summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1a6b1c4)
raw | patch | inline | side by side (parent: 1a6b1c4)
| author | Noah Misch <noah@leadboat.com> | |
| Fri, 25 Dec 2020 18:41:59 +0000 (10:41 -0800) | ||
| committer | Noah Misch <noah@leadboat.com> | |
| Fri, 25 Dec 2020 18:42:03 +0000 (10:42 -0800) |
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as
quickly as they have been reflecting "GRANT role_name". Back-patch to
9.5 (all supported versions).
Reviewed by Nathan Bossart.
Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
quickly as they have been reflecting "GRANT role_name". Back-patch to
9.5 (all supported versions).
Reviewed by Nathan Bossart.
Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
| src/backend/utils/adt/acl.c | patch | blob | blame | history | |
| src/test/regress/expected/privileges.out | patch | blob | blame | history | |
| src/test/regress/sql/privileges.sql | patch | blob | blame | history |
index 12baeca913a45908fd491fe8d4385ede150e82bb..d4df743523fe3108a13b36851c822ddbe2393896 100644 (file)
* role. In most of these tests the "given role" is the same, namely the
* active current user. So we can optimize it by keeping a cached list of
* all the roles the "given role" is a member of, directly or indirectly.
- * The cache is flushed whenever we detect a change in pg_auth_members.
*
* There are actually two caches, one computed under "has_privs" rules
* (do not recurse where rolinherit isn't true) and one computed under
if (!IsBootstrapProcessingMode())
{
/*
- * In normal mode, set a callback on any syscache invalidation of
- * pg_auth_members rows
+ * In normal mode, set a callback on any syscache invalidation of rows
+ * of pg_auth_members (for each AUTHMEM search in this file) or
+ * pg_authid (for has_rolinherit())
*/
CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
RoleMembershipCacheCallback,
(Datum) 0);
+ CacheRegisterSyscacheCallback(AUTHOID,
+ RoleMembershipCacheCallback,
+ (Datum) 0);
}
}
index 26ee16a0c370e13650f558ddbdd34969016fd0eb..80a604c4251045c6220a45fc6ae844f1dec9818d 100644 (file)
SELECT * FROM atest3; -- fail
ERROR: permission denied for relation atest3
DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ERROR: permission denied for table atest3
+ROLLBACK;
-- views
SET SESSION AUTHORIZATION regress_user3;
CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok
index f979cccea03f973ecc273e3e75a8239c38bb8cf4..b7bb9d934df136d1b12d01b385460d80c990894d 100644 (file)
SELECT * FROM atest3; -- fail
DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ROLLBACK;
-- views