From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>, pgsql-hackers(at)postgresql(dot)org, Jan Wieck <JanWieck(at)Yahoo(dot)com> |
Subject: | Re: [GENERAL] Strange permission problem regarding pg_settings |
Date: | 2003-12-27 21:18:18 |
Message-ID: | 3FEDF71A.5030001@joeconway.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
Tom Lane wrote:
> Reverting the change will bring back the bug for which it was created.
> It does seem though that we have an inadequate model of how to perform
> permission checks. In particular, the "write" flag bit in RTEs is
> context dependent: it can mean insert, update, or delete permission
> depending on the surrounding command.
Sorry if I'm being thick, but what of this?
> regression=> insert into table1 values (1);
> NOTICE: relOid = 1245674
> NOTICE: userid = 101
> NOTICE: operation = CMD_INSERT
> NOTICE: relOid = 1245674
> NOTICE: userid = 101
> NOTICE: operation = CMD_UPDATE
> ERROR: table1: permission denied
>
> regression=> select oid, relname from pg_class where relname like
'table%';
> oid | relname
> ---------+---------
> 1245674 | table1
> 1245676 | table2
> (2 rows)
Given how rules are supposed to work, the first check looks correct:
INSERT on table1 checked as pleb, userid = 101
But the second check is incorrect, not because of the mode being
checked, but because of the reloid and userid. The second check should be:
UPDATE on table2 checked as postgres, userid = 1
So why doesn't the second rte refer to table2 and userid=1?
Joe
From | Date | Subject | |
---|---|---|---|
Next Message | Manfred Spraul | 2003-12-27 21:36:36 | Re: update i386 spinlock for hyperthreading |
Previous Message | Tom Lane | 2003-12-27 21:11:55 | Re: update i386 spinlock for hyperthreading |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2003-12-27 21:19:17 | Re: Error with returning SETOF Record |
Previous Message | Tom Lane | 2003-12-27 21:11:55 | Re: update i386 spinlock for hyperthreading |