| From: | cca5507 <cca5507(at)qq(dot)com> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Why is_admin_of_role() use ROLERECURSE_MEMBERS rather than ROLERECURSE_PRIVS? |
| Date: | 2025-11-19 03:42:59 |
| Message-ID: | tencent_89E0A11CDCDB6586E615E6D4CAA610CBEC0A@qq.com |
| Lists: | pgsql-hackers |
Hi,
According to the comment in check_role_grantor():
```c
	/*
	 * Otherwise, the grantor must either have ADMIN OPTION on the role or
	 * inherit the privileges of a role which does. In the former case,
	 * record the grantor as the current user; in the latter, pick one of
	 * the roles that is "most directly" inherited by the current role
	 * (i.e. fewest "hops").
	 *
	 * (We shouldn't fail to find a best grantor, because we've already
	 * established that the current user has permission to perform the
	 * operation.)
	 */
	grantorId = select_best_admin(currentUserId, roleid);
	if (!OidIsValid(grantorId))
		elog(ERROR, "no possible grantors");
```
But the "no possible grantors" error can happen in my test case.
The main reason is that is_admin_of_role() and select_best_admin() use different role recurse methods.
I think they should be kept consistent; maybe both should use ROLERECURSE_PRIVS? Thoughts?
--
Regards,
ChangAo Chen
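
The mismatch described in the message above, as an added example that is not part of the original post, not the poster's test case, and not PostgreSQL source. It is a simplified model that assumes ROLERECURSE_MEMBERS follows every membership while ROLERECURSE_PRIVS skips memberships granted without INHERIT; the role ids, `find_admin_role` and the `model_*` function names are hypothetical, and the superuser shortcut is left out.

```c
#include <stdbool.h>

/* Simplified model for illustration; not PostgreSQL source code. */
enum recurse_type { ROLERECURSE_MEMBERS, ROLERECURSE_PRIVS };
struct grant { int member, role; bool inherit_option, admin_option; };

/* Constructed sample: alice(1) is in staff(2) WITH INHERIT FALSE,
 * and staff(2) holds ADMIN OPTION on reports(3). 0 means "no role". */
static const struct grant grants[] = {
    { 1, 2, false, false },
    { 2, 3, true,  true  },
};
#define NGRANTS ((int) (sizeof grants / sizeof grants[0]))
#define MAXROLES 16

/* Walk memberships breadth-first from `member`; return the first visited
 * role holding ADMIN OPTION on `admin_of`, or 0 if the walk finds none. */
int find_admin_role(int member, enum recurse_type type, int admin_of)
{
    int queue[MAXROLES], n = 0, admin_role = 0;
    queue[n++] = member;
    for (int i = 0; i < n; i++) {
        for (int g = 0; g < NGRANTS; g++) {
            bool seen = false;
            if (grants[g].member != queue[i])
                continue;
            if (grants[g].role == admin_of && grants[g].admin_option && !admin_role)
                admin_role = queue[i];
            /* The PRIVS walk does not cross non-inherited memberships. */
            if (type == ROLERECURSE_PRIVS && !grants[g].inherit_option)
                continue;
            for (int k = 0; k < n; k++)
                seen = seen || queue[k] == grants[g].role;
            if (!seen && n < MAXROLES)
                queue[n++] = grants[g].role;
        }
    }
    return admin_role;
}

/* Permission check walks every membership; grantor choice only inherited ones. */
bool model_is_admin_of_role(int member, int role)
{
    return member != role && find_admin_role(member, ROLERECURSE_MEMBERS, role) != 0;
}

int model_select_best_admin(int member, int role)
{
    return member == role ? 0 : find_admin_role(member, ROLERECURSE_PRIVS, role);
}
```

For alice(1) and reports(3) the permission check passes while the grantor lookup returns no role, which is the state in which the quoted code reaches `elog(ERROR, "no possible grantors")`.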