Skip site navigation (1) Skip section navigation (2)

Re: BUG #1142: Problem with update permissions for view

From: Arturs Zoldners <az(at)rpiva(dot)lv>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #1142: Problem with update permissions for view
Date: 2004-05-18 14:44:05
Message-ID: 1084891444.1272.71.camel@orks.rpiva.lv (view raw or flat)
Thread:
Lists: pgsql-bugs
Dear Tom,

On Fri, 2004-04-30 at 19:48, Tom Lane wrote:
> Arturs Zoldners <az(at)rpiva(dot)lv> writes:
> > -- The following rule prevents user x to update public_data: 
> > CREATE RULE log_public AS ON UPDATE TO private_data WHERE (new.a <>
> > old.a) DO INSERT INTO private_log (old_val, new_val) VALUES (old.a,
> > new.a);
> 
> This is a known problem.  It's fixed for 7.5 but there seems no way to
> back-port the fix into existing release series (without forcing initdb).
> 
> The error is essentially that the use of an INSERT command as the rule
> body causes the original view to be checked for INSERT rather than
> UPDATE permissions ...
> 
> 			regards, tom lane

I tried the same test with 7.5devel. The problem is solved, but...
I found another bug, which sounds very like the first one:

ERROR: permission denied for relation...

Here are sql statements (postgres is superuser, x is ordinal user):

--********************************************************************

SET SESSION AUTHORIZATION 'postgres';
SELECT version();
--PostgreSQL 7.5devel on i686-pc-linux-gnu, compiled by GCC gcc (GCC)
--3.2.2 20030222 (Red Hat Linux 3.2.2-5)

REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT ALL ON SCHEMA public TO PUBLIC;
SET search_path = public, pg_catalog;
CREATE TABLE private_data (
    id serial NOT NULL,
    a integer
);
REVOKE ALL ON TABLE private_data FROM PUBLIC;
CREATE VIEW public_data AS
    SELECT private_data.id, private_data.a FROM private_data;
REVOKE ALL ON public_data FROM PUBLIC;

GRANT SELECT,RULE,UPDATE ON public_data TO x;

CREATE TABLE private_log (
    old_val integer,
    new_val integer
);
REVOKE ALL ON TABLE private_log FROM PUBLIC;
CREATE RULE on_update  AS ON UPDATE TO public_data DO INSTEAD UPDATE
private_data SET a = new.a WHERE (private_data.id = old.id);
SELECT pg_catalog.setval('private_data_id_seq', 3, true);
COMMENT ON SCHEMA public IS 'Standard public schema';

--

INSERT INTO private_data(id, a) VALUES (1, 1);
--INSERT 17832 1

UPDATE public_data SET a=2 WHERE id = 1;
--UPDATE 1

SET SESSION AUTHORIZATION 'x';
UPDATE public_data SET a=3 WHERE id = 1;
--UPDATE 1

SET SESSION AUTHORIZATION 'postgres';
CREATE RULE log_public AS ON UPDATE TO private_data WHERE (new.a <>
old.a) DO INSERT INTO private_log (old_val, new_val) VALUES (old.a,
new.a);

UPDATE public_data SET a=4 WHERE id = 1;
--UPDATE 1

SET SESSION AUTHORIZATION 'x';
UPDATE public_data SET a=5 WHERE id = 1;
--UPDATE 1

-- ^ This was the place, where 7.4.2 failed, now 7.5devel works ok,
--   and user x CAN update a view!
--   But, again, simple rule added to table private_log breaks things...
SET SESSION AUTHORIZATION 'postgres';
CREATE RULE silly_restriction AS ON INSERT TO private_log WHERE EXISTS
(SELECT 1 FROM private_log WHERE (old_val = 1) AND (new_val = 2)) DO
INSTEAD NOTHING;
--CREATE RULE
UPDATE public_data SET a=6 WHERE id = 1;
--UPDATE 1

SET SESSION AUTHORIZATION 'x';
UPDATE public_data SET a=7 WHERE id = 1;

--psql:bug.sql:61: ERROR:  permission denied for relation private_log

--***********************************************

I think, there is no reason for error again, because user x has
SELECT,RULE,UPDATE permissions for view public_data.


Best regards,
AZ

PS.

this bug was in "level 2":
update public_data (0) -> 
update private_data (1) -> 
insert private_log (2)

I found the same problem in "level 1" complex rules
involving deletion and inserts.

I wouldn't like to make a spam, but if you are interested in, I can
reduce them to dummy examples and send out, too.



In response to

Responses

pgsql-bugs by date

Next:From: Tom LaneDate: 2004-05-18 22:51:14
Subject: Re: BUG #1142: Problem with update permissions for view
Previous:From: Adam KempaDate: 2004-05-18 13:52:28
Subject: postgres crashes

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group