Re: New patch for Column-level privileges

Stephen Frost wrote:
> Tom, er al,
>
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> I'm thinking make_var is not the place to do this. The places that are
>> supposed to be taking care of permissions are the ones that do this:
>>
>> /* Require read access --- see comments in setTargetTable() */
>> rte->requiredPerms |= ACL_SELECT;
>
> Argh. That's what I had started out with, but I couldn't figure out how
> to handle the JOIN case. I'm a bit mystified by what KaiGai found
> though and havn't had a chance to look at it yet, but I thought I had
> tested the JOIN cases and I had added them to the regression tests.
> Guess I missed something.

It seems to me you didn't add "success cases" for JOINs.
The previous patch tries to check privilege for each columns within
JOIN'ed tables unexpectedly, so the test case always fails.

*** src/test/regress/sql/privileges.sql 4 Nov 2008 00:57:19 -0000 1.22
--- src/test/regress/sql/privileges.sql 10 Jan 2009 19:10:19 -0000
:
+ SET SESSION AUTHORIZATION regressuser4;
+ SELECT * FROM atest5; -- fail
+ SELECT one FROM atest5; -- ok
+ SELECT two FROM atest5; -- fail
+ SELECT atest5 FROM atest5; -- fail
+ SELECT 1 FROM atest5; -- ok
+ SELECT 1 FROM atest5 JOIN atest5 USING (two); -- fail
+ SELECT 1 FROM atest5 WHERE two = 2; -- fail
+ SELECT * FROM atest1, atest5; -- fail
+ SELECT atest1.* FROM atest1, atest5; -- ok
+ SELECT atest1.*,atest5.one FROM atest1, atest5; -- ok
+ SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.two); -- fail
+ SELECT one, two FROM atest5; -- fail
+
:

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>