From e9167c9027017a053311a66df395b914e2e2b11c Mon Sep 17 00:00:00 2001 From: Nisha Moond Date: Mon, 1 Jun 2026 18:43:42 +0530 Subject: [PATCH v2] Fix pg_subscription column privileges for subwalrcvtimeout The subwalrcvtimeout column was added by commit fb80f38, but the column-level privileges on pg_subscription were not updated. As a result, non-superusers cannot read the column, unlike the other publicly readable pg_subscription columns. This commit grants SELECT privilege on subwalrcvtimeout to PUBLIC. Author: Nisha Moond Reviewed-by: Amit Kapila Reviewed-by: Fujii Masao Discussion: https://postgr.es/m/CABdArM4uA=6nA0BunJwudiEoY1BcWUS_oj_2pkEq_d-YdiBJhw@mail.gmail.com --- src/backend/catalog/system_views.sql | 3 ++- src/test/regress/expected/subscription.out | 15 +++++++++++++++ src/test/regress/sql/subscription.sql | 11 +++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index 73a1c1c4670..8f129baec90 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -1527,7 +1527,8 @@ GRANT SELECT (oid, subdbid, subskiplsn, subname, subowner, subenabled, subbinary, substream, subtwophasestate, subdisableonerr, subpasswordrequired, subrunasowner, subfailover, subretaindeadtuples, submaxretention, subretentionactive, - subserver, subslotname, subsynccommit, subpublications, suborigin) + subserver, subslotname, subsynccommit, subwalrcvtimeout, + subpublications, suborigin) ON pg_subscription TO public; CREATE VIEW pg_stat_subscription_stats AS diff --git a/src/test/regress/expected/subscription.out b/src/test/regress/expected/subscription.out index 7e3cabdb93f..8481056a702 100644 --- a/src/test/regress/expected/subscription.out +++ b/src/test/regress/expected/subscription.out @@ -47,6 +47,21 @@ SELECT obj_description(s.oid, 'pg_subscription') FROM pg_subscription s; test subscription (1 row) +-- Check that only subconninfo is not publicly readable in pg_subscription. +SELECT count(*) = 0 AS ok + FROM pg_attribute + WHERE attrelid = 'pg_catalog.pg_subscription'::regclass AND attnum > 0 AND NOT attisdropped + AND ((attname = 'subconninfo' + AND has_column_privilege('regress_subscription_user_dummy', + 'pg_catalog.pg_subscription', attname, 'SELECT')) + OR (attname <> 'subconninfo' + AND NOT has_column_privilege('regress_subscription_user_dummy', + 'pg_catalog.pg_subscription', attname, 'SELECT'))); + ok +---- + t +(1 row) + -- Check if the subscription stats are created and stats_reset is updated -- by pg_stat_reset_subscription_stats(). SELECT subname, stats_reset IS NULL stats_reset_is_null FROM pg_stat_subscription_stats WHERE subname = 'regress_testsub'; diff --git a/src/test/regress/sql/subscription.sql b/src/test/regress/sql/subscription.sql index 6c3d9632e8a..374fad6aa7b 100644 --- a/src/test/regress/sql/subscription.sql +++ b/src/test/regress/sql/subscription.sql @@ -42,6 +42,17 @@ CREATE SUBSCRIPTION regress_testsub CONNECTION 'dbname=regress_doesnotexist' PUB COMMENT ON SUBSCRIPTION regress_testsub IS 'test subscription'; SELECT obj_description(s.oid, 'pg_subscription') FROM pg_subscription s; +-- Check that only subconninfo is not publicly readable in pg_subscription. +SELECT count(*) = 0 AS ok + FROM pg_attribute + WHERE attrelid = 'pg_catalog.pg_subscription'::regclass AND attnum > 0 AND NOT attisdropped + AND ((attname = 'subconninfo' + AND has_column_privilege('regress_subscription_user_dummy', + 'pg_catalog.pg_subscription', attname, 'SELECT')) + OR (attname <> 'subconninfo' + AND NOT has_column_privilege('regress_subscription_user_dummy', + 'pg_catalog.pg_subscription', attname, 'SELECT'))); + -- Check if the subscription stats are created and stats_reset is updated -- by pg_stat_reset_subscription_stats(). SELECT subname, stats_reset IS NULL stats_reset_is_null FROM pg_stat_subscription_stats WHERE subname = 'regress_testsub'; -- 2.53.0