Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit 157dcf5

Browse files
committed
Perform RLS subquery checks as the right user when going via a view.
When accessing a table with RLS via a view, the RLS checks are performed as the view owner. However, the code neglected to propagate that to any subqueries in the RLS checks. Fix that by calling setRuleCheckAsUser() for all RLS policy quals and withCheckOption checks for RTEs with RLS. Back-patch to 9.5 where RLS was added. Per bug #15708 from daurnimator. Discussion: https://postgr.es/m/15708-d65cab2ce9b1717a@postgresql.org
1 parent ab7590e commit 157dcf5

File tree

3 files changed

+61
-0
lines changed

3 files changed

+61
-0
lines changed

src/backend/rewrite/rowsecurity.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,7 @@
4747
#include "nodes/pg_list.h"
4848
#include "nodes/plannodes.h"
4949
#include "parser/parsetree.h"
50+
#include "rewrite/rewriteDefine.h"
5051
#include "rewrite/rewriteHandler.h"
5152
#include "rewrite/rewriteManip.h"
5253
#include "rewrite/rowsecurity.h"
@@ -381,6 +382,13 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index,
381382

382383
heap_close(rel, NoLock);
383384

385+
/*
386+
* Copy checkAsUser to the row security quals and WithCheckOption checks,
387+
* in case they contain any subqueries referring to other relations.
388+
*/
389+
setRuleCheckAsUser((Node *) *securityQuals, rte->checkAsUser);
390+
setRuleCheckAsUser((Node *) *withCheckOptions, rte->checkAsUser);
391+
384392
/*
385393
* Mark this query as having row security, so plancache can invalidate it
386394
* when necessary (eg: role changes)

src/test/regress/expected/rowsecurity.out

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3911,6 +3911,33 @@ DROP OWNED BY regress_rls_dob_role1;
39113911
DROP POLICY p1 ON dob_t2; -- should succeed
39123912
DROP USER regress_rls_dob_role1;
39133913
DROP USER regress_rls_dob_role2;
3914+
-- Bug #15708: view + table with RLS should check policies as view owner
3915+
CREATE TABLE ref_tbl (a int);
3916+
INSERT INTO ref_tbl VALUES (1);
3917+
CREATE TABLE rls_tbl (a int);
3918+
INSERT INTO rls_tbl VALUES (10);
3919+
ALTER TABLE rls_tbl ENABLE ROW LEVEL SECURITY;
3920+
CREATE POLICY p1 ON rls_tbl USING (EXISTS (SELECT 1 FROM ref_tbl));
3921+
GRANT SELECT ON ref_tbl TO regress_rls_bob;
3922+
GRANT SELECT ON rls_tbl TO regress_rls_bob;
3923+
CREATE VIEW rls_view AS SELECT * FROM rls_tbl;
3924+
ALTER VIEW rls_view OWNER TO regress_rls_bob;
3925+
GRANT SELECT ON rls_view TO regress_rls_alice;
3926+
SET SESSION AUTHORIZATION regress_rls_alice;
3927+
SELECT * FROM ref_tbl; -- Permission denied
3928+
ERROR: permission denied for table ref_tbl
3929+
SELECT * FROM rls_tbl; -- Permission denied
3930+
ERROR: permission denied for table rls_tbl
3931+
SELECT * FROM rls_view; -- OK
3932+
a
3933+
----
3934+
10
3935+
(1 row)
3936+
3937+
RESET SESSION AUTHORIZATION;
3938+
DROP VIEW rls_view;
3939+
DROP TABLE rls_tbl;
3940+
DROP TABLE ref_tbl;
39143941
--
39153942
-- Clean up objects
39163943
--

src/test/regress/sql/rowsecurity.sql

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1767,6 +1767,32 @@ DROP POLICY p1 ON dob_t2; -- should succeed
17671767
DROP USER regress_rls_dob_role1;
17681768
DROP USER regress_rls_dob_role2;
17691769

1770+
-- Bug #15708: view + table with RLS should check policies as view owner
1771+
CREATE TABLE ref_tbl (a int);
1772+
INSERT INTO ref_tbl VALUES (1);
1773+
1774+
CREATE TABLE rls_tbl (a int);
1775+
INSERT INTO rls_tbl VALUES (10);
1776+
ALTER TABLE rls_tbl ENABLE ROW LEVEL SECURITY;
1777+
CREATE POLICY p1 ON rls_tbl USING (EXISTS (SELECT 1 FROM ref_tbl));
1778+
1779+
GRANT SELECT ON ref_tbl TO regress_rls_bob;
1780+
GRANT SELECT ON rls_tbl TO regress_rls_bob;
1781+
1782+
CREATE VIEW rls_view AS SELECT * FROM rls_tbl;
1783+
ALTER VIEW rls_view OWNER TO regress_rls_bob;
1784+
GRANT SELECT ON rls_view TO regress_rls_alice;
1785+
1786+
SET SESSION AUTHORIZATION regress_rls_alice;
1787+
SELECT * FROM ref_tbl; -- Permission denied
1788+
SELECT * FROM rls_tbl; -- Permission denied
1789+
SELECT * FROM rls_view; -- OK
1790+
RESET SESSION AUTHORIZATION;
1791+
1792+
DROP VIEW rls_view;
1793+
DROP TABLE rls_tbl;
1794+
DROP TABLE ref_tbl;
1795+
17701796
--
17711797
-- Clean up objects
17721798
--

0 commit comments

Comments
 (0)