-- -- Test access privileges -- CREATE USER regressuser1; CREATE USER regressuser2; CREATE USER regressuser3; CREATE USER regressuser4; CREATE USER regressuser4; -- duplicate ERROR: CREATE USER: user name "regressuser4" already exists CREATE GROUP regressgroup1; CREATE GROUP regressgroup2 WITH USER regressuser1, regressuser2; ALTER GROUP regressgroup1 ADD USER regressuser4; ALTER GROUP regressgroup2 ADD USER regressuser2; -- duplicate NOTICE: ALTER GROUP: user "regressuser2" is already in group "regressgroup2" ALTER GROUP regressgroup2 DROP USER regressuser2; ALTER GROUP regressgroup2 ADD USER regressuser4; -- test owner privileges SET SESSION AUTHORIZATION regressuser1; SELECT session_user, current_user; session_user | current_user --------------+-------------- regressuser1 | regressuser1 (1 row) CREATE TABLE atest1 ( a int, b text ); SELECT * FROM atest1; a | b ---+--- (0 rows) INSERT INTO atest1 VALUES (1, 'one'); DELETE FROM atest1; UPDATE atest1 SET a = 1 WHERE b = 'blech'; LOCK atest1 IN ACCESS EXCLUSIVE MODE; REVOKE ALL ON atest1 FROM PUBLIC; SELECT * FROM atest1; a | b ---+--- (0 rows) GRANT ALL ON atest1 TO regressuser2; GRANT SELECT ON atest1 TO regressuser3, regressuser4; SELECT * FROM atest1; a | b ---+--- (0 rows) CREATE TABLE atest2 (col1 varchar(10), col2 boolean); GRANT SELECT ON atest2 TO regressuser2; GRANT UPDATE ON atest2 TO regressuser3; GRANT INSERT ON atest2 TO regressuser4; SET SESSION AUTHORIZATION regressuser2; SELECT session_user, current_user; session_user | current_user --------------+-------------- regressuser2 | regressuser2 (1 row) -- try various combinations of queries on atest1 and atest2 SELECT * FROM atest1; -- ok a | b ---+--- (0 rows) SELECT * FROM atest2; -- ok col1 | col2 ------+------ (0 rows) INSERT INTO atest1 VALUES (2, 'two'); -- ok INSERT INTO atest2 VALUES ('foo', true); -- fail ERROR: atest2: Permission denied. INSERT INTO atest1 SELECT 1, b FROM atest1; -- ok UPDATE atest1 SET a = 1 WHERE a = 2; -- ok UPDATE atest2 SET col2 = NOT col2; -- fail ERROR: atest2: Permission denied. SELECT * FROM atest1 FOR UPDATE; -- ok a | b ---+----- 1 | two 1 | two (2 rows) SELECT * FROM atest2 FOR UPDATE; -- fail ERROR: atest2: Permission denied. DELETE FROM atest2; -- fail ERROR: atest2: Permission denied. LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- fail ERROR: LOCK TABLE: permission denied COPY atest2 FROM stdin; -- fail ERROR: atest2: Permission denied. GRANT ALL ON atest1 TO PUBLIC; -- fail ERROR: permission denied -- checks in subquery, both ok SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) ); a | b ---+--- (0 rows) SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) ); col1 | col2 ------+------ (0 rows) SET SESSION AUTHORIZATION regressuser3; SELECT session_user, current_user; session_user | current_user --------------+-------------- regressuser3 | regressuser3 (1 row) SELECT * FROM atest1; -- ok a | b ---+----- 1 | two 1 | two (2 rows) SELECT * FROM atest2; -- fail ERROR: atest2: Permission denied. INSERT INTO atest1 VALUES (2, 'two'); -- fail ERROR: atest1: Permission denied. INSERT INTO atest2 VALUES ('foo', true); -- fail ERROR: atest2: Permission denied. INSERT INTO atest1 SELECT 1, b FROM atest1; -- fail ERROR: atest1: Permission denied. UPDATE atest1 SET a = 1 WHERE a = 2; -- fail ERROR: atest1: Permission denied. UPDATE atest2 SET col2 = NULL; -- ok UPDATE atest2 SET col2 = NOT col2; -- fails; requires SELECT on atest2 ERROR: atest2: Permission denied. UPDATE atest2 SET col2 = true WHERE atest1.a = 5; -- ok SELECT * FROM atest1 FOR UPDATE; -- fail ERROR: atest1: Permission denied. SELECT * FROM atest2 FOR UPDATE; -- fail ERROR: atest2: Permission denied. DELETE FROM atest2; -- fail ERROR: atest2: Permission denied. LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- ok