#include "postgres.h"
#include "access/genam.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/tableam.h"
#include "access/xact.h"
#include "catalog/binary_upgrade.h"
#include "catalog/catalog.h"
#include "catalog/dependency.h"
#include "catalog/indexing.h"
#include "catalog/objectaccess.h"
#include "catalog/pg_authid.h"
#include "catalog/pg_class.h"
#include "catalog/pg_database.h"
#include "catalog/pg_default_acl.h"
#include "catalog/pg_foreign_data_wrapper.h"
#include "catalog/pg_foreign_server.h"
#include "catalog/pg_init_privs.h"
#include "catalog/pg_language.h"
#include "catalog/pg_largeobject.h"
#include "catalog/pg_largeobject_metadata.h"
#include "catalog/pg_namespace.h"
#include "catalog/pg_parameter_acl.h"
#include "catalog/pg_proc.h"
#include "catalog/pg_tablespace.h"
#include "catalog/pg_type.h"
#include "commands/dbcommands.h"
#include "commands/defrem.h"
#include "commands/event_trigger.h"
#include "commands/extension.h"
#include "commands/proclang.h"
#include "commands/tablespace.h"
#include "foreign/foreign.h"
#include "miscadmin.h"
#include "nodes/makefuncs.h"
#include "parser/parse_func.h"
#include "parser/parse_type.h"
#include "storage/lmgr.h"
#include "utils/acl.h"
#include "utils/aclchk_internal.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/rel.h"
#include "utils/syscache.h"

Include dependency graph for aclchk.c:

Data Structures
struct	InternalDefaultACL

Functions
static void	ExecGrantStmt_oids (InternalGrant *istmt)

static void	ExecGrant_Relation (InternalGrant *istmt)

static void	ExecGrant_common (InternalGrant istmt, Oid classid, AclMode default_privs, void(object_check)(InternalGrant *istmt, HeapTuple tuple))

static void	ExecGrant_Language_check (InternalGrant *istmt, HeapTuple tuple)

static void	ExecGrant_Largeobject (InternalGrant *istmt)

static void	ExecGrant_Type_check (InternalGrant *istmt, HeapTuple tuple)

static void	ExecGrant_Parameter (InternalGrant *istmt)

static void	SetDefaultACLsInSchemas (InternalDefaultACL iacls, List nspnames)

static void	SetDefaultACL (InternalDefaultACL *iacls)

static List *	objectNamesToOids (ObjectType objtype, List *objnames, bool is_grant)

static List *	objectsInSchemaToOids (ObjectType objtype, List *nspnames)

static List *	getRelationsInNamespace (Oid namespaceId, char relkind)

static void	expand_col_privileges (List colnames, Oid table_oid, AclMode this_privileges, AclMode col_privileges, int num_col_privileges)

static void	expand_all_col_privileges (Oid table_oid, Form_pg_class classForm, AclMode this_privileges, AclMode *col_privileges, int num_col_privileges)

static AclMode	string_to_privilege (const char *privname)

static const char *	privilege_to_string (AclMode privilege)

static AclMode	restrict_and_check_grant (bool is_grant, AclMode avail_goptions, bool all_privs, AclMode privileges, Oid objectId, Oid grantorId, ObjectType objtype, const char objname, AttrNumber att_number, const char colname)

static AclMode	pg_aclmask (ObjectType objtype, Oid object_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how)

static AclMode	object_aclmask (Oid classid, Oid objectid, Oid roleid, AclMode mask, AclMaskHow how)

static AclMode	object_aclmask_ext (Oid classid, Oid objectid, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing)

static AclMode	pg_attribute_aclmask (Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how)

static AclMode	pg_attribute_aclmask_ext (Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing)

static AclMode	pg_class_aclmask_ext (Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing)

static AclMode	pg_parameter_acl_aclmask (Oid acl_oid, Oid roleid, AclMode mask, AclMaskHow how)

static AclMode	pg_largeobject_aclmask_snapshot (Oid lobj_oid, Oid roleid, AclMode mask, AclMaskHow how, Snapshot snapshot)

static AclMode	pg_namespace_aclmask_ext (Oid nsp_oid, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing)

static AclMode	pg_type_aclmask_ext (Oid type_oid, Oid roleid, AclMode mask, AclMaskHow how, bool *is_missing)

static void	recordExtensionInitPriv (Oid objoid, Oid classoid, int objsubid, Acl *new_acl)

static void	recordExtensionInitPrivWorker (Oid objoid, Oid classoid, int objsubid, Acl *new_acl)

static Acl *	merge_acl_with_grant (Acl old_acl, bool is_grant, bool grant_option, DropBehavior behavior, List grantees, AclMode privileges, Oid grantorId, Oid ownerId)

void	ExecuteGrantStmt (GrantStmt *stmt)

void	ExecAlterDefaultPrivilegesStmt (ParseState pstate, AlterDefaultPrivilegesStmt stmt)

void	RemoveRoleFromObjectACL (Oid roleid, Oid classid, Oid objid)

static void	ExecGrant_Attribute (InternalGrant istmt, Oid relOid, const char relname, AttrNumber attnum, Oid ownerId, AclMode col_privileges, Relation attRelation, const Acl *old_rel_acl)

void	aclcheck_error (AclResult aclerr, ObjectType objtype, const char *objectname)

void	aclcheck_error_col (AclResult aclerr, ObjectType objtype, const char objectname, const char colname)

void	aclcheck_error_type (AclResult aclerr, Oid typeOid)

AclMode	pg_class_aclmask (Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how)

static AclMode	pg_parameter_aclmask (const char *name, Oid roleid, AclMode mask, AclMaskHow how)

AclResult	object_aclcheck (Oid classid, Oid objectid, Oid roleid, AclMode mode)

AclResult	object_aclcheck_ext (Oid classid, Oid objectid, Oid roleid, AclMode mode, bool *is_missing)

AclResult	pg_attribute_aclcheck (Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mode)

AclResult	pg_attribute_aclcheck_ext (Oid table_oid, AttrNumber attnum, Oid roleid, AclMode mode, bool *is_missing)

AclResult	pg_attribute_aclcheck_all (Oid table_oid, Oid roleid, AclMode mode, AclMaskHow how)

AclResult	pg_attribute_aclcheck_all_ext (Oid table_oid, Oid roleid, AclMode mode, AclMaskHow how, bool *is_missing)

AclResult	pg_class_aclcheck (Oid table_oid, Oid roleid, AclMode mode)

AclResult	pg_class_aclcheck_ext (Oid table_oid, Oid roleid, AclMode mode, bool *is_missing)

AclResult	pg_parameter_aclcheck (const char *name, Oid roleid, AclMode mode)

AclResult	pg_largeobject_aclcheck_snapshot (Oid lobj_oid, Oid roleid, AclMode mode, Snapshot snapshot)

bool	object_ownercheck (Oid classid, Oid objectid, Oid roleid)

bool	has_createrole_privilege (Oid roleid)

bool	has_bypassrls_privilege (Oid roleid)

static Acl *	get_default_acl_internal (Oid roleId, Oid nsp_oid, char objtype)

Acl *	get_user_default_acl (ObjectType objtype, Oid ownerId, Oid nsp_oid)

void	recordDependencyOnNewAcl (Oid classId, Oid objectId, int32 objsubId, Oid ownerId, Acl *acl)

void	recordExtObjInitPriv (Oid objoid, Oid classoid)

void	removeExtObjInitPriv (Oid objoid, Oid classoid)

void	ReplaceRoleInInitPriv (Oid oldroleid, Oid newroleid, Oid classid, Oid objid, int32 objsubid)

void	RemoveRoleFromInitPriv (Oid roleid, Oid classid, Oid objid, int32 objsubid)

Variables
bool	binary_upgrade_record_init_privs = false

Function Documentation

◆ aclcheck_error()

void aclcheck_error	(	AclResult	aclerr,
		ObjectType	objtype,
		const char *	objectname
	)

Definition at line 2639 of file aclchk.c.

{
    switch (aclerr)
    {
        case ACLCHECK_OK:
            /* no error, so return to caller */
            break;
        case ACLCHECK_NO_PRIV:
            {
                const char *msg = "???";
 
                switch (objtype)
                {
                    case OBJECT_AGGREGATE:
                        msg = gettext_noop("permission denied for aggregate %s");
                        break;
                    case OBJECT_COLLATION:
                        msg = gettext_noop("permission denied for collation %s");
                        break;
                    case OBJECT_COLUMN:
                        msg = gettext_noop("permission denied for column %s");
                        break;
                    case OBJECT_CONVERSION:
                        msg = gettext_noop("permission denied for conversion %s");
                        break;
                    case OBJECT_DATABASE:
                        msg = gettext_noop("permission denied for database %s");
                        break;
                    case OBJECT_DOMAIN:
                        msg = gettext_noop("permission denied for domain %s");
                        break;
                    case OBJECT_EVENT_TRIGGER:
                        msg = gettext_noop("permission denied for event trigger %s");
                        break;
                    case OBJECT_EXTENSION:
                        msg = gettext_noop("permission denied for extension %s");
                        break;
                    case OBJECT_FDW:
                        msg = gettext_noop("permission denied for foreign-data wrapper %s");
                        break;
                    case OBJECT_FOREIGN_SERVER:
                        msg = gettext_noop("permission denied for foreign server %s");
                        break;
                    case OBJECT_FOREIGN_TABLE:
                        msg = gettext_noop("permission denied for foreign table %s");
                        break;
                    case OBJECT_FUNCTION:
                        msg = gettext_noop("permission denied for function %s");
                        break;
                    case OBJECT_INDEX:
                        msg = gettext_noop("permission denied for index %s");
                        break;
                    case OBJECT_LANGUAGE:
                        msg = gettext_noop("permission denied for language %s");
                        break;
                    case OBJECT_LARGEOBJECT:
                        msg = gettext_noop("permission denied for large object %s");
                        break;
                    case OBJECT_MATVIEW:
                        msg = gettext_noop("permission denied for materialized view %s");
                        break;
                    case OBJECT_OPCLASS:
                        msg = gettext_noop("permission denied for operator class %s");
                        break;
                    case OBJECT_OPERATOR:
                        msg = gettext_noop("permission denied for operator %s");
                        break;
                    case OBJECT_OPFAMILY:
                        msg = gettext_noop("permission denied for operator family %s");
                        break;
                    case OBJECT_PARAMETER_ACL:
                        msg = gettext_noop("permission denied for parameter %s");
                        break;
                    case OBJECT_POLICY:
                        msg = gettext_noop("permission denied for policy %s");
                        break;
                    case OBJECT_PROCEDURE:
                        msg = gettext_noop("permission denied for procedure %s");
                        break;
                    case OBJECT_PUBLICATION:
                        msg = gettext_noop("permission denied for publication %s");
                        break;
                    case OBJECT_ROUTINE:
                        msg = gettext_noop("permission denied for routine %s");
                        break;
                    case OBJECT_SCHEMA:
                        msg = gettext_noop("permission denied for schema %s");
                        break;
                    case OBJECT_SEQUENCE:
                        msg = gettext_noop("permission denied for sequence %s");
                        break;
                    case OBJECT_STATISTIC_EXT:
                        msg = gettext_noop("permission denied for statistics object %s");
                        break;
                    case OBJECT_SUBSCRIPTION:
                        msg = gettext_noop("permission denied for subscription %s");
                        break;
                    case OBJECT_TABLE:
                        msg = gettext_noop("permission denied for table %s");
                        break;
                    case OBJECT_TABLESPACE:
                        msg = gettext_noop("permission denied for tablespace %s");
                        break;
                    case OBJECT_TSCONFIGURATION:
                        msg = gettext_noop("permission denied for text search configuration %s");
                        break;
                    case OBJECT_TSDICTIONARY:
                        msg = gettext_noop("permission denied for text search dictionary %s");
                        break;
                    case OBJECT_TYPE:
                        msg = gettext_noop("permission denied for type %s");
                        break;
                    case OBJECT_VIEW:
                        msg = gettext_noop("permission denied for view %s");
                        break;
                        /* these currently aren't used */
                    case OBJECT_ACCESS_METHOD:
                    case OBJECT_AMOP:
                    case OBJECT_AMPROC:
                    case OBJECT_ATTRIBUTE:
                    case OBJECT_CAST:
                    case OBJECT_DEFAULT:
                    case OBJECT_DEFACL:
                    case OBJECT_DOMCONSTRAINT:
                    case OBJECT_PUBLICATION_NAMESPACE:
                    case OBJECT_PUBLICATION_REL:
                    case OBJECT_ROLE:
                    case OBJECT_RULE:
                    case OBJECT_TABCONSTRAINT:
                    case OBJECT_TRANSFORM:
                    case OBJECT_TRIGGER:
                    case OBJECT_TSPARSER:
                    case OBJECT_TSTEMPLATE:
                    case OBJECT_USER_MAPPING:
                        elog(ERROR, "unsupported object type: %d", objtype);
                }
 
                ereport(ERROR,
                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                         errmsg(msg, objectname)));
                break;
            }
        case ACLCHECK_NOT_OWNER:
            {
                const char *msg = "???";
 
