none;

diff --git a/src/test/regress/sql/merge.sql b/src/test/regress/sql/merge.sql
index 66cb75a7566c0d40d880c54e7b9dae0bff73e6c3..28b696f3ae00b39250cb644992407c333975c395 100644 (file)
--- a/src/test/regress/sql/merge.sql
+++ b/src/test/regress/sql/merge.sql
@@ -4,6 +4,8 @@
 
 CREATE USER regress_merge_privs;
 CREATE USER regress_merge_no_privs;
+CREATE USER regress_merge_none;
+
 DROP TABLE IF EXISTS target;
 DROP TABLE IF EXISTS source;
 CREATE TABLE target (tid integer, balance integer)
@@ -118,6 +120,14 @@ DROP MATERIALIZED VIEW mv;
 
 -- permissions
 
+SET SESSION AUTHORIZATION regress_merge_none;
+MERGE INTO target
+USING (SELECT 1) AS s
+ON true
+WHEN MATCHED THEN
+   DO NOTHING;
+
+SET SESSION AUTHORIZATION regress_merge_privs;
 MERGE INTO target
 USING source2
 ON target.tid = source2.sid
@@ -1471,3 +1481,4 @@ DROP TABLE source, source2;
 DROP FUNCTION merge_trigfunc();
 DROP USER regress_merge_privs;
 DROP USER regress_merge_no_privs;
+DROP USER regress_merge_none;