COPY atest2 FROM stdin; -- fail ERROR: atest2: Permission denied. -- checks in subquery, both fail SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) ); ERROR: atest2: Permission denied. SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) ); ERROR: atest2: Permission denied. SET SESSION AUTHORIZATION regressuser4; COPY atest2 FROM stdin; -- ok SELECT * FROM atest1; -- ok a | b ---+----- 1 | two 1 | two (2 rows) -- groups SET SESSION AUTHORIZATION regressuser3; CREATE TABLE atest3 (one int, two int, three int); GRANT DELETE ON atest3 TO GROUP regressgroup2; SET SESSION AUTHORIZATION regressuser1; SELECT * FROM atest3; -- fail ERROR: atest3: Permission denied. DELETE FROM atest3; -- ok -- views SET SESSION AUTHORIZATION regressuser3; CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok /* The next *should* fail, but it's not implemented that way yet. */ CREATE VIEW atestv2 AS SELECT * FROM atest2; CREATE VIEW atestv3 AS SELECT * FROM atest3; -- ok SELECT * FROM atestv1; -- ok a | b ---+----- 1 | two 1 | two (2 rows) GRANT SELECT ON atestv1, atestv3 TO regressuser4; SET SESSION AUTHORIZATION regressuser4; SELECT * FROM atestv1; -- ok a | b ---+----- 1 | two 1 | two (2 rows) SELECT * FROM atestv3; -- ok one | two | three -----+-----+------- (0 rows) -- has_table_privilege function -- bad-input checks select has_table_privilege(NULL,'pg_shadow','select'); has_table_privilege --------------------- (1 row) select has_table_privilege('pg_shad','select'); ERROR: has_table_privilege: relation "pg_shad" does not exist select has_table_privilege('nosuchuser','pg_shadow','select'); ERROR: user "nosuchuser" does not exist select has_table_privilege('pg_shadow','sel'); ERROR: has_table_privilege: invalid privilege type sel select has_table_privilege(-999999,'pg_shadow','update'); ERROR: pg_aclcheck: invalid user id 4293967297 select has_table_privilege(1,'rule'); ERROR: has_table_privilege: invalid relation oid 1 -- superuser \c regression select has_table_privilege(current_user,'pg_shadow','select'); has_table_privilege --------------------- t (1 row) select has_table_privilege(current_user,'pg_shadow','insert'); has_table_privilege --------------------- t (1 row) select has_table_privilege(t2.usesysid,'pg_shadow','update') from (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- t (1 row) select has_table_privilege(t2.usesysid,'pg_shadow','delete') from (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- t (1 row) select has_table_privilege(current_user,t1.oid,'rule') from (select oid from pg_class where relname = 'pg_shadow') as t1; has_table_privilege --------------------- t (1 row) select has_table_privilege(current_user,t1.oid,'references') from (select oid from pg_class where relname = 'pg_shadow') as t1; has_table_privilege --------------------- t (1 row) select has_table_privilege(t2.usesysid,t1.oid,'select') from (select oid from pg_class where relname = 'pg_shadow') as t1, (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- t (1 row) select has_table_privilege(t2.usesysid,t1.oid,'insert') from (select oid from pg_class where relname = 'pg_shadow') as t1, (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- t (1 row) select has_table_privilege('pg_shadow','update'); has_table_privilege --------------------- t (1 row) select has_table_privilege('pg_shadow','delete'); has_table_privilege --------------------- t (1 row) select has_table_privilege(t1.oid,'select') from (select oid from pg_class where relname = 'pg_shadow') as t1; has_table_privilege --------------------- t (1 row) select has_table_privilege(t1.oid,'trigger') from (select oid from pg_class where relname = 'pg_shadow') as t1; has_table_privilege --------------------- t (1 row) -- non-superuser SET SESSION AUTHORIZATION regressuser3; select