                switch (objtype)
                {
                    case OBJECT_AGGREGATE:
                        msg = gettext_noop("must be owner of aggregate %s");
                        break;
                    case OBJECT_COLLATION:
                        msg = gettext_noop("must be owner of collation %s");
                        break;
                    case OBJECT_CONVERSION:
                        msg = gettext_noop("must be owner of conversion %s");
                        break;
                    case OBJECT_DATABASE:
                        msg = gettext_noop("must be owner of database %s");
                        break;
                    case OBJECT_DOMAIN:
                        msg = gettext_noop("must be owner of domain %s");
                        break;
                    case OBJECT_EVENT_TRIGGER:
                        msg = gettext_noop("must be owner of event trigger %s");
                        break;
                    case OBJECT_EXTENSION:
                        msg = gettext_noop("must be owner of extension %s");
                        break;
                    case OBJECT_FDW:
                        msg = gettext_noop("must be owner of foreign-data wrapper %s");
                        break;
                    case OBJECT_FOREIGN_SERVER:
                        msg = gettext_noop("must be owner of foreign server %s");
                        break;
                    case OBJECT_FOREIGN_TABLE:
                        msg = gettext_noop("must be owner of foreign table %s");
                        break;
                    case OBJECT_FUNCTION:
                        msg = gettext_noop("must be owner of function %s");
                        break;
                    case OBJECT_INDEX:
                        msg = gettext_noop("must be owner of index %s");
                        break;
                    case OBJECT_LANGUAGE:
                        msg = gettext_noop("must be owner of language %s");
                        break;
                    case OBJECT_LARGEOBJECT:
                        msg = gettext_noop("must be owner of large object %s");
                        break;
                    case OBJECT_MATVIEW:
                        msg = gettext_noop("must be owner of materialized view %s");
                        break;
                    case OBJECT_OPCLASS:
                        msg = gettext_noop("must be owner of operator class %s");
                        break;
                    case OBJECT_OPERATOR:
                        msg = gettext_noop("must be owner of operator %s");
                        break;
                    case OBJECT_OPFAMILY:
                        msg = gettext_noop("must be owner of operator family %s");
                        break;
                    case OBJECT_PROCEDURE:
                        msg = gettext_noop("must be owner of procedure %s");
                        break;
                    case OBJECT_PUBLICATION:
                        msg = gettext_noop("must be owner of publication %s");
                        break;
                    case OBJECT_ROUTINE:
                        msg = gettext_noop("must be owner of routine %s");
                        break;
                    case OBJECT_SEQUENCE:
                        msg = gettext_noop("must be owner of sequence %s");
                        break;
                    case OBJECT_SUBSCRIPTION:
                        msg = gettext_noop("must be owner of subscription %s");
                        break;
                    case OBJECT_TABLE:
                        msg = gettext_noop("must be owner of table %s");
                        break;
                    case OBJECT_TYPE:
                        msg = gettext_noop("must be owner of type %s");
                        break;
                    case OBJECT_VIEW:
                        msg = gettext_noop("must be owner of view %s");
                        break;
                    case OBJECT_SCHEMA:
                        msg = gettext_noop("must be owner of schema %s");
                        break;
                    case OBJECT_STATISTIC_EXT:
                        msg = gettext_noop("must be owner of statistics object %s");
                        break;
                    case OBJECT_TABLESPACE:
                        msg = gettext_noop("must be owner of tablespace %s");
                        break;
                    case OBJECT_TSCONFIGURATION:
                        msg = gettext_noop("must be owner of text search configuration %s");
                        break;
                    case OBJECT_TSDICTIONARY:
                        msg = gettext_noop("must be owner of text search dictionary %s");
                        break;
 
                        /*
                         * Special cases: For these, the error message talks
                         * about "relation", because that's where the
                         * ownership is attached.  See also
                         * check_object_ownership().
                         */
                    case OBJECT_COLUMN:
                    case OBJECT_POLICY:
                    case OBJECT_RULE:
                    case OBJECT_TABCONSTRAINT:
                    case OBJECT_TRIGGER:
                        msg = gettext_noop("must be owner of relation %s");
                        break;
                        /* these currently aren't used */
                    case OBJECT_ACCESS_METHOD:
                    case OBJECT_AMOP:
                    case OBJECT_AMPROC:
                    case OBJECT_ATTRIBUTE:
                    case OBJECT_CAST:
                    case OBJECT_DEFAULT:
                    case OBJECT_DEFACL:
                    case OBJECT_DOMCONSTRAINT:
                    case OBJECT_PARAMETER_ACL:
                    case OBJECT_PUBLICATION_NAMESPACE:
                    case OBJECT_PUBLICATION_REL:
                    case OBJECT_ROLE:
                    case OBJECT_TRANSFORM:
                    case OBJECT_TSPARSER:
                    case OBJECT_TSTEMPLATE:
                    case OBJECT_USER_MAPPING:
                        elog(ERROR, "unsupported object type: %d", objtype);
                }
 
                ereport(ERROR,
                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                         errmsg(msg, objectname)));
                break;
            }
        default:
            elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
            break;
    }
}

References ACLCHECK_NO_PRIV, ACLCHECK_NOT_OWNER, ACLCHECK_OK, elog, ereport, errcode(), errmsg(), ERROR, gettext_noop, OBJECT_ACCESS_METHOD, OBJECT_AGGREGATE, OBJECT_AMOP, OBJECT_AMPROC, OBJECT_ATTRIBUTE, OBJECT_CAST, OBJECT_COLLATION, OBJECT_COLUMN, OBJECT_CONVERSION, OBJECT_DATABASE, OBJECT_DEFACL, OBJECT_DEFAULT, OBJECT_DOMAIN, OBJECT_DOMCONSTRAINT, OBJECT_EVENT_TRIGGER, OBJECT_EXTENSION, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FOREIGN_TABLE, OBJECT_FUNCTION, OBJECT_INDEX, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_MATVIEW, OBJECT_OPCLASS, OBJECT_OPERATOR, OBJECT_OPFAMILY, OBJECT_PARAMETER_ACL, OBJECT_POLICY, OBJECT_PROCEDURE, OBJECT_PUBLICATION, OBJECT_PUBLICATION_NAMESPACE, OBJECT_PUBLICATION_REL, OBJECT_ROLE, OBJECT_ROUTINE, OBJECT_RULE, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_STATISTIC_EXT, OBJECT_SUBSCRIPTION, OBJECT_TABCONSTRAINT, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TRANSFORM, OBJECT_TRIGGER, OBJECT_TSCONFIGURATION, OBJECT_TSDICTIONARY, OBJECT_TSPARSER, OBJECT_TSTEMPLATE, OBJECT_TYPE, OBJECT_USER_MAPPING, and OBJECT_VIEW.

Referenced by aclcheck_error_col(), aclcheck_error_type(), AlterCollation(), AlterDatabase(), AlterDatabaseOwner(), AlterDatabaseRefreshColl(), AlterDatabaseSet(), AlterEventTrigger(), AlterEventTriggerOwner_internal(), AlterExtensionNamespace(), AlterForeignServer(), AlterForeignServerOwner_internal(), AlterFunction(), AlterObjectNamespace_internal(), AlterObjectOwner_internal(), AlterObjectRename_internal(), AlterOperator(), AlterOpFamilyAdd(), AlterPublication(), AlterPublicationOwner_internal(), AlterRoleSet(), AlterSchemaOwner_internal(), AlterStatistics(), AlterSubscription(), AlterSubscriptionOwner_internal(), AlterTableMoveAll(), AlterTableSpaceOptions(), AlterTSConfiguration(), AlterTSDictionary(), AlterTypeOwner(), ATExecChangeOwner(), ATPrepSetTableSpace(), ATSimplePermissions(), brin_desummarize_range(), brin_summarize_range(), calculate_database_size(), calculate_tablespace_size(), call_pltcl_start_proc(), check_object_ownership(), check_temp_tablespaces(), checkFkeyPermissions(), CheckFunctionValidatorAccess(), compute_return_type(), CreateConversionCommand(), createdb(), CreateForeignServer(), CreateForeignTable(), CreateFunction(), CreateProceduralLanguage(), CreatePublication(), CreateSchemaCommand(), CreateStatistics(), CreateSubscription(), CreateTransform(), CreateTriggerFiringOn(), currtid_internal(), DefineAggregate(), DefineCollation(), DefineDomain(), DefineEnum(), DefineIndex(), DefineOpClass(), DefineOperator(), DefineOpFamily(), DefineQueryRewrite(), DefineRange(), DefineRelation(), DefineTSConfiguration(), DefineTSDictionary(), DefineType(), dropdb(), DropSubscription(), DropTableSpace(), EnableDisableRule(), ExecAlterExtensionContentsStmt(), ExecAlterExtensionStmt(), ExecBuildGroupingEqual(), ExecBuildParamSetEqual(), ExecCheckPermissions(), ExecInitAgg(), ExecInitExprRec(), ExecInitFunc(), ExecInitWindowAgg(), ExecReindex(), ExecuteCallStmt(), ExecuteDoStmt(), ExecuteTruncateGuts(), findRangeCanonicalFunction(), findRangeSubtypeDiffFunction(), get_connect_string(), get_other_operator(), get_rel_from_relname(), gin_clean_pending_list(), HandleFunctionRequest(), heap_force_common(), ImportForeignSchema(), init_sexpr(), initialize_peragg(), LockViewRecurse_walker(), LogicalRepSyncTableStart(), lookup_agg_function(), LookupCreationNamespace(), LookupExplicitNamespace(), MergeAttributes(), movedb(), OperatorCreate(), pg_prewarm(), pgrowlocks(), ProcedureCreate(), PublicationAddTables(), RangeVarCallbackForAlterRelation(), RangeVarCallbackForDropRelation(), RangeVarCallbackForLockTable(), RangeVarCallbackForPolicy(), RangeVarCallbackForReindexIndex(), RangeVarCallbackForRenameRule(), RangeVarCallbackForRenameTrigger(), RangeVarCallbackMaintainsTable(), RangeVarCallbackOwnsRelation(), RangeVarGetAndCheckCreationNamespace(), ReindexMultipleInternal(), ReindexMultipleTables(), renameatt_check(), RenameDatabase(), RenameSchema(), RenameTableSpace(), restrict_and_check_grant(), stats_lock_check_privileges(), TargetPrivilegesCheck(), transformTableLikeClause(), truncate_check_perms(), TypeCreate(), user_mapping_ddl_aclcheck(), ValidateJoinEstimator(), ValidateOperatorReference(), and ValidateRestrictionEstimator().

◆ aclcheck_error_col()

void aclcheck_error_col	(	AclResult	aclerr,
		ObjectType	objtype,
		const char *	objectname,
		const char *	colname
	)

Definition at line 2928 of file aclchk.c.

{
    switch (aclerr)
    {
        case ACLCHECK_OK:
            /* no error, so return to caller */
            break;
        case ACLCHECK_NO_PRIV:
            ereport(ERROR,
                    (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                     errmsg("permission denied for column \"%s\" of relation \"%s\"",
                            colname, objectname)));
            break;
        case ACLCHECK_NOT_OWNER:
            /* relation msg is OK since columns don't have separate owners */
            aclcheck_error(aclerr, objtype, objectname);
            break;
        default:
            elog(ERROR, "unrecognized AclResult: %d", (int) aclerr);
            break;
    }
}

References aclcheck_error(), ACLCHECK_NO_PRIV, ACLCHECK_NOT_OWNER, ACLCHECK_OK, elog, ereport, errcode(), errmsg(), and ERROR.

Referenced by restrict_and_check_grant().

◆ aclcheck_error_type()

void aclcheck_error_type	(	AclResult	aclerr,
		Oid	typeOid
	)

Definition at line 2958 of file aclchk.c.

{
    Oid         element_type = get_element_type(typeOid);
 
    aclcheck_error(aclerr, OBJECT_TYPE, format_type_be(element_type ? element_type : typeOid));
}

References aclcheck_error(), format_type_be(), get_element_type(), and OBJECT_TYPE.

Referenced by AggregateCreate(), AlterType(), AlterTypeNamespace_oid(), AlterTypeOwner(), ATPrepAlterColumnType(), BuildDescForRelation(), check_object_ownership(), checkDomainOwner(), checkEnumOwner(), compute_return_type(), CreateCast(), CreateTransform(), DefineDomain(), DefineOpClass(), DefineOperator(), DefineRelation(), interpret_function_parameter_list(), and RenameType().

◆ ExecAlterDefaultPrivilegesStmt()

void ExecAlterDefaultPrivilegesStmt	(	ParseState *	pstate,
		AlterDefaultPrivilegesStmt *	stmt
	)

Definition at line 903 of file aclchk.c.

{
    GrantStmt  *action = stmt->action;
    InternalDefaultACL iacls;
    ListCell   *cell;
    List       *rolespecs = NIL;
    List       *nspnames = NIL;
    DefElem    *drolespecs = NULL;
    DefElem    *dnspnames = NULL;
    AclMode     all_privileges;
    const char *errormsg;
 
    /* Deconstruct the "options" part of the statement */
    foreach(cell, stmt->options)
    {
        DefElem    *defel = (DefElem *) lfirst(cell);
 
        if (strcmp(defel->defname, "schemas") == 0)
        {
            if (dnspnames)
                errorConflictingDefElem(defel, pstate);
            dnspnames = defel;
        }
        else if (strcmp(defel->defname, "roles") == 0)
        {
            if (drolespecs)
                errorConflictingDefElem(defel, pstate);
            drolespecs = defel;
        }
        else
            elog(ERROR, "option \"%s\" not recognized", defel->defname);
    }
 
    if (dnspnames)
        nspnames = (List *) dnspnames->arg;
    if (drolespecs)
        rolespecs = (List *) drolespecs->arg;
 
    /* Prepare the InternalDefaultACL representation of the statement */
    /* roleid to be filled below */
    /* nspid to be filled in SetDefaultACLsInSchemas */
    iacls.is_grant = action->is_grant;
    iacls.objtype = action->objtype;
    /* all_privs to be filled below */
    /* privileges to be filled below */
    iacls.grantees = NIL;       /* filled below */
    iacls.grant_option = action->grant_option;
    iacls.behavior = action->behavior;
 
    /*
     * Convert the RoleSpec list into an Oid list.  Note that at this point we
     * insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
     * there shouldn't be any additional work needed to support this case.
     */
    foreach(cell, action->grantees)
    {
        RoleSpec   *grantee = (RoleSpec *) lfirst(cell);
        Oid         grantee_uid;
 
        switch (grantee->roletype)
        {
            case ROLESPEC_PUBLIC:
                grantee_uid = ACL_ID_PUBLIC;
                break;
            default:
                grantee_uid = get_rolespec_oid(grantee, false);
                break;
        }
        iacls.grantees = lappend_oid(iacls.grantees, grantee_uid);
    }
 
