diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index ed6136c..7fec099 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -291,8 +291,8 @@ CheckIndexCompatible(Oid oldId, * 'indexRelationId': normally InvalidOid, but during bootstrap can be * nonzero to specify a preselected OID for the index. * 'is_alter_table': this is due to an ALTER rather than a CREATE operation. - * 'check_rights': check for CREATE rights in the namespace. (This should - * be true except when ALTER is deleting/recreating an index.) + * 'check_rights': check for CREATE rights in namespace and tablespace. (This + * should be true except when ALTER is deleting/recreating an index.) * 'skip_build': make the catalog entries but leave the index file empty; * it will be filled later. * 'quiet': suppress the NOTICE chatter ordinarily provided for constraints. @@ -433,8 +433,9 @@ DefineIndex(Oid relationId, /* note InvalidOid is OK in this case */ } - /* Check permissions except when using database's default */ - if (OidIsValid(tablespaceId) && tablespaceId != MyDatabaseTableSpace) + /* Check tablespace permissions */ + if (check_rights && + OidIsValid(tablespaceId) && tablespaceId != MyDatabaseTableSpace) { AclResult aclresult; diff --git a/src/test/regress/input/tablespace.source b/src/test/regress/input/tablespace.source index 743c4b9..03a62bd 100644 --- a/src/test/regress/input/tablespace.source +++ b/src/test/regress/input/tablespace.source @@ -109,11 +109,18 @@ DROP TABLESPACE regress_tblspace; CREATE ROLE regress_tablespace_user1 login; CREATE ROLE regress_tablespace_user2 login; +GRANT USAGE ON SCHEMA testschema TO regress_tablespace_user2; ALTER TABLESPACE regress_tblspace OWNER TO regress_tablespace_user1; +CREATE TABLE testschema.tablespace_acl (c int); +-- new owner lacks permission to create this index from scratch +CREATE INDEX k ON testschema.tablespace_acl (c) TABLESPACE regress_tblspace; +ALTER TABLE testschema.tablespace_acl OWNER TO regress_tablespace_user2; + SET SESSION ROLE regress_tablespace_user2; CREATE TABLE tablespace_table (i int) TABLESPACE regress_tblspace; -- fail +ALTER TABLE testschema.tablespace_acl ALTER c TYPE bigint; RESET ROLE; ALTER TABLESPACE regress_tblspace RENAME TO regress_tblspace_renamed; diff --git a/src/test/regress/output/tablespace.source b/src/test/regress/output/tablespace.source index 31f2ac0..aaedf5f 100644 --- a/src/test/regress/output/tablespace.source +++ b/src/test/regress/output/tablespace.source @@ -221,10 +221,16 @@ DROP TABLESPACE regress_tblspace; ERROR: tablespace "regress_tblspace" is not empty CREATE ROLE regress_tablespace_user1 login; CREATE ROLE regress_tablespace_user2 login; +GRANT USAGE ON SCHEMA testschema TO regress_tablespace_user2; ALTER TABLESPACE regress_tblspace OWNER TO regress_tablespace_user1; +CREATE TABLE testschema.tablespace_acl (c int); +-- new owner lacks permission to create this index from scratch +CREATE INDEX k ON testschema.tablespace_acl (c) TABLESPACE regress_tblspace; +ALTER TABLE testschema.tablespace_acl OWNER TO regress_tablespace_user2; SET SESSION ROLE regress_tablespace_user2; CREATE TABLE tablespace_table (i int) TABLESPACE regress_tblspace; -- fail ERROR: permission denied for tablespace regress_tblspace +ALTER TABLE testschema.tablespace_acl ALTER c TYPE bigint; RESET ROLE; ALTER TABLESPACE regress_tblspace RENAME TO regress_tblspace_renamed; ALTER TABLE ALL IN TABLESPACE regress_tblspace_renamed SET TABLESPACE pg_default; @@ -235,10 +241,11 @@ NOTICE: no matching relations in tablespace "regress_tblspace_renamed" found -- Should succeed DROP TABLESPACE regress_tblspace_renamed; DROP SCHEMA testschema CASCADE; -NOTICE: drop cascades to 4 other objects +NOTICE: drop cascades to 5 other objects DETAIL: drop cascades to table testschema.foo drop cascades to table testschema.asselect drop cascades to table testschema.asexecute drop cascades to table testschema.atable +drop cascades to table testschema.tablespace_acl DROP ROLE regress_tablespace_user1; DROP ROLE regress_tablespace_user2;