has_table_privilege(current_user,'pg_class','select'); has_table_privilege --------------------- t (1 row) select has_table_privilege(current_user,'pg_class','insert'); has_table_privilege --------------------- f (1 row) select has_table_privilege(t2.usesysid,'pg_class','update') from (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- f (1 row) select has_table_privilege(t2.usesysid,'pg_class','delete') from (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- f (1 row) select has_table_privilege(current_user,t1.oid,'rule') from (select oid from pg_class where relname = 'pg_class') as t1; has_table_privilege --------------------- f (1 row) select has_table_privilege(current_user,t1.oid,'references') from (select oid from pg_class where relname = 'pg_class') as t1; has_table_privilege --------------------- f (1 row) select has_table_privilege(t2.usesysid,t1.oid,'select') from (select oid from pg_class where relname = 'pg_class') as t1, (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- t (1 row) select has_table_privilege(t2.usesysid,t1.oid,'insert') from (select oid from pg_class where relname = 'pg_class') as t1, (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- f (1 row) select has_table_privilege('pg_class','update'); has_table_privilege --------------------- f (1 row) select has_table_privilege('pg_class','delete'); has_table_privilege --------------------- f (1 row) select has_table_privilege(t1.oid,'select') from (select oid from pg_class where relname = 'pg_class') as t1; has_table_privilege --------------------- t (1 row) select has_table_privilege(t1.oid,'trigger') from (select oid from pg_class where relname = 'pg_class') as t1; has_table_privilege --------------------- f (1 row) select has_table_privilege(current_user,'atest1','select'); has_table_privilege --------------------- t (1 row) select has_table_privilege(current_user,'atest1','insert'); has_table_privilege --------------------- f (1 row) select has_table_privilege(t2.usesysid,'atest1','update') from (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- f (1 row) select has_table_privilege(t2.usesysid,'atest1','delete') from (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- f (1 row) select has_table_privilege(current_user,t1.oid,'rule') from (select oid from pg_class where relname = 'atest1') as t1; has_table_privilege --------------------- f (1 row) select has_table_privilege(current_user,t1.oid,'references') from (select oid from pg_class where relname = 'atest1') as t1; has_table_privilege --------------------- f (1 row) select has_table_privilege(t2.usesysid,t1.oid,'select') from (select oid from pg_class where relname = 'atest1') as t1, (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- t (1 row) select has_table_privilege(t2.usesysid,t1.oid,'insert') from (select oid from pg_class where relname = 'atest1') as t1, (select usesysid from pg_user where usename = current_user) as t2; has_table_privilege --------------------- f (1 row) select has_table_privilege('atest1','update'); has_table_privilege --------------------- f (1 row) select has_table_privilege('atest1','delete'); has_table_privilege --------------------- f (1 row) select has_table_privilege(t1.oid,'select') from (select oid from pg_class where relname = 'atest1') as t1; has_table_privilege --------------------- t (1 row) select has_table_privilege(t1.oid,'trigger') from (select oid from pg_class where relname = 'atest1') as t1; has_table_privilege --------------------- f (1 row) -- clean up \c regression DROP TABLE atest1; DROP TABLE atest2; DROP TABLE atest3; DROP VIEW atestv1; DROP VIEW atestv2; DROP VIEW atestv3; DROP GROUP regressgroup1; DROP GROUP regressgroup2; DROP USER regressuser1; DROP USER regressuser2; DROP USER regressuser3; DROP USER regressuser4;