    /*
     * Convert action->privileges, a list of privilege strings, into an
     * AclMode bitmask.
     */
    switch (action->objtype)
    {
        case OBJECT_TABLE:
            all_privileges = ACL_ALL_RIGHTS_RELATION;
            errormsg = gettext_noop("invalid privilege type %s for relation");
            break;
        case OBJECT_SEQUENCE:
            all_privileges = ACL_ALL_RIGHTS_SEQUENCE;
            errormsg = gettext_noop("invalid privilege type %s for sequence");
            break;
        case OBJECT_FUNCTION:
            all_privileges = ACL_ALL_RIGHTS_FUNCTION;
            errormsg = gettext_noop("invalid privilege type %s for function");
            break;
        case OBJECT_PROCEDURE:
            all_privileges = ACL_ALL_RIGHTS_FUNCTION;
            errormsg = gettext_noop("invalid privilege type %s for procedure");
            break;
        case OBJECT_ROUTINE:
            all_privileges = ACL_ALL_RIGHTS_FUNCTION;
            errormsg = gettext_noop("invalid privilege type %s for routine");
            break;
        case OBJECT_TYPE:
            all_privileges = ACL_ALL_RIGHTS_TYPE;
            errormsg = gettext_noop("invalid privilege type %s for type");
            break;
        case OBJECT_SCHEMA:
            all_privileges = ACL_ALL_RIGHTS_SCHEMA;
            errormsg = gettext_noop("invalid privilege type %s for schema");
            break;
        case OBJECT_LARGEOBJECT:
            all_privileges = ACL_ALL_RIGHTS_LARGEOBJECT;
            errormsg = gettext_noop("invalid privilege type %s for large object");
            break;
        default:
            elog(ERROR, "unrecognized GrantStmt.objtype: %d",
                 (int) action->objtype);
            /* keep compiler quiet */
            all_privileges = ACL_NO_RIGHTS;
            errormsg = NULL;
    }
 
    if (action->privileges == NIL)
    {
        iacls.all_privs = true;
 
        /*
         * will be turned into ACL_ALL_RIGHTS_* by the internal routines
         * depending on the object type
         */
        iacls.privileges = ACL_NO_RIGHTS;
    }
    else
    {
        iacls.all_privs = false;
        iacls.privileges = ACL_NO_RIGHTS;
 
        foreach(cell, action->privileges)
        {
            AccessPriv *privnode = (AccessPriv *) lfirst(cell);
            AclMode     priv;
 
            if (privnode->cols)
                ereport(ERROR,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg("default privileges cannot be set for columns")));
 
            if (privnode->priv_name == NULL)    /* parser mistake? */
                elog(ERROR, "AccessPriv node must specify privilege");
            priv = string_to_privilege(privnode->priv_name);
 
            if (priv & ~((AclMode) all_privileges))
                ereport(ERROR,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg(errormsg, privilege_to_string(priv))));
 
            iacls.privileges |= priv;
        }
    }
 
    if (rolespecs == NIL)
    {
        /* Set permissions for myself */
        iacls.roleid = GetUserId();
 
        SetDefaultACLsInSchemas(&iacls, nspnames);
    }
    else
    {
        /* Look up the role OIDs and do permissions checks */
        ListCell   *rolecell;
 
        foreach(rolecell, rolespecs)
        {
            RoleSpec   *rolespec = lfirst(rolecell);
 
            iacls.roleid = get_rolespec_oid(rolespec, false);
 
            if (!has_privs_of_role(GetUserId(), iacls.roleid))
                ereport(ERROR,
                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                         errmsg("permission denied to change default privileges")));
 
            SetDefaultACLsInSchemas(&iacls, nspnames);
        }
    }
}

Referenced by ProcessUtilitySlow().

◆ ExecGrant_Attribute()

static void ExecGrant_Attribute	(	InternalGrant *	istmt,
		Oid	relOid,
		const char *	relname,
		AttrNumber	attnum,
		Oid	ownerId,
		AclMode	col_privileges,
		Relation	attRelation,
		const Acl *	old_rel_acl
	)

static

Definition at line 1624 of file aclchk.c.

{
    HeapTuple   attr_tuple;
    Form_pg_attribute pg_attribute_tuple;
    Acl        *old_acl;
    Acl        *new_acl;
    Acl        *merged_acl;
    Datum       aclDatum;
    bool        isNull;
    Oid         grantorId;
    AclMode     avail_goptions;
    bool        need_update;
    HeapTuple   newtuple;
    Datum       values[Natts_pg_attribute] = {0};
    bool        nulls[Natts_pg_attribute] = {0};
    bool        replaces[Natts_pg_attribute] = {0};
    int         noldmembers;
    int         nnewmembers;
    Oid        *oldmembers;
    Oid        *newmembers;
 
    attr_tuple = SearchSysCache2(ATTNUM,
                                 ObjectIdGetDatum(relOid),
                                 Int16GetDatum(attnum));
    if (!HeapTupleIsValid(attr_tuple))
        elog(ERROR, "cache lookup failed for attribute %d of relation %u",
             attnum, relOid);
    pg_attribute_tuple = (Form_pg_attribute) GETSTRUCT(attr_tuple);
 
    /*
     * Get working copy of existing ACL. If there's no ACL, substitute the
     * proper default.
     */
    aclDatum = SysCacheGetAttr(ATTNUM, attr_tuple, Anum_pg_attribute_attacl,
                               &isNull);
    if (isNull)
    {
        old_acl = acldefault(OBJECT_COLUMN, ownerId);
        /* There are no old member roles according to the catalogs */
        noldmembers = 0;
        oldmembers = NULL;
    }
    else
    {
        old_acl = DatumGetAclPCopy(aclDatum);
        /* Get the roles mentioned in the existing ACL */
        noldmembers = aclmembers(old_acl, &oldmembers);
    }
 
    /*
     * In select_best_grantor we should consider existing table-level ACL bits
     * as well as the per-column ACL.  Build a new ACL that is their
     * concatenation.  (This is a bit cheap and dirty compared to merging them
     * properly with no duplications, but it's all we need here.)
     */
    merged_acl = aclconcat(old_rel_acl, old_acl);
 
    /* Determine ID to do the grant as, and available grant options */
    select_best_grantor(GetUserId(), col_privileges,
                        merged_acl, ownerId,
                        &grantorId, &avail_goptions);
 
    pfree(merged_acl);
 
    /*
     * Restrict the privileges to what we can actually grant, and emit the
     * standards-mandated warning and error messages.  Note: we don't track
     * whether the user actually used the ALL PRIVILEGES(columns) syntax for
     * each column; we just approximate it by whether all the possible
     * privileges are specified now.  Since the all_privs flag only determines
     * whether a warning is issued, this seems close enough.
     */
    col_privileges =
        restrict_and_check_grant(istmt->is_grant, avail_goptions,
                                 (col_privileges == ACL_ALL_RIGHTS_COLUMN),
                                 col_privileges,
                                 relOid, grantorId, OBJECT_COLUMN,
                                 relname, attnum,
                                 NameStr(pg_attribute_tuple->attname));
 
    /*
     * Generate new ACL.
     */
    new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
                                   istmt->grant_option,
                                   istmt->behavior, istmt->grantees,
                                   col_privileges, grantorId,
                                   ownerId);
 
    /*
     * We need the members of both old and new ACLs so we can correct the
     * shared dependency information.
     */
    nnewmembers = aclmembers(new_acl, &newmembers);
 
    /* finished building new ACL value, now insert it */
 
    /*
     * If the updated ACL is empty, we can set attacl to null, and maybe even
     * avoid an update of the pg_attribute row.  This is worth testing because
     * we'll come through here multiple times for any relation-level REVOKE,
     * even if there were never any column GRANTs.  Note we are assuming that
     * the "default" ACL state for columns is empty.
     */
    if (ACL_NUM(new_acl) > 0)
    {
        values[Anum_pg_attribute_attacl - 1] = PointerGetDatum(new_acl);
        need_update = true;
    }
    else
    {
        nulls[Anum_pg_attribute_attacl - 1] = true;
        need_update = !isNull;
    }
    replaces[Anum_pg_attribute_attacl - 1] = true;
 
    if (need_update)
    {
        newtuple = heap_modify_tuple(attr_tuple, RelationGetDescr(attRelation),
                                     values, nulls, replaces);
 
        CatalogTupleUpdate(attRelation, &newtuple->t_self, newtuple);
 
        /* Update initial privileges for extensions */
        recordExtensionInitPriv(relOid, RelationRelationId, attnum,
                                ACL_NUM(new_acl) > 0 ? new_acl : NULL);
 
        /* Update the shared dependency ACL info */
        updateAclDependencies(RelationRelationId, relOid, attnum,
                              ownerId,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
    }
 
    pfree(new_acl);
 
    ReleaseSysCache(attr_tuple);
}

References ACL_ALL_RIGHTS_COLUMN, ACL_NUM, aclconcat(), acldefault(), aclmembers(), attnum, InternalGrant::behavior, CatalogTupleUpdate(), DatumGetAclPCopy, elog, ERROR, GETSTRUCT(), GetUserId(), InternalGrant::grant_option, InternalGrant::grantees, heap_modify_tuple(), HeapTupleIsValid, Int16GetDatum(), InternalGrant::is_grant, merge_acl_with_grant(), NameStr, OBJECT_COLUMN, ObjectIdGetDatum(), pfree(), PointerGetDatum(), recordExtensionInitPriv(), RelationGetDescr, ReleaseSysCache(), relname, restrict_and_check_grant(), SearchSysCache2(), select_best_grantor(), SysCacheGetAttr(), HeapTupleData::t_self, updateAclDependencies(), and values.

Referenced by ExecGrant_Relation().

◆ ExecGrant_common()

static void ExecGrant_common	(	InternalGrant *	istmt,
		Oid	classid,
		AclMode	default_privs,
		void()(InternalGrant istmt, HeapTuple tuple)	object_check
	)

static

Definition at line 2100 of file aclchk.c.

{
    int         cacheid;
    Relation    relation;
    ListCell   *cell;
 
    if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
        istmt->privileges = default_privs;
 
    cacheid = get_object_catcache_oid(classid);
 
    relation = table_open(classid, RowExclusiveLock);
 
    foreach(cell, istmt->objects)
    {
        Oid         objectid = lfirst_oid(cell);
        Datum       aclDatum;
        Datum       nameDatum;
        bool        isNull;
        AclMode     avail_goptions;
        AclMode     this_privileges;
        Acl        *old_acl;
        Acl        *new_acl;
        Oid         grantorId;
        Oid         ownerId;
        HeapTuple   tuple;
        HeapTuple   newtuple;
        Datum      *values = palloc0_array(Datum, RelationGetDescr(relation)->natts);
        bool       *nulls = palloc0_array(bool, RelationGetDescr(relation)->natts);
        bool       *replaces = palloc0_array(bool, RelationGetDescr(relation)->natts);
        int         noldmembers;
        int         nnewmembers;
        Oid        *oldmembers;
        Oid        *newmembers;
 
        tuple = SearchSysCacheLocked1(cacheid, ObjectIdGetDatum(objectid));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for %s %u", get_object_class_descr(classid), objectid);
 
        /*
         * Additional object-type-specific checks
         */
        if (object_check)
            object_check(istmt, tuple);
 
        /*
         * Get owner ID and working copy of existing ACL. If there's no ACL,
         * substitute the proper default.
         */
        ownerId = DatumGetObjectId(SysCacheGetAttrNotNull(cacheid,
                                                          tuple,
                                                          get_object_attnum_owner(classid)));
        aclDatum = SysCacheGetAttr(cacheid,
                                   tuple,
                                   get_object_attnum_acl(classid),
                                   &isNull);
        if (isNull)
        {
            old_acl = acldefault(get_object_type(classid, objectid), ownerId);
            /* There are no old member roles according to the catalogs */
            noldmembers = 0;
            oldmembers = NULL;
        }
        else
        {
            old_acl = DatumGetAclPCopy(aclDatum);
            /* Get the roles mentioned in the existing ACL */
            noldmembers = aclmembers(old_acl, &oldmembers);
        }
 
        /* Determine ID to do the grant as, and available grant options */
        select_best_grantor(GetUserId(), istmt->privileges,
                            old_acl, ownerId,
                            &grantorId, &avail_goptions);
 
        nameDatum = SysCacheGetAttrNotNull(cacheid, tuple,
                                           get_object_attnum_name(classid));
 
        /*
         * Restrict the privileges to what we can actually grant, and emit the
         * standards-mandated warning and error messages.
         */
        this_privileges =
            restrict_and_check_grant(istmt->is_grant, avail_goptions,
                                     istmt->all_privs, istmt->privileges,
                                     objectid, grantorId, get_object_type(classid, objectid),
                                     NameStr(*DatumGetName(nameDatum)),
                                     0, NULL);
 
        /*
         * Generate new ACL.
         */
        new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
                                       istmt->grant_option, istmt->behavior,
                                       istmt->grantees, this_privileges,
                                       grantorId, ownerId);
 
        /*
         * We need the members of both old and new ACLs so we can correct the
         * shared dependency information.
         */
        nnewmembers = aclmembers(new_acl, &newmembers);
 
        /* finished building new ACL value, now insert it */
        replaces[get_object_attnum_acl(classid) - 1] = true;
        values[get_object_attnum_acl(classid) - 1] = PointerGetDatum(new_acl);
 
        newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation), values,
                                     nulls, replaces);
 
        CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
        UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock);
 
        /* Update initial privileges for extensions */
        recordExtensionInitPriv(objectid, classid, 0, new_acl);
 
        /* Update the shared dependency ACL info */
        updateAclDependencies(classid,
                              objectid, 0,
                              ownerId,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
 
        ReleaseSysCache(tuple);
 
        pfree(new_acl);
 
        /* prevent error when processing duplicate objects */
        CommandCounterIncrement();
    }
 
    table_close(relation, RowExclusiveLock);
}

References ACL_NO_RIGHTS, acldefault(), aclmembers(), InternalGrant::all_privs, InternalGrant::behavior, CatalogTupleUpdate(), CommandCounterIncrement(), DatumGetAclPCopy, DatumGetName(), DatumGetObjectId(), elog, ERROR, get_object_attnum_acl(), get_object_attnum_name(), get_object_attnum_owner(), get_object_catcache_oid(), get_object_class_descr(), get_object_type(), GetUserId(), InternalGrant::grant_option, InternalGrant::grantees, heap_modify_tuple(), HeapTupleIsValid, InplaceUpdateTupleLock, InternalGrant::is_grant, lfirst_oid, merge_acl_with_grant(), NameStr, ObjectIdGetDatum(), InternalGrant::objects, palloc0_array, pfree(), PointerGetDatum(), InternalGrant::privileges, recordExtensionInitPriv(), RelationGetDescr, ReleaseSysCache(), restrict_and_check_grant(), RowExclusiveLock, SearchSysCacheLocked1(), select_best_grantor(), SysCacheGetAttr(), SysCacheGetAttrNotNull(), HeapTupleData::t_self, table_close(), table_open(), UnlockTuple(), updateAclDependencies(), and values.

Referenced by ExecGrantStmt_oids().

◆ ExecGrant_Language_check()

static void ExecGrant_Language_check	(	InternalGrant *	istmt,
		HeapTuple	tuple
	)

static

Definition at line 2236 of file aclchk.c.

