
Re: patch for type privileges

From: Yeb Havinga <yebhavinga(at)gmail(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: patch for type privileges
Date: 2011-12-13 18:13:03
Message-ID: 4EE795AF.7050905@gmail.com
Lists: pgsql-hackers

On 2011-12-12 20:53, Peter Eisentraut wrote:
> On Sun, 2011-12-11 at 21:21 +0200, Peter Eisentraut wrote:
>>> * Cannot restrict access to array types. After revoking usage from the
>>> element type, the error is perhaps a bit misleading. (smallint[] vs
>>> smallint)
>>>
>>> postgres=>  create table a (a int2[]);
>>> ERROR:  permission denied for type smallint[]
>> OK, that error message should be improved.
> Fixing this is easy, but I'd like to look into refactoring this a bit.
> Let's ignore that for now; it's easy to do later.

My experience with ignoring things for now is not positive.

>>> * The information schema view 'attributes' has this additional condition:
>>>             AND (pg_has_role(t.typowner, 'USAGE')
>>>                  OR has_type_privilege(t.oid, 'USAGE'));
>>>
>>> What happens is that attributes in a composite type are shown, or not,
>>> if the current user has USAGE rights. The strange thing here is that
>>> the attribute in the type being shown or not doesn't match being able to
>>> use it (in the creation of e.g. a table).
>> Yeah, that's a bug.  That should be something like
>>
>> AND (pg_has_role(c.relowner, 'USAGE')
>>       OR has_type_privilege(c.reltype, 'USAGE'));
> And fix for that included.

Confirmed that this now works as expected.

I have no remarks on the other parts of the patch code.

After puzzling a bit more with the udt and usage privileges views, it is 
clear that they should complement each other. That might be reflected by 
adding to the 'usage_privileges' section a link back to the 
'udt_privileges' section.

I have no further comments on this patch.

regards,
Yeb Havinga
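
The visibility rule discussed in this thread, as an added example that is not part of the original message or of the patch: it lines up has_type_privilege(), an attempt to use a composite type in a table, and what information_schema.attributes shows for that type. The role app_user, the type addr and the table names are hypothetical; run it as a superuser in a scratch database on a server that has type privileges (PostgreSQL 9.2 or later).

```sql
-- Constructed example: app_user, addr and the table names are hypothetical.
CREATE ROLE app_user NOLOGIN;
CREATE TYPE addr AS (street text, zip smallint);

-- New types carry USAGE for PUBLIC by default; take it away.
REVOKE USAGE ON TYPE addr FROM PUBLIC;

-- 1. The privilege as the access-check function reports it.
SELECT has_type_privilege('app_user', 'addr', 'USAGE') AS can_use;

SET ROLE app_user;

-- 2. Try to use the type, plain and as an array (the array case is the one
--    whose error message the thread says should be improved).
CREATE TEMP TABLE demo_plain (a addr);
CREATE TEMP TABLE demo_array (a addr[]);

-- 3. Attributes of the composite type as visible to app_user. Visibility
--    here should match the outcome of steps 1 and 2.
SELECT udt_name, attribute_name
FROM information_schema.attributes
WHERE udt_name = 'addr';

RESET ROLE;

-- Grant USAGE and repeat the same three checks; they should again agree
-- with each other.
GRANT USAGE ON TYPE addr TO app_user;
SELECT has_type_privilege('app_user', 'addr', 'USAGE') AS can_use;

SET ROLE app_user;
CREATE TEMP TABLE demo_plain (a addr);
CREATE TEMP TABLE demo_array (a addr[]);
SELECT udt_name, attribute_name
FROM information_schema.attributes
WHERE udt_name = 'addr';
RESET ROLE;

-- 4. The grant as recorded in the udt_privileges view.
SELECT grantor, grantee, udt_name, privilege_type
FROM information_schema.udt_privileges
WHERE udt_name = 'addr';

-- Clean up: tables first, then the type, then the role.
DROP TABLE IF EXISTS demo_plain, demo_array;
DROP TYPE addr;
DROP ROLE app_user;
```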