{
    Form_pg_language pg_language_tuple;
 
    pg_language_tuple = (Form_pg_language) GETSTRUCT(tuple);
 
    if (!pg_language_tuple->lanpltrusted)
        ereport(ERROR,
                (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                 errmsg("language \"%s\" is not trusted",
                        NameStr(pg_language_tuple->lanname)),
                 errdetail("GRANT and REVOKE are not allowed on untrusted languages, "
                           "because only superusers can use untrusted languages.")));
}

References ereport, errcode(), errdetail(), errmsg(), ERROR, GETSTRUCT(), and NameStr.

Referenced by ExecGrantStmt_oids().

◆ ExecGrant_Largeobject()

static void ExecGrant_Largeobject ( InternalGrant * istmt )

static

Definition at line 2252 of file aclchk.c.

{
    Relation    relation;
    ListCell   *cell;
 
    if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
        istmt->privileges = ACL_ALL_RIGHTS_LARGEOBJECT;
 
    relation = table_open(LargeObjectMetadataRelationId,
                          RowExclusiveLock);
 
    foreach(cell, istmt->objects)
    {
        Oid         loid = lfirst_oid(cell);
        Form_pg_largeobject_metadata form_lo_meta;
        char        loname[NAMEDATALEN];
        Datum       aclDatum;
        bool        isNull;
        AclMode     avail_goptions;
        AclMode     this_privileges;
        Acl        *old_acl;
        Acl        *new_acl;
        Oid         grantorId;
        Oid         ownerId;
        HeapTuple   newtuple;
        Datum       values[Natts_pg_largeobject_metadata] = {0};
        bool        nulls[Natts_pg_largeobject_metadata] = {0};
        bool        replaces[Natts_pg_largeobject_metadata] = {0};
        int         noldmembers;
        int         nnewmembers;
        Oid        *oldmembers;
        Oid        *newmembers;
        ScanKeyData entry[1];
        SysScanDesc scan;
        HeapTuple   tuple;
 
        /* There's no syscache for pg_largeobject_metadata */
        ScanKeyInit(&entry[0],
                    Anum_pg_largeobject_metadata_oid,
                    BTEqualStrategyNumber, F_OIDEQ,
                    ObjectIdGetDatum(loid));
 
        scan = systable_beginscan(relation,
                                  LargeObjectMetadataOidIndexId, true,
                                  NULL, 1, entry);
 
        tuple = systable_getnext(scan);
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "could not find tuple for large object %u", loid);
 
        form_lo_meta = (Form_pg_largeobject_metadata) GETSTRUCT(tuple);
 
        /*
         * Get owner ID and working copy of existing ACL. If there's no ACL,
         * substitute the proper default.
         */
        ownerId = form_lo_meta->lomowner;
        aclDatum = heap_getattr(tuple,
                                Anum_pg_largeobject_metadata_lomacl,
                                RelationGetDescr(relation), &isNull);
        if (isNull)
        {
            old_acl = acldefault(OBJECT_LARGEOBJECT, ownerId);
            /* There are no old member roles according to the catalogs */
            noldmembers = 0;
            oldmembers = NULL;
        }
        else
        {
            old_acl = DatumGetAclPCopy(aclDatum);
            /* Get the roles mentioned in the existing ACL */
            noldmembers = aclmembers(old_acl, &oldmembers);
        }
 
        /* Determine ID to do the grant as, and available grant options */
        select_best_grantor(GetUserId(), istmt->privileges,
                            old_acl, ownerId,
                            &grantorId, &avail_goptions);
 
        /*
         * Restrict the privileges to what we can actually grant, and emit the
         * standards-mandated warning and error messages.
         */
        snprintf(loname, sizeof(loname), "large object %u", loid);
        this_privileges =
            restrict_and_check_grant(istmt->is_grant, avail_goptions,
                                     istmt->all_privs, istmt->privileges,
                                     loid, grantorId, OBJECT_LARGEOBJECT,
                                     loname, 0, NULL);
 
        /*
         * Generate new ACL.
         */
        new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
                                       istmt->grant_option, istmt->behavior,
                                       istmt->grantees, this_privileges,
                                       grantorId, ownerId);
 
        /*
         * We need the members of both old and new ACLs so we can correct the
         * shared dependency information.
         */
        nnewmembers = aclmembers(new_acl, &newmembers);
 
        /* finished building new ACL value, now insert it */
        replaces[Anum_pg_largeobject_metadata_lomacl - 1] = true;
        values[Anum_pg_largeobject_metadata_lomacl - 1]
            = PointerGetDatum(new_acl);
 
        newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
                                     values, nulls, replaces);
 
        CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
 
        /* Update initial privileges for extensions */
        recordExtensionInitPriv(loid, LargeObjectRelationId, 0, new_acl);
 
        /* Update the shared dependency ACL info */
        updateAclDependencies(LargeObjectRelationId,
                              form_lo_meta->oid, 0,
                              ownerId,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
 
        systable_endscan(scan);
 
        pfree(new_acl);
 
        /* prevent error when processing duplicate objects */
        CommandCounterIncrement();
    }
 
    table_close(relation, RowExclusiveLock);
}

References ACL_ALL_RIGHTS_LARGEOBJECT, ACL_NO_RIGHTS, acldefault(), aclmembers(), InternalGrant::all_privs, InternalGrant::behavior, BTEqualStrategyNumber, CatalogTupleUpdate(), CommandCounterIncrement(), DatumGetAclPCopy, elog, ERROR, GETSTRUCT(), GetUserId(), InternalGrant::grant_option, InternalGrant::grantees, heap_getattr(), heap_modify_tuple(), HeapTupleIsValid, InternalGrant::is_grant, lfirst_oid, merge_acl_with_grant(), NAMEDATALEN, OBJECT_LARGEOBJECT, ObjectIdGetDatum(), InternalGrant::objects, pfree(), PointerGetDatum(), InternalGrant::privileges, recordExtensionInitPriv(), RelationGetDescr, restrict_and_check_grant(), RowExclusiveLock, ScanKeyInit(), select_best_grantor(), snprintf, systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), updateAclDependencies(), and values.

Referenced by ExecGrantStmt_oids().

◆ ExecGrant_Parameter()

static void ExecGrant_Parameter ( InternalGrant * istmt )

static

Definition at line 2408 of file aclchk.c.

{
    Relation    relation;
    ListCell   *cell;
 
    if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
        istmt->privileges = ACL_ALL_RIGHTS_PARAMETER_ACL;
 
    relation = table_open(ParameterAclRelationId, RowExclusiveLock);
 
    foreach(cell, istmt->objects)
    {
        Oid         parameterId = lfirst_oid(cell);
        Datum       nameDatum;
        const char *parname;
        Datum       aclDatum;
        bool        isNull;
        AclMode     avail_goptions;
        AclMode     this_privileges;
        Acl        *old_acl;
        Acl        *new_acl;
        Oid         grantorId;
        Oid         ownerId;
        HeapTuple   tuple;
        int         noldmembers;
        int         nnewmembers;
        Oid        *oldmembers;
        Oid        *newmembers;
 
        tuple = SearchSysCache1(PARAMETERACLOID, ObjectIdGetDatum(parameterId));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for parameter ACL %u",
                 parameterId);
 
        /* We'll need the GUC's name */
        nameDatum = SysCacheGetAttrNotNull(PARAMETERACLOID, tuple,
                                           Anum_pg_parameter_acl_parname);
        parname = TextDatumGetCString(nameDatum);
 
        /* Treat all parameters as belonging to the bootstrap superuser. */
        ownerId = BOOTSTRAP_SUPERUSERID;
 
        /*
         * Get working copy of existing ACL. If there's no ACL, substitute the
         * proper default.
         */
        aclDatum = SysCacheGetAttr(PARAMETERACLOID, tuple,
                                   Anum_pg_parameter_acl_paracl,
                                   &isNull);
 
        if (isNull)
        {
            old_acl = acldefault(istmt->objtype, ownerId);
            /* There are no old member roles according to the catalogs */
            noldmembers = 0;
            oldmembers = NULL;
        }
        else
        {
            old_acl = DatumGetAclPCopy(aclDatum);
            /* Get the roles mentioned in the existing ACL */
            noldmembers = aclmembers(old_acl, &oldmembers);
        }
 
        /* Determine ID to do the grant as, and available grant options */
        select_best_grantor(GetUserId(), istmt->privileges,
                            old_acl, ownerId,
                            &grantorId, &avail_goptions);
 
        /*
         * Restrict the privileges to what we can actually grant, and emit the
         * standards-mandated warning and error messages.
         */
        this_privileges =
            restrict_and_check_grant(istmt->is_grant, avail_goptions,
                                     istmt->all_privs, istmt->privileges,
                                     parameterId, grantorId,
                                     OBJECT_PARAMETER_ACL,
                                     parname,
                                     0, NULL);
 
        /*
         * Generate new ACL.
         */
        new_acl = merge_acl_with_grant(old_acl, istmt->is_grant,
                                       istmt->grant_option, istmt->behavior,
                                       istmt->grantees, this_privileges,
                                       grantorId, ownerId);
 
        /*
         * We need the members of both old and new ACLs so we can correct the
         * shared dependency information.
         */
        nnewmembers = aclmembers(new_acl, &newmembers);
 
        /*
         * If the new ACL is equal to the default, we don't need the catalog
         * entry any longer.  Delete it rather than updating it, to avoid
         * leaving a degenerate entry.
         */
        if (aclequal(new_acl, acldefault(istmt->objtype, ownerId)))
        {
            CatalogTupleDelete(relation, &tuple->t_self);
        }
        else
        {
            /* finished building new ACL value, now insert it */
            HeapTuple   newtuple;
            Datum       values[Natts_pg_parameter_acl] = {0};
            bool        nulls[Natts_pg_parameter_acl] = {0};
            bool        replaces[Natts_pg_parameter_acl] = {0};
 
            replaces[Anum_pg_parameter_acl_paracl - 1] = true;
            values[Anum_pg_parameter_acl_paracl - 1] = PointerGetDatum(new_acl);
 
            newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
                                         values, nulls, replaces);
 
            CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
        }
 
        /* Update initial privileges for extensions */
        recordExtensionInitPriv(parameterId, ParameterAclRelationId, 0,
                                new_acl);
 
        /* Update the shared dependency ACL info */
        updateAclDependencies(ParameterAclRelationId, parameterId, 0,
                              ownerId,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
 
        ReleaseSysCache(tuple);
        pfree(new_acl);
 
        /* prevent error when processing duplicate objects */
        CommandCounterIncrement();
    }
 
    table_close(relation, RowExclusiveLock);
}

References ACL_ALL_RIGHTS_PARAMETER_ACL, ACL_NO_RIGHTS, acldefault(), aclequal(), aclmembers(), InternalGrant::all_privs, InternalGrant::behavior, CatalogTupleDelete(), CatalogTupleUpdate(), CommandCounterIncrement(), DatumGetAclPCopy, elog, ERROR, GetUserId(), InternalGrant::grant_option, InternalGrant::grantees, heap_modify_tuple(), HeapTupleIsValid, InternalGrant::is_grant, lfirst_oid, merge_acl_with_grant(), OBJECT_PARAMETER_ACL, ObjectIdGetDatum(), InternalGrant::objects, InternalGrant::objtype, pfree(), PointerGetDatum(), InternalGrant::privileges, recordExtensionInitPriv(), RelationGetDescr, ReleaseSysCache(), restrict_and_check_grant(), RowExclusiveLock, SearchSysCache1(), select_best_grantor(), SysCacheGetAttr(), SysCacheGetAttrNotNull(), HeapTupleData::t_self, table_close(), table_open(), TextDatumGetCString, updateAclDependencies(), and values.

Referenced by ExecGrantStmt_oids().

◆ ExecGrant_Relation()

static void ExecGrant_Relation ( InternalGrant * istmt )

static

Definition at line 1769 of file aclchk.c.

{
    Relation    relation;
    Relation    attRelation;
    ListCell   *cell;
 
    relation = table_open(RelationRelationId, RowExclusiveLock);
    attRelation = table_open(AttributeRelationId, RowExclusiveLock);
 
    foreach(cell, istmt->objects)
    {
        Oid         relOid = lfirst_oid(cell);
        Datum       aclDatum;
        Form_pg_class pg_class_tuple;
        bool        isNull;
        AclMode     this_privileges;
        AclMode    *col_privileges;
        int         num_col_privileges;
        bool        have_col_privileges;
        Acl        *old_acl;
        Acl        *old_rel_acl;
        int         noldmembers;
        Oid        *oldmembers;
        Oid         ownerId;
        HeapTuple   tuple;
        ListCell   *cell_colprivs;
 
        tuple = SearchSysCacheLocked1(RELOID, ObjectIdGetDatum(relOid));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for relation %u", relOid);
        pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
 
        /* Not sensible to grant on an index */
        if (pg_class_tuple->relkind == RELKIND_INDEX ||
            pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX)
            ereport(ERROR,
                    (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                     errmsg("\"%s\" is an index",
                            NameStr(pg_class_tuple->relname))));
 
        /* Composite types aren't tables either */
        if (pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
            ereport(ERROR,
                    (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                     errmsg("\"%s\" is a composite type",
                            NameStr(pg_class_tuple->relname))));
 
        /* Used GRANT SEQUENCE on a non-sequence? */
        if (istmt->objtype == OBJECT_SEQUENCE &&
            pg_class_tuple->relkind != RELKIND_SEQUENCE)
            ereport(ERROR,
                    (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                     errmsg("\"%s\" is not a sequence",
                            NameStr(pg_class_tuple->relname))));
 
        /* Adjust the default permissions based on object type */
        if (istmt->all_privs && istmt->privileges == ACL_NO_RIGHTS)
        {
            if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
                this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
            else
                this_privileges = ACL_ALL_RIGHTS_RELATION;
        }
        else
            this_privileges = istmt->privileges;
 
        /*
         * The GRANT TABLE syntax can be used for sequences and non-sequences,
         * so we have to look at the relkind to determine the supported
         * permissions.  The OR of table and sequence permissions were already
         * checked.
         */
        if (istmt->objtype == OBJECT_TABLE)
        {
            if (pg_class_tuple->relkind == RELKIND_SEQUENCE)
            {
                /*
                 * For backward compatibility, just throw a warning for
                 * invalid sequence permissions when using the non-sequence
                 * GRANT syntax.
                 */
                if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_SEQUENCE))
                {
                    /*
                     * Mention the object name because the user needs to know
                     * which operations succeeded.  This is required because
                     * WARNING allows the command to continue.
                     */
                    ereport(WARNING,
                            (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                             errmsg("sequence \"%s\" only supports USAGE, SELECT, and UPDATE privileges",
                                    NameStr(pg_class_tuple->relname))));
                    this_privileges &= (AclMode) ACL_ALL_RIGHTS_SEQUENCE;
                }
            }
            else
            {
                if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_RELATION))
                {
                    /*
                     * USAGE is the only permission supported by sequences but
                     * not by non-sequences.  Don't mention the object name
                     * because we didn't in the combined TABLE | SEQUENCE
                     * check.
                     */
                    ereport(ERROR,
                            (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                             errmsg("invalid privilege type %s for table",
                                    "USAGE")));
                }
            }
        }
 
        /*
         * Set up array in which we'll accumulate any column privilege bits
         * that need modification.  The array is indexed such that entry [0]
         * corresponds to FirstLowInvalidHeapAttributeNumber.
         */
        num_col_privileges = pg_class_tuple->relnatts - FirstLowInvalidHeapAttributeNumber + 1;
        col_privileges = (AclMode *) palloc0(num_col_privileges * sizeof(AclMode));
        have_col_privileges = false;
 
        /*
         * If we are revoking relation privileges that are also column
         * privileges, we must implicitly revoke them from each column too,
         * per SQL spec.  (We don't need to implicitly add column privileges
         * during GRANT because the permissions-checking code always checks
         * both relation and per-column privileges.)
         */
        if (!istmt->is_grant &&
            (this_privileges & ACL_ALL_RIGHTS_COLUMN) != 0)
        {
            expand_all_col_privileges(relOid, pg_class_tuple,
                                      this_privileges & ACL_ALL_RIGHTS_COLUMN,
                                      col_privileges,
                                      num_col_privileges);
            have_col_privileges = true;
        }
 
        /*
         * Get owner ID and working copy of existing ACL. If there's no ACL,
         * substitute the proper default.
         */
        ownerId = pg_class_tuple->relowner;
        aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
                                   &isNull);
        if (isNull)
        {
            switch (pg_class_tuple->relkind)
            {
                case RELKIND_SEQUENCE:
                    old_acl = acldefault(OBJECT_SEQUENCE, ownerId);
                    break;
                default:
                    old_acl = acldefault(OBJECT_TABLE, ownerId);
                    break;
            }
            /* There are no old member roles according to the catalogs */
            noldmembers = 0;
            oldmembers = NULL;
        }
        else
        {
            old_acl = DatumGetAclPCopy(aclDatum);
            /* Get the roles mentioned in the existing ACL */
            noldmembers = aclmembers(old_acl, &oldmembers);
        }
 
        /* Need an extra copy of original rel ACL for column handling */
        old_rel_acl = aclcopy(old_acl);
 
        /*
         * Handle relation-level privileges, if any were specified
         */
        if (this_privileges != ACL_NO_RIGHTS)
        {
            AclMode     avail_goptions;
            Acl        *new_acl;
            Oid         grantorId;
            HeapTuple   newtuple;
            Datum       values[Natts_pg_class] = {0};
            bool        nulls[Natts_pg_class] = {0};
            bool        replaces[Natts_pg_class] = {0};
            int         nnewmembers;
            Oid        *newmembers;
            ObjectType  objtype;
 
            /* Determine ID to do the grant as, and available grant options */
            select_best_grantor(GetUserId(), this_privileges,
                                old_acl, ownerId,
                                &grantorId, &avail_goptions);
 
            switch (pg_class_tuple->relkind)
            {
                case RELKIND_SEQUENCE:
                    objtype = OBJECT_SEQUENCE;
                    break;
                default:
                    objtype = OBJECT_TABLE;
                    break;
            }
 
            /*
             * Restrict the privileges to what we can actually grant, and emit
             * the standards-mandated warning and error messages.
             */
            this_privileges =
                restrict_and_check_grant(istmt->is_grant, avail_goptions,
                                         istmt->all_privs, this_privileges,
                                         relOid, grantorId, objtype,
                                         NameStr(pg_class_tuple->relname),
                                         0, NULL);
 
            /*
             * Generate new ACL.
             */
            new_acl = merge_acl_with_grant(old_acl,
                                           istmt->is_grant,
                                           istmt->grant_option,
                                           istmt->behavior,
                                           istmt->grantees,
                                           this_privileges,
                                           grantorId,
                                           ownerId);
 
            /*
             * We need the members of both old and new ACLs so we can correct
             * the shared dependency information.
             */
            nnewmembers = aclmembers(new_acl, &newmembers);
 
            /* finished building new ACL value, now insert it */
            replaces[Anum_pg_class_relacl - 1] = true;
            values[Anum_pg_class_relacl - 1] = PointerGetDatum(new_acl);
 
            newtuple = heap_modify_tuple(tuple, RelationGetDescr(relation),
                                         values, nulls, replaces);
 
            CatalogTupleUpdate(relation, &newtuple->t_self, newtuple);
            UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock);
 
            /* Update initial privileges for extensions */
            recordExtensionInitPriv(relOid, RelationRelationId, 0, new_acl);
 
            /* Update the shared dependency ACL info */
            updateAclDependencies(RelationRelationId, relOid, 0,
                                  ownerId,
                                  noldmembers, oldmembers,
                                  nnewmembers, newmembers);
 
            pfree(new_acl);
        }
        else
            UnlockTuple(relation, &tuple->t_self, InplaceUpdateTupleLock);
 
        /*
         * Handle column-level privileges, if any were specified or implied.
         * We first expand the user-specified column privileges into the
         * array, and then iterate over all nonempty array entries.
         */
        foreach(cell_colprivs, istmt->col_privs)
        {
            AccessPriv *col_privs = (AccessPriv *) lfirst(cell_colprivs);
 
            if (col_privs->priv_name == NULL)
                this_privileges = ACL_ALL_RIGHTS_COLUMN;
            else
                this_privileges = string_to_privilege(col_privs->priv_name);
 
            if (this_privileges & ~((AclMode) ACL_ALL_RIGHTS_COLUMN))
                ereport(ERROR,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg("invalid privilege type %s for column",
                                privilege_to_string(this_privileges))));
 
            if (pg_class_tuple->relkind == RELKIND_SEQUENCE &&
                this_privileges & ~((AclMode) ACL_SELECT))
            {
                /*
                 * The only column privilege allowed on sequences is SELECT.
                 * This is a warning not error because we do it that way for
                 * relation-level privileges.
                 */
                ereport(WARNING,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg("sequence \"%s\" only supports SELECT column privileges",
                                NameStr(pg_class_tuple->relname))));
 
                this_privileges &= (AclMode) ACL_SELECT;
            }
 
            expand_col_privileges(col_privs->cols, relOid,
                                  this_privileges,
                                  col_privileges,
                                  num_col_privileges);
            have_col_privileges = true;
        }
 
        if (have_col_privileges)
        {
            AttrNumber  i;
 
            for (i = 0; i < num_col_privileges; i++)
            {
                if (col_privileges[i] == ACL_NO_RIGHTS)
                    continue;
                ExecGrant_Attribute(istmt,
                                    relOid,
                                    NameStr(pg_class_tuple->relname),
                                    i + FirstLowInvalidHeapAttributeNumber,
                                    ownerId,
                                    col_privileges[i],
                                    attRelation,
                                    old_rel_acl);
            }
        }
 
        pfree(old_rel_acl);
        pfree(col_privileges);
 
        ReleaseSysCache(tuple);
 
        /* prevent error when processing duplicate objects */
        CommandCounterIncrement();
    }
 
    table_close(attRelation, RowExclusiveLock);
    table_close(relation, RowExclusiveLock);
}

References ACL_ALL_RIGHTS_COLUMN, ACL_ALL_RIGHTS_RELATION, ACL_ALL_RIGHTS_SEQUENCE, ACL_NO_RIGHTS, ACL_SELECT, aclcopy(), acldefault(), aclmembers(), InternalGrant::all_privs, InternalGrant::behavior, CatalogTupleUpdate(), InternalGrant::col_privs, AccessPriv::cols, CommandCounterIncrement(), DatumGetAclPCopy, elog, ereport, errcode(), errmsg(), ERROR, ExecGrant_Attribute(), expand_all_col_privileges(), expand_col_privileges(), FirstLowInvalidHeapAttributeNumber, GETSTRUCT(), GetUserId(), InternalGrant::grant_option, InternalGrant::grantees, heap_modify_tuple(), HeapTupleIsValid, i, InplaceUpdateTupleLock, InternalGrant::is_grant, lfirst, lfirst_oid, merge_acl_with_grant(), NameStr, OBJECT_SEQUENCE, OBJECT_TABLE, ObjectIdGetDatum(), InternalGrant::objects, InternalGrant::objtype, palloc0(), pfree(), PointerGetDatum(), AccessPriv::priv_name, privilege_to_string(), InternalGrant::privileges, recordExtensionInitPriv(), RelationGetDescr, ReleaseSysCache(), restrict_and_check_grant(), RowExclusiveLock, SearchSysCacheLocked1(), select_best_grantor(), string_to_privilege(), SysCacheGetAttr(), HeapTupleData::t_self, table_close(), table_open(), UnlockTuple(), updateAclDependencies(), values, and WARNING.

Referenced by ExecGrantStmt_oids().

◆ ExecGrant_Type_check()

static void ExecGrant_Type_check	(	InternalGrant *	istmt,
		HeapTuple	tuple
	)

static

Definition at line 2388 of file aclchk.c.

{
    Form_pg_type pg_type_tuple;
 
    pg_type_tuple = (Form_pg_type) GETSTRUCT(tuple);
 
    /* Disallow GRANT on dependent types */
    if (IsTrueArrayType(pg_type_tuple))
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                 errmsg("cannot set privileges of array types"),
                 errhint("Set the privileges of the element type instead.")));
    if (pg_type_tuple->typtype == TYPTYPE_MULTIRANGE)
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                 errmsg("cannot set privileges of multirange types"),
                 errhint("Set the privileges of the range type instead.")));
}

References ereport, errcode(), errhint(), errmsg(), ERROR, and GETSTRUCT().

Referenced by ExecGrantStmt_oids().

◆ ExecGrantStmt_oids()

static void ExecGrantStmt_oids ( InternalGrant * istmt )

static

Definition at line 602 of file aclchk.c.

{
    switch (istmt->objtype)
    {
        case OBJECT_TABLE:
        case OBJECT_SEQUENCE:
            ExecGrant_Relation(istmt);
            break;
        case OBJECT_DATABASE:
            ExecGrant_common(istmt, DatabaseRelationId, ACL_ALL_RIGHTS_DATABASE, NULL);
            break;
        case OBJECT_DOMAIN:
        case OBJECT_TYPE:
            ExecGrant_common(istmt, TypeRelationId, ACL_ALL_RIGHTS_TYPE, ExecGrant_Type_check);
            break;
        case OBJECT_FDW:
            ExecGrant_common(istmt, ForeignDataWrapperRelationId, ACL_ALL_RIGHTS_FDW, NULL);
            break;
        case OBJECT_FOREIGN_SERVER:
            ExecGrant_common(istmt, ForeignServerRelationId, ACL_ALL_RIGHTS_FOREIGN_SERVER, NULL);
            break;
        case OBJECT_FUNCTION:
        case OBJECT_PROCEDURE:
        case OBJECT_ROUTINE:
            ExecGrant_common(istmt, ProcedureRelationId, ACL_ALL_RIGHTS_FUNCTION, NULL);
            break;
        case OBJECT_LANGUAGE:
            ExecGrant_common(istmt, LanguageRelationId, ACL_ALL_RIGHTS_LANGUAGE, ExecGrant_Language_check);
            break;
        case OBJECT_LARGEOBJECT:
            ExecGrant_Largeobject(istmt);
            break;
        case OBJECT_SCHEMA:
            ExecGrant_common(istmt, NamespaceRelationId, ACL_ALL_RIGHTS_SCHEMA, NULL);
            break;
        case OBJECT_TABLESPACE:
            ExecGrant_common(istmt, TableSpaceRelationId, ACL_ALL_RIGHTS_TABLESPACE, NULL);
            break;
        case OBJECT_PARAMETER_ACL:
            ExecGrant_Parameter(istmt);
            break;
        default:
            elog(ERROR, "unrecognized GrantStmt.objtype: %d",
                 (int) istmt->objtype);
    }
 
    /*
     * Pass the info to event triggers about the just-executed GRANT.  Note
     * that we prefer to do it after actually executing it, because that gives
     * the functions a chance to adjust the istmt with privileges actually
     * granted.
     */
    if (EventTriggerSupportsObjectType(istmt->objtype))
        EventTriggerCollectGrant(istmt);
}

References ACL_ALL_RIGHTS_DATABASE, ACL_ALL_RIGHTS_FDW, ACL_ALL_RIGHTS_FOREIGN_SERVER, ACL_ALL_RIGHTS_FUNCTION, ACL_ALL_RIGHTS_LANGUAGE, ACL_ALL_RIGHTS_SCHEMA, ACL_ALL_RIGHTS_TABLESPACE, ACL_ALL_RIGHTS_TYPE, elog, ERROR, EventTriggerCollectGrant(), EventTriggerSupportsObjectType(), ExecGrant_common(), ExecGrant_Language_check(), ExecGrant_Largeobject(), ExecGrant_Parameter(), ExecGrant_Relation(), ExecGrant_Type_check(), OBJECT_DATABASE, OBJECT_DOMAIN, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FUNCTION, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_PARAMETER_ACL, OBJECT_PROCEDURE, OBJECT_ROUTINE, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TYPE, and InternalGrant::objtype.

Referenced by ExecuteGrantStmt(), and RemoveRoleFromObjectACL().

◆ ExecuteGrantStmt()

void ExecuteGrantStmt ( GrantStmt * stmt )

Definition at line 392 of file aclchk.c.

{
    InternalGrant istmt;
    ListCell   *cell;
    const char *errormsg;
    AclMode     all_privileges;
 
    if (stmt->grantor)
    {
        Oid         grantor;
 
        grantor = get_rolespec_oid(stmt->grantor, false);
 
        /*
         * Currently, this clause is only for SQL compatibility, not very
         * interesting otherwise.
         */
        if (grantor != GetUserId())
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("grantor must be current user")));
    }
 
    /*
     * Turn the regular GrantStmt into the InternalGrant form.
     */
    istmt.is_grant = stmt->is_grant;
    istmt.objtype = stmt->objtype;
 
    /* Collect the OIDs of the target objects */
    switch (stmt->targtype)
    {
        case ACL_TARGET_OBJECT:
            istmt.objects = objectNamesToOids(stmt->objtype, stmt->objects,
                                              stmt->is_grant);
            break;
        case ACL_TARGET_ALL_IN_SCHEMA:
            istmt.objects = objectsInSchemaToOids(stmt->objtype, stmt->objects);
            break;
            /* ACL_TARGET_DEFAULTS should not be seen here */
        default:
            elog(ERROR, "unrecognized GrantStmt.targtype: %d",
                 (int) stmt->targtype);
    }
 
    /* all_privs to be filled below */
    /* privileges to be filled below */
    istmt.col_privs = NIL;      /* may get filled below */
    istmt.grantees = NIL;       /* filled below */
    istmt.grant_option = stmt->grant_option;
    istmt.behavior = stmt->behavior;
 
    /*
     * Convert the RoleSpec list into an Oid list.  Note that at this point we
     * insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
     * there shouldn't be any additional work needed to support this case.
     */
    foreach(cell, stmt->grantees)
    {
        RoleSpec   *grantee = (RoleSpec *) lfirst(cell);
        Oid         grantee_uid;
 
        switch (grantee->roletype)
        {
            case ROLESPEC_PUBLIC:
                grantee_uid = ACL_ID_PUBLIC;
                break;
            default:
                grantee_uid = get_rolespec_oid(grantee, false);
                break;
        }
        istmt.grantees = lappend_oid(istmt.grantees, grantee_uid);
    }
 
    /*
     * Convert stmt->privileges, a list of AccessPriv nodes, into an AclMode
     * bitmask.  Note: objtype can't be OBJECT_COLUMN.
     */
    switch (stmt->objtype)
    {
        case OBJECT_TABLE:
 
            /*
             * Because this might be a sequence, we test both relation and
             * sequence bits, and later do a more limited test when we know
             * the object type.
             */
            all_privileges = ACL_ALL_RIGHTS_RELATION | ACL_ALL_RIGHTS_SEQUENCE;
            errormsg = gettext_noop("invalid privilege type %s for relation");
            break;
        case OBJECT_SEQUENCE:
            all_privileges = ACL_ALL_RIGHTS_SEQUENCE;
            errormsg = gettext_noop("invalid privilege type %s for sequence");
            break;
        case OBJECT_DATABASE:
            all_privileges = ACL_ALL_RIGHTS_DATABASE;
            errormsg = gettext_noop("invalid privilege type %s for database");
            break;
        case OBJECT_DOMAIN:
            all_privileges = ACL_ALL_RIGHTS_TYPE;
            errormsg = gettext_noop("invalid privilege type %s for domain");
            break;
        case OBJECT_FUNCTION:
            all_privileges = ACL_ALL_RIGHTS_FUNCTION;
            errormsg = gettext_noop("invalid privilege type %s for function");
            break;
        case OBJECT_LANGUAGE:
            all_privileges = ACL_ALL_RIGHTS_LANGUAGE;
            errormsg = gettext_noop("invalid privilege type %s for language");
            break;
        case OBJECT_LARGEOBJECT:
            all_privileges = ACL_ALL_RIGHTS_LARGEOBJECT;
            errormsg = gettext_noop("invalid privilege type %s for large object");
            break;
        case OBJECT_SCHEMA:
            all_privileges = ACL_ALL_RIGHTS_SCHEMA;
            errormsg = gettext_noop("invalid privilege type %s for schema");
            break;
        case OBJECT_PROCEDURE:
            all_privileges = ACL_ALL_RIGHTS_FUNCTION;
            errormsg = gettext_noop("invalid privilege type %s for procedure");
            break;
        case OBJECT_ROUTINE:
            all_privileges = ACL_ALL_RIGHTS_FUNCTION;
            errormsg = gettext_noop("invalid privilege type %s for routine");
            break;
        case OBJECT_TABLESPACE:
            all_privileges = ACL_ALL_RIGHTS_TABLESPACE;
            errormsg = gettext_noop("invalid privilege type %s for tablespace");
            break;
        case OBJECT_TYPE:
            all_privileges = ACL_ALL_RIGHTS_TYPE;
            errormsg = gettext_noop("invalid privilege type %s for type");
            break;
        case OBJECT_FDW:
            all_privileges = ACL_ALL_RIGHTS_FDW;
            errormsg = gettext_noop("invalid privilege type %s for foreign-data wrapper");
            break;
        case OBJECT_FOREIGN_SERVER:
            all_privileges = ACL_ALL_RIGHTS_FOREIGN_SERVER;
            errormsg = gettext_noop("invalid privilege type %s for foreign server");
            break;
        case OBJECT_PARAMETER_ACL:
            all_privileges = ACL_ALL_RIGHTS_PARAMETER_ACL;
            errormsg = gettext_noop("invalid privilege type %s for parameter");
            break;
        default:
            elog(ERROR, "unrecognized GrantStmt.objtype: %d",
                 (int) stmt->objtype);
            /* keep compiler quiet */
            all_privileges = ACL_NO_RIGHTS;
            errormsg = NULL;
    }
 
    if (stmt->privileges == NIL)
    {
        istmt.all_privs = true;
 
        /*
         * will be turned into ACL_ALL_RIGHTS_* by the internal routines
         * depending on the object type
         */
        istmt.privileges = ACL_NO_RIGHTS;
    }
    else
    {
        istmt.all_privs = false;
        istmt.privileges = ACL_NO_RIGHTS;
 
        foreach(cell, stmt->privileges)
        {
            AccessPriv *privnode = (AccessPriv *) lfirst(cell);
            AclMode     priv;
 
            /*
             * If it's a column-level specification, we just set it aside in
             * col_privs for the moment; but insist it's for a relation.
             */
            if (privnode->cols)
            {
                if (stmt->objtype != OBJECT_TABLE)
                    ereport(ERROR,
                            (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                             errmsg("column privileges are only valid for relations")));
                istmt.col_privs = lappend(istmt.col_privs, privnode);
                continue;
            }
 
            if (privnode->priv_name == NULL)    /* parser mistake? */
                elog(ERROR, "AccessPriv node must specify privilege or columns");
            priv = string_to_privilege(privnode->priv_name);
 
            if (priv & ~((AclMode) all_privileges))
                ereport(ERROR,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg(errormsg, privilege_to_string(priv))));
 
            istmt.privileges |= priv;
        }
    }
 
    ExecGrantStmt_oids(&istmt);
}

References ACL_ALL_RIGHTS_DATABASE, ACL_ALL_RIGHTS_FDW, ACL_ALL_RIGHTS_FOREIGN_SERVER, ACL_ALL_RIGHTS_FUNCTION, ACL_ALL_RIGHTS_LANGUAGE, ACL_ALL_RIGHTS_LARGEOBJECT, ACL_ALL_RIGHTS_PARAMETER_ACL, ACL_ALL_RIGHTS_RELATION, ACL_ALL_RIGHTS_SCHEMA, ACL_ALL_RIGHTS_SEQUENCE, ACL_ALL_RIGHTS_TABLESPACE, ACL_ALL_RIGHTS_TYPE, ACL_ID_PUBLIC, ACL_NO_RIGHTS, ACL_TARGET_ALL_IN_SCHEMA, ACL_TARGET_OBJECT, InternalGrant::all_privs, InternalGrant::behavior, InternalGrant::col_privs, AccessPriv::cols, elog, ereport, errcode(), errmsg(), ERROR, ExecGrantStmt_oids(), get_rolespec_oid(), gettext_noop, GetUserId(), InternalGrant::grant_option, InternalGrant::grantees, InternalGrant::is_grant, lappend(), lappend_oid(), lfirst, NIL, OBJECT_DATABASE, OBJECT_DOMAIN, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FUNCTION, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_PARAMETER_ACL, OBJECT_PROCEDURE, OBJECT_ROUTINE, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TYPE, objectNamesToOids(), InternalGrant::objects, objectsInSchemaToOids(), InternalGrant::objtype, AccessPriv::priv_name, privilege_to_string(), InternalGrant::privileges, ROLESPEC_PUBLIC, RoleSpec::roletype, stmt, and string_to_privilege().

Referenced by ProcessUtilitySlow(), and standard_ProcessUtility().

◆ expand_all_col_privileges()

static void expand_all_col_privileges	(	Oid	table_oid,
		Form_pg_class	classForm,
		AclMode	this_privileges,
		AclMode *	col_privileges,
		int	num_col_privileges
	)

static

Definition at line 1578 of file aclchk.c.

{
    AttrNumber  curr_att;
 
    Assert(classForm->relnatts - FirstLowInvalidHeapAttributeNumber < num_col_privileges);
    for (curr_att = FirstLowInvalidHeapAttributeNumber + 1;
         curr_att <= classForm->relnatts;
         curr_att++)
    {
        HeapTuple   attTuple;
        bool        isdropped;
 
        if (curr_att == InvalidAttrNumber)
            continue;
 
        /* Views don't have any system columns at all */
        if (classForm->relkind == RELKIND_VIEW && curr_att < 0)
            continue;
 
        attTuple = SearchSysCache2(ATTNUM,
                                   ObjectIdGetDatum(table_oid),
                                   Int16GetDatum(curr_att));
        if (!HeapTupleIsValid(attTuple))
            elog(ERROR, "cache lookup failed for attribute %d of relation %u",
                 curr_att, table_oid);
 
        isdropped = ((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped;
 
        ReleaseSysCache(attTuple);
 
        /* ignore dropped columns */
        if (isdropped)
            continue;
 
        col_privileges[curr_att - FirstLowInvalidHeapAttributeNumber] |= this_privileges;
    }
}

References Assert(), elog, ERROR, FirstLowInvalidHeapAttributeNumber, GETSTRUCT(), HeapTupleIsValid, Int16GetDatum(), InvalidAttrNumber, ObjectIdGetDatum(), ReleaseSysCache(), and SearchSysCache2().

Referenced by ExecGrant_Relation().

◆ expand_col_privileges()

static void expand_col_privileges	(	List *	colnames,
		Oid	table_oid,
		AclMode	this_privileges,
		AclMode *	col_privileges,
		int	num_col_privileges
	)

static

Definition at line 1545 of file aclchk.c.

{
    ListCell   *cell;
 
    foreach(cell, colnames)
    {
        char       *colname = strVal(lfirst(cell));
        AttrNumber  attnum;
 
        attnum = get_attnum(table_oid, colname);
        if (attnum == InvalidAttrNumber)
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_COLUMN),
                     errmsg("column \"%s\" of relation \"%s\" does not exist",
                            colname, get_rel_name(table_oid))));
        attnum -= FirstLowInvalidHeapAttributeNumber;
        if (attnum <= 0 || attnum >= num_col_privileges)
            elog(ERROR, "column number out of range");  /* safety check */
        col_privileges[attnum] |= this_privileges;
    }
}

References attnum, elog, ereport, errcode(), errmsg(), ERROR, FirstLowInvalidHeapAttributeNumber, get_attnum(), get_rel_name(), InvalidAttrNumber, lfirst, and strVal.

Referenced by ExecGrant_Relation().

◆ get_default_acl_internal()

static Acl * get_default_acl_internal	(	Oid	roleId,
		Oid	nsp_oid,
		char	objtype
	)

static

Definition at line 4197 of file aclchk.c.

{
    Acl        *result = NULL;
    HeapTuple   tuple;
 
    tuple = SearchSysCache3(DEFACLROLENSPOBJ,
                            ObjectIdGetDatum(roleId),
                            ObjectIdGetDatum(nsp_oid),
                            CharGetDatum(objtype));
 
    if (HeapTupleIsValid(tuple))
    {
        Datum       aclDatum;
        bool        isNull;
 
        aclDatum = SysCacheGetAttr(DEFACLROLENSPOBJ, tuple,
                                   Anum_pg_default_acl_defaclacl,
                                   &isNull);
        if (!isNull)
            result = DatumGetAclPCopy(aclDatum);
        ReleaseSysCache(tuple);
    }
 
    return result;
}

References CharGetDatum(), DatumGetAclPCopy, HeapTupleIsValid, ObjectIdGetDatum(), ReleaseSysCache(), SearchSysCache3(), and SysCacheGetAttr().

Referenced by get_user_default_acl().

◆ get_user_default_acl()

Acl * get_user_default_acl	(	ObjectType	objtype,
		Oid	ownerId,
		Oid	nsp_oid
	)

Definition at line 4232 of file aclchk.c.

{
    Acl        *result;
    Acl        *glob_acl;
    Acl        *schema_acl;
    Acl        *def_acl;
    char        defaclobjtype;
 
    /*
     * Use NULL during bootstrap, since pg_default_acl probably isn't there
     * yet.
     */
    if (IsBootstrapProcessingMode())
        return NULL;
 
    /* Check if object type is supported in pg_default_acl */
    switch (objtype)
    {
        case OBJECT_TABLE:
            defaclobjtype = DEFACLOBJ_RELATION;
            break;
 
        case OBJECT_SEQUENCE:
            defaclobjtype = DEFACLOBJ_SEQUENCE;
            break;
 
        case OBJECT_FUNCTION:
            defaclobjtype = DEFACLOBJ_FUNCTION;
            break;
 
        case OBJECT_TYPE:
            defaclobjtype = DEFACLOBJ_TYPE;
            break;
 
        case OBJECT_SCHEMA:
            defaclobjtype = DEFACLOBJ_NAMESPACE;
            break;
 
        case OBJECT_LARGEOBJECT:
            defaclobjtype = DEFACLOBJ_LARGEOBJECT;
            break;
 
        default:
            return NULL;
    }
 
    /* Look up the relevant pg_default_acl entries */
    glob_acl = get_default_acl_internal(ownerId, InvalidOid, defaclobjtype);
    schema_acl = get_default_acl_internal(ownerId, nsp_oid, defaclobjtype);
 
    /* Quick out if neither entry exists */
    if (glob_acl == NULL && schema_acl == NULL)
        return NULL;
 
    /* We need to know the hard-wired default value, too */
    def_acl = acldefault(objtype, ownerId);
 
    /* If there's no global entry, substitute the hard-wired default */
    if (glob_acl == NULL)
        glob_acl = def_acl;
 
    /* Merge in any per-schema privileges */
    result = aclmerge(glob_acl, schema_acl, ownerId);
 
    /*
     * For efficiency, we want to return NULL if the result equals default.
     * This requires sorting both arrays to get an accurate comparison.
     */
    aclitemsort(result);
    aclitemsort(def_acl);
    if (aclequal(result, def_acl))
        result = NULL;
 
    return result;
}

References acldefault(), aclequal(), aclitemsort(), aclmerge(), get_default_acl_internal(), InvalidOid, IsBootstrapProcessingMode, OBJECT_FUNCTION, OBJECT_LARGEOBJECT, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_TABLE, and OBJECT_TYPE.

Referenced by heap_create_with_catalog(), LargeObjectCreate(), NamespaceCreate(), ProcedureCreate(), and TypeCreate().

◆ getRelationsInNamespace()

static List * getRelationsInNamespace	(	Oid	namespaceId,
		char	relkind
	)

static

Definition at line 865 of file aclchk.c.

{
    List       *relations = NIL;
    ScanKeyData key[2];
    Relation    rel;
    TableScanDesc scan;
    HeapTuple   tuple;
 
    ScanKeyInit(&key[0],
                Anum_pg_class_relnamespace,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(namespaceId));
    ScanKeyInit(&key[1],
                Anum_pg_class_relkind,
                BTEqualStrategyNumber, F_CHAREQ,
                CharGetDatum(relkind));
 
    rel = table_open(RelationRelationId, AccessShareLock);
    scan = table_beginscan_catalog(rel, 2, key);
 
    while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
    {
        Oid         oid = ((Form_pg_class) GETSTRUCT(tuple))->oid;
 
        relations = lappend_oid(relations, oid);
    }
 
    table_endscan(scan);
    table_close(rel, AccessShareLock);
 
    return relations;
}

References AccessShareLock, BTEqualStrategyNumber, CharGetDatum(), ForwardScanDirection, GETSTRUCT(), heap_getnext(), sort-test::key, lappend_oid(), NIL, ObjectIdGetDatum(), ScanKeyInit(), table_beginscan_catalog(), table_close(), table_endscan(), and table_open().

Referenced by objectsInSchemaToOids().

◆ has_bypassrls_privilege()

bool has_bypassrls_privilege ( Oid roleid )

Definition at line 4173 of file aclchk.c.

{
    bool        result = false;
    HeapTuple   utup;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return true;
 
    utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
    if (HeapTupleIsValid(utup))
    {
        result = ((Form_pg_authid) GETSTRUCT(utup))->rolbypassrls;
        ReleaseSysCache(utup);
    }
    return result;
}

References GETSTRUCT(), HeapTupleIsValid, ObjectIdGetDatum(), ReleaseSysCache(), rolbypassrls, SearchSysCache1(), and superuser_arg().

Referenced by AlterRole(), check_enable_rls(), CreateRole(), and RI_Initial_Check().

◆ has_createrole_privilege()

bool has_createrole_privilege ( Oid roleid )

Definition at line 4154 of file aclchk.c.

{
    bool        result = false;
    HeapTuple   utup;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return true;
 
    utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
    if (HeapTupleIsValid(utup))
    {
        result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
        ReleaseSysCache(utup);
    }
    return result;
}

References GETSTRUCT(), HeapTupleIsValid, ObjectIdGetDatum(), ReleaseSysCache(), rolcreaterole, SearchSysCache1(), and superuser_arg().

Referenced by check_object_ownership(), CreateRole(), and have_createrole_privilege().

◆ merge_acl_with_grant()

static Acl * merge_acl_with_grant	(	Acl *	old_acl,
		bool	is_grant,
		bool	grant_option,
		DropBehavior	behavior,
		List *	grantees,
		AclMode	privileges,
		Oid	grantorId,
		Oid	ownerId
	)

static

Definition at line 182 of file aclchk.c.

{
    unsigned    modechg;
    ListCell   *j;
    Acl        *new_acl;
 
    modechg = is_grant ? ACL_MODECHG_ADD : ACL_MODECHG_DEL;
 
    new_acl = old_acl;
 
    foreach(j, grantees)
    {
        AclItem     aclitem;
        Acl        *newer_acl;
 
        aclitem.ai_grantee = lfirst_oid(j);
 
        /*
         * Grant options can only be granted to individual roles, not PUBLIC.
         * The reason is that if a user would re-grant a privilege that he
         * held through PUBLIC, and later the user is removed, the situation
         * is impossible to clean up.
         */
        if (is_grant && grant_option && aclitem.ai_grantee == ACL_ID_PUBLIC)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                     errmsg("grant options can only be granted to roles")));
 
        aclitem.ai_grantor = grantorId;
 
        /*
         * The asymmetry in the conditions here comes from the spec.  In
         * GRANT, the grant_option flag signals WITH GRANT OPTION, which means
         * to grant both the basic privilege and its grant option. But in
         * REVOKE, plain revoke revokes both the basic privilege and its grant
         * option, while REVOKE GRANT OPTION revokes only the option.
         */
        ACLITEM_SET_PRIVS_GOPTIONS(aclitem,
                                   (is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
                                   (!is_grant || grant_option) ? privileges : ACL_NO_RIGHTS);
 
        newer_acl = aclupdate(new_acl, &aclitem, modechg, ownerId, behavior);
 
        /* avoid memory leak when there are many grantees */
        pfree(new_acl);
        new_acl = newer_acl;
    }
 
    return new_acl;
}

References ACL_ID_PUBLIC, ACL_MODECHG_ADD, ACL_MODECHG_DEL, ACL_NO_RIGHTS, ACLITEM_SET_PRIVS_GOPTIONS, aclupdate(), AclItem::ai_grantee, AclItem::ai_grantor, ereport, errcode(), errmsg(), ERROR, j, lfirst_oid, and pfree().

Referenced by ExecGrant_Attribute(), ExecGrant_common(), ExecGrant_Largeobject(), ExecGrant_Parameter(), ExecGrant_Relation(), RemoveRoleFromInitPriv(), and SetDefaultACL().

◆ object_aclcheck()

AclResult object_aclcheck	(	Oid	classid,
		Oid	objectid,
		Oid	roleid,
		AclMode	mode
	)

Definition at line 3821 of file aclchk.c.

{
    return object_aclcheck_ext(classid, objectid, roleid, mode, NULL);
}

References mode, and object_aclcheck_ext().

◆ object_aclcheck_ext()

AclResult object_aclcheck_ext	(	Oid	classid,
		Oid	objectid,
		Oid	roleid,
		AclMode	mode,
		bool *	is_missing
	)

Definition at line 3831 of file aclchk.c.

{
    if (object_aclmask_ext(classid, objectid, roleid, mode, ACLMASK_ANY,
                           is_missing) != 0)
        return ACLCHECK_OK;
    else
        return ACLCHECK_NO_PRIV;
}

References ACLCHECK_NO_PRIV, ACLCHECK_OK, ACLMASK_ANY, mode, and object_aclmask_ext().

Referenced by has_database_privilege_id(), has_database_privilege_id_id(), has_database_privilege_name_id(), has_foreign_data_wrapper_privilege_id(), has_foreign_data_wrapper_privilege_id_id(), has_foreign_data_wrapper_privilege_name_id(), has_function_privilege_id(), has_function_privilege_id_id(), has_function_privilege_name_id(), has_language_privilege_id(), has_language_privilege_id_id(), has_language_privilege_name_id(), has_schema_privilege_id(), has_schema_privilege_id_id(), has_schema_privilege_name_id(), has_server_privilege_id(), has_server_privilege_id_id(), has_server_privilege_name_id(), has_tablespace_privilege_id(), has_tablespace_privilege_id_id(), has_tablespace_privilege_name_id(), has_type_privilege_id(), has_type_privilege_id_id(), has_type_privilege_name_id(), object_aclcheck(), and pg_namespace_aclmask_ext().

◆ object_aclmask()

static AclMode object_aclmask	(	Oid	classid,
		Oid	objectid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how
	)

static

Definition at line 3031 of file aclchk.c.

{
    return object_aclmask_ext(classid, objectid, roleid, mask, how, NULL);
}

References object_aclmask_ext().

Referenced by pg_aclmask().

◆ object_aclmask_ext()

static AclMode object_aclmask_ext	(	Oid	classid,
		Oid	objectid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how,
		bool *	is_missing
	)

static

Definition at line 3042 of file aclchk.c.

{
    int         cacheid;
    AclMode     result;
    HeapTuple   tuple;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
    Oid         ownerId;
 
    /* Special cases */
    switch (classid)
    {
        case NamespaceRelationId:
            return pg_namespace_aclmask_ext(objectid, roleid, mask, how,
                                            is_missing);
        case TypeRelationId:
            return pg_type_aclmask_ext(objectid, roleid, mask, how,
                                       is_missing);
    }
 
    /* Even more special cases */
    Assert(classid != RelationRelationId);  /* should use pg_class_acl* */
    Assert(classid != LargeObjectMetadataRelationId);   /* should use
                                                         * pg_largeobject_acl* */
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return mask;
 
    /*
     * Get the object's ACL from its catalog
     */
 
    cacheid = get_object_catcache_oid(classid);
 
    tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid));
    if (!HeapTupleIsValid(tuple))
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return 0;
        }
        else
            elog(ERROR, "cache lookup failed for %s %u",
                 get_object_class_descr(classid), objectid);
    }
 
    ownerId = DatumGetObjectId(SysCacheGetAttrNotNull(cacheid,
                                                      tuple,
                                                      get_object_attnum_owner(classid)));
 
    aclDatum = SysCacheGetAttr(cacheid, tuple, get_object_attnum_acl(classid),
                               &isNull);
    if (isNull)
    {
        /* No ACL, so build default ACL */
        acl = acldefault(get_object_type(classid, objectid), ownerId);
        aclDatum = (Datum) 0;
    }
    else
    {
        /* detoast ACL if necessary */
        acl = DatumGetAclP(aclDatum);
    }
 
    result = aclmask(acl, roleid, ownerId, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    ReleaseSysCache(tuple);
 
    return result;
}

References acldefault(), aclmask(), Assert(), DatumGetAclP, DatumGetObjectId(), DatumGetPointer(), elog, ERROR, get_object_attnum_acl(), get_object_attnum_owner(), get_object_catcache_oid(), get_object_class_descr(), get_object_type(), HeapTupleIsValid, ObjectIdGetDatum(), pfree(), pg_namespace_aclmask_ext(), pg_type_aclmask_ext(), ReleaseSysCache(), SearchSysCache1(), superuser_arg(), SysCacheGetAttr(), and SysCacheGetAttrNotNull().

Referenced by object_aclcheck_ext(), and object_aclmask().

◆ object_ownercheck()

bool object_ownercheck	(	Oid	classid,
		Oid	objectid,
		Oid	roleid
	)

Definition at line 4075 of file aclchk.c.

{
    int         cacheid;
    Oid         ownerId;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return true;
 
    /* For large objects, the catalog to consult is pg_largeobject_metadata */
    if (classid == LargeObjectRelationId)
        classid = LargeObjectMetadataRelationId;
 
    cacheid = get_object_catcache_oid(classid);
    if (cacheid != -1)
    {
        /* we can get the object's tuple from the syscache */
        HeapTuple   tuple;
 
        tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objectid));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for %s %u",
                 get_object_class_descr(classid), objectid);
 
        ownerId = DatumGetObjectId(SysCacheGetAttrNotNull(cacheid,
                                                          tuple,
                                                          get_object_attnum_owner(classid)));
        ReleaseSysCache(tuple);
    }
    else
    {
        /* for catalogs without an appropriate syscache */
        Relation    rel;
        ScanKeyData entry[1];
        SysScanDesc scan;
        HeapTuple   tuple;
        bool        isnull;
 
        rel = table_open(classid, AccessShareLock);
 
        ScanKeyInit(&entry[0],
                    get_object_attnum_oid(classid),
                    BTEqualStrategyNumber, F_OIDEQ,
                    ObjectIdGetDatum(objectid));
 
        scan = systable_beginscan(rel,
                                  get_object_oid_index(classid), true,
                                  NULL, 1, entry);
 
        tuple = systable_getnext(scan);
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "could not find tuple for %s %u",
                 get_object_class_descr(classid), objectid);
 
        ownerId = DatumGetObjectId(heap_getattr(tuple,
                                                get_object_attnum_owner(classid),
                                                RelationGetDescr(rel),
                                                &isnull));
        Assert(!isnull);
 
        systable_endscan(scan);
        table_close(rel, AccessShareLock);
    }
 
    return has_privs_of_role(roleid, ownerId);
}

References AccessShareLock, Assert(), BTEqualStrategyNumber, DatumGetObjectId(), elog, ERROR, get_object_attnum_oid(), get_object_attnum_owner(), get_object_catcache_oid(), get_object_class_descr(), get_object_oid_index(), has_privs_of_role(), heap_getattr(), HeapTupleIsValid, ObjectIdGetDatum(), RelationGetDescr, ReleaseSysCache(), ScanKeyInit(), SearchSysCache1(), superuser_arg(), SysCacheGetAttrNotNull(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by AlterCollation(), AlterDatabase(), AlterDatabaseOwner(), AlterDatabaseRefreshColl(), AlterDatabaseSet(), AlterEventTrigger(), AlterEventTriggerOwner_internal(), AlterExtensionNamespace(), AlterForeignServer(), AlterForeignServerOwner_internal(), AlterFunction(), AlterOperator(), AlterOpFamilyAdd(), AlterPublication(), AlterPublicationOwner_internal(), AlterRoleSet(), AlterSchemaOwner_internal(), AlterStatistics(), AlterSubscription(), AlterSubscriptionOwner_internal(), AlterTableMoveAll(), AlterTableSpaceOptions(), AlterTSConfiguration(), AlterTSDictionary(), AlterType(), AlterTypeNamespace_oid(), AlterTypeOwner(), ATExecChangeOwner(), ATSimplePermissions(), be_lo_unlink(), brin_desummarize_range(), brin_summarize_range(), check_enable_rls(), check_object_ownership(), checkDomainOwner(), checkEnumOwner(), CreateCast(), createdb(), CreateProceduralLanguage(), CreateStatistics(), CreateTransform(), DefineOpClass(), DefineQueryRewrite(), DefineType(), dropdb(), DropSubscription(), DropTableSpace(), EnableDisableRule(), ExecAlterExtensionContentsStmt(), ExecAlterExtensionStmt(), ExecuteTruncateGuts(), gin_clean_pending_list(), heap_force_common(), MergeAttributes(), movedb(), OperatorCreate(), ProcedureCreate(), PublicationAddTables(), RangeVarCallbackForAlterRelation(), RangeVarCallbackForDropRelation(), RangeVarCallbackForPolicy(), RangeVarCallbackForRenameRule(), RangeVarCallbackForRenameTrigger(), RangeVarCallbackOwnsRelation(), RangeVarGetAndCheckCreationNamespace(), ReindexMultipleTables(), RemoveObjects(), renameatt_check(), RenameDatabase(), RenameSchema(), RenameTableSpace(), RenameType(), RI_Initial_Check(), stats_lock_check_privileges(), user_mapping_ddl_aclcheck(), vacuum_is_permitted_for_relation(), and ValidateOperatorReference().

◆ objectNamesToOids()

static List * objectNamesToOids	(	ObjectType	objtype,
		List *	objnames,
		bool	is_grant
	)

static

Definition at line 664 of file aclchk.c.

{
    List       *objects = NIL;
    ListCell   *cell;
    const LOCKMODE lockmode = AccessShareLock;
 
    Assert(objnames != NIL);
 
    switch (objtype)
    {
        default:
 
            /*
             * For most object types, we use get_object_address() directly.
             */
            foreach(cell, objnames)
            {
                ObjectAddress address;
 
                address = get_object_address(objtype, lfirst(cell), NULL, lockmode, false);
                objects = lappend_oid(objects, address.objectId);
            }
            break;
 
        case OBJECT_TABLE:
        case OBJECT_SEQUENCE:
 
            /*
             * Here, we don't use get_object_address().  It requires that the
             * specified object type match the actual type of the object, but
             * in GRANT/REVOKE, all table-like things are addressed as TABLE.
             */
            foreach(cell, objnames)
            {
                RangeVar   *relvar = (RangeVar *) lfirst(cell);
                Oid         relOid;
 
                relOid = RangeVarGetRelid(relvar, lockmode, false);
                objects = lappend_oid(objects, relOid);
            }
            break;
 
        case OBJECT_DOMAIN:
        case OBJECT_TYPE:
 
            /*
             * The parse representation of types and domains in privilege
             * targets is different from that expected by get_object_address()
             * (for parse conflict reasons), so we have to do a bit of
             * conversion here.
             */
            foreach(cell, objnames)
            {
                List       *typname = (List *) lfirst(cell);
                TypeName   *tn = makeTypeNameFromNameList(typname);
                ObjectAddress address;
                Relation    relation;
 
                address = get_object_address(objtype, (Node *) tn, &relation, lockmode, false);
                Assert(relation == NULL);
                objects = lappend_oid(objects, address.objectId);
            }
            break;
 
        case OBJECT_PARAMETER_ACL:
 
            /*
             * Parameters are handled completely differently.
             */
            foreach(cell, objnames)
            {
                /*
                 * In this code we represent a GUC by the OID of its entry in
                 * pg_parameter_acl, which we have to manufacture here if it
                 * doesn't exist yet.  (That's a hack for sure, but it avoids
                 * messing with all the GRANT/REVOKE infrastructure that
                 * expects to use OIDs for object identities.)  However, if
                 * this is a REVOKE, we can instead just ignore any GUCs that
                 * don't have such an entry, as they must not have any
                 * privileges needing removal.
                 */
                char       *parameter = strVal(lfirst(cell));
                Oid         parameterId = ParameterAclLookup(parameter, true);
 
                if (!OidIsValid(parameterId) && is_grant)
                {
                    parameterId = ParameterAclCreate(parameter);
 
                    /*
                     * Prevent error when processing duplicate objects, and
                     * make this new entry visible so that ExecGrant_Parameter
                     * can update it.
                     */
                    CommandCounterIncrement();
                }
                if (OidIsValid(parameterId))
                    objects = lappend_oid(objects, parameterId);
            }
            break;
    }
 
    return objects;
}

References AccessShareLock, Assert(), CommandCounterIncrement(), get_object_address(), lappend_oid(), lfirst, makeTypeNameFromNameList(), NIL, OBJECT_DOMAIN, OBJECT_PARAMETER_ACL, OBJECT_SEQUENCE, OBJECT_TABLE, OBJECT_TYPE, ObjectAddress::objectId, OidIsValid, ParameterAclCreate(), ParameterAclLookup(), RangeVarGetRelid, strVal, and typname.

Referenced by ExecuteGrantStmt().

◆ objectsInSchemaToOids()

static List * objectsInSchemaToOids	(	ObjectType	objtype,
		List *	nspnames
	)

static

Definition at line 776 of file aclchk.c.

{
    List       *objects = NIL;
    ListCell   *cell;
 
    foreach(cell, nspnames)
    {
        char       *nspname = strVal(lfirst(cell));
        Oid         namespaceId;
        List       *objs;
 
        namespaceId = LookupExplicitNamespace(nspname, false);
 
        switch (objtype)
        {
            case OBJECT_TABLE:
                objs = getRelationsInNamespace(namespaceId, RELKIND_RELATION);
                objects = list_concat(objects, objs);
                objs = getRelationsInNamespace(namespaceId, RELKIND_VIEW);
                objects = list_concat(objects, objs);
                objs = getRelationsInNamespace(namespaceId, RELKIND_MATVIEW);
                objects = list_concat(objects, objs);
                objs = getRelationsInNamespace(namespaceId, RELKIND_FOREIGN_TABLE);
                objects = list_concat(objects, objs);
                objs = getRelationsInNamespace(namespaceId, RELKIND_PARTITIONED_TABLE);
                objects = list_concat(objects, objs);
                break;
            case OBJECT_SEQUENCE:
                objs = getRelationsInNamespace(namespaceId, RELKIND_SEQUENCE);
                objects = list_concat(objects, objs);
                break;
            case OBJECT_FUNCTION:
            case OBJECT_PROCEDURE:
            case OBJECT_ROUTINE:
                {
                    ScanKeyData key[2];
                    int         keycount;
                    Relation    rel;
                    TableScanDesc scan;
                    HeapTuple   tuple;
 
                    keycount = 0;
                    ScanKeyInit(&key[keycount++],
                                Anum_pg_proc_pronamespace,
                                BTEqualStrategyNumber, F_OIDEQ,
                                ObjectIdGetDatum(namespaceId));
 
                    if (objtype == OBJECT_FUNCTION)
                        /* includes aggregates and window functions */
                        ScanKeyInit(&key[keycount++],
                                    Anum_pg_proc_prokind,
                                    BTEqualStrategyNumber, F_CHARNE,
                                    CharGetDatum(PROKIND_PROCEDURE));
                    else if (objtype == OBJECT_PROCEDURE)
                        ScanKeyInit(&key[keycount++],
                                    Anum_pg_proc_prokind,
                                    BTEqualStrategyNumber, F_CHAREQ,
                                    CharGetDatum(PROKIND_PROCEDURE));
 
                    rel = table_open(ProcedureRelationId, AccessShareLock);
                    scan = table_beginscan_catalog(rel, keycount, key);
 
                    while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
                    {
                        Oid         oid = ((Form_pg_proc) GETSTRUCT(tuple))->oid;
 
                        objects = lappend_oid(objects, oid);
                    }
 
                    table_endscan(scan);
                    table_close(rel, AccessShareLock);
                }
                break;
            default:
                /* should not happen */
                elog(ERROR, "unrecognized GrantStmt.objtype: %d",
                     (int) objtype);
        }
    }
 
    return objects;
}

References AccessShareLock, BTEqualStrategyNumber, CharGetDatum(), elog, ERROR, ForwardScanDirection, getRelationsInNamespace(), GETSTRUCT(), heap_getnext(), sort-test::key, lappend_oid(), lfirst, list_concat(), LookupExplicitNamespace(), NIL, OBJECT_FUNCTION, OBJECT_PROCEDURE, OBJECT_ROUTINE, OBJECT_SEQUENCE, OBJECT_TABLE, ObjectIdGetDatum(), ScanKeyInit(), strVal, table_beginscan_catalog(), table_close(), table_endscan(), and table_open().

Referenced by ExecuteGrantStmt().

◆ pg_aclmask()

static AclMode pg_aclmask	(	ObjectType	objtype,
		Oid	object_oid,
		AttrNumber	attnum,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how
	)

static

Definition at line 2970 of file aclchk.c.

{
    switch (objtype)
    {
        case OBJECT_COLUMN:
            return
                pg_class_aclmask(object_oid, roleid, mask, how) |
                pg_attribute_aclmask(object_oid, attnum, roleid, mask, how);
        case OBJECT_TABLE:
        case OBJECT_SEQUENCE:
            return pg_class_aclmask(object_oid, roleid, mask, how);
        case OBJECT_DATABASE:
            return object_aclmask(DatabaseRelationId, object_oid, roleid, mask, how);
        case OBJECT_FUNCTION:
            return object_aclmask(ProcedureRelationId, object_oid, roleid, mask, how);
        case OBJECT_LANGUAGE:
            return object_aclmask(LanguageRelationId, object_oid, roleid, mask, how);
        case OBJECT_LARGEOBJECT:
            return pg_largeobject_aclmask_snapshot(object_oid, roleid,
                                                   mask, how, NULL);
        case OBJECT_PARAMETER_ACL:
            return pg_parameter_acl_aclmask(object_oid, roleid, mask, how);
        case OBJECT_SCHEMA:
            return object_aclmask(NamespaceRelationId, object_oid, roleid, mask, how);
        case OBJECT_STATISTIC_EXT:
            elog(ERROR, "grantable rights not supported for statistics objects");
            /* not reached, but keep compiler quiet */
            return ACL_NO_RIGHTS;
        case OBJECT_TABLESPACE:
            return object_aclmask(TableSpaceRelationId, object_oid, roleid, mask, how);
        case OBJECT_FDW:
            return object_aclmask(ForeignDataWrapperRelationId, object_oid, roleid, mask, how);
        case OBJECT_FOREIGN_SERVER:
            return object_aclmask(ForeignServerRelationId, object_oid, roleid, mask, how);
        case OBJECT_EVENT_TRIGGER:
            elog(ERROR, "grantable rights not supported for event triggers");
            /* not reached, but keep compiler quiet */
            return ACL_NO_RIGHTS;
        case OBJECT_TYPE:
            return object_aclmask(TypeRelationId, object_oid, roleid, mask, how);
        default:
            elog(ERROR, "unrecognized object type: %d",
                 (int) objtype);
            /* not reached, but keep compiler quiet */
            return ACL_NO_RIGHTS;
    }
}

References ACL_NO_RIGHTS, attnum, elog, ERROR, object_aclmask(), OBJECT_COLUMN, OBJECT_DATABASE, OBJECT_EVENT_TRIGGER, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FUNCTION, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_PARAMETER_ACL, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_STATISTIC_EXT, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TYPE, pg_attribute_aclmask(), pg_class_aclmask(), pg_largeobject_aclmask_snapshot(), and pg_parameter_acl_aclmask().

Referenced by restrict_and_check_grant().

◆ pg_attribute_aclcheck()

AclResult pg_attribute_aclcheck	(	Oid	table_oid,
		AttrNumber	attnum,
		Oid	roleid,
		AclMode	mode
	)

Definition at line 3853 of file aclchk.c.

{
    return pg_attribute_aclcheck_ext(table_oid, attnum, roleid, mode, NULL);
}

References attnum, mode, and pg_attribute_aclcheck_ext().

Referenced by BuildIndexValueDescription(), checkFkeyPermissions(), examine_simple_variable(), ExecBuildSlotPartitionKeyDescription(), ExecBuildSlotValueDescription(), ExecCheckOneRelPerms(), ExecCheckPermissionsModified(), ri_ReportViolation(), and statext_is_compatible_clause().

◆ pg_attribute_aclcheck_all()

AclResult pg_attribute_aclcheck_all	(	Oid	table_oid,
		Oid	roleid,
		AclMode	mode,
		AclMaskHow	how
	)

Definition at line 3895 of file aclchk.c.

{
    return pg_attribute_aclcheck_all_ext(table_oid, roleid, mode, how, NULL);
}

References mode, and pg_attribute_aclcheck_all_ext().

Referenced by ExecCheckOneRelPerms(), ExecCheckPermissionsModified(), has_any_column_privilege_id_name(), has_any_column_privilege_name(), has_any_column_privilege_name_name(), and statext_is_compatible_clause().

◆ pg_attribute_aclcheck_all_ext()

AclResult pg_attribute_aclcheck_all_ext	(	Oid	table_oid,
		Oid	roleid,
		AclMode	mode,
		AclMaskHow	how,
		bool *	is_missing
	)

Definition at line 3906 of file aclchk.c.

{
    AclResult   result;
    HeapTuple   classTuple;
    Form_pg_class classForm;
    Oid         ownerId;
    AttrNumber  nattrs;
    AttrNumber  curr_att;
 
    /*
     * Must fetch pg_class row to get owner ID and number of attributes.
     */
    classTuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
    if (!HeapTupleIsValid(classTuple))
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return ACLCHECK_NO_PRIV;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_TABLE),
                     errmsg("relation with OID %u does not exist",
                            table_oid)));
    }
    classForm = (Form_pg_class) GETSTRUCT(classTuple);
 
    ownerId = classForm->relowner;
    nattrs = classForm->relnatts;
 
    ReleaseSysCache(classTuple);
 
    /*
     * Initialize result in case there are no non-dropped columns.  We want to
     * report failure in such cases for either value of 'how'.
     */
    result = ACLCHECK_NO_PRIV;
 
    for (curr_att = 1; curr_att <= nattrs; curr_att++)
    {
        HeapTuple   attTuple;
        Datum       aclDatum;
        bool        isNull;
        Acl        *acl;
        AclMode     attmask;
 
        attTuple = SearchSysCache2(ATTNUM,
                                   ObjectIdGetDatum(table_oid),
                                   Int16GetDatum(curr_att));
 
        /*
         * Lookup failure probably indicates that the table was just dropped,
         * but we'll treat it the same as a dropped column rather than
         * throwing error.
         */
        if (!HeapTupleIsValid(attTuple))
            continue;
 
        /* ignore dropped columns */
        if (((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped)
        {
            ReleaseSysCache(attTuple);
            continue;
        }
 
        aclDatum = SysCacheGetAttr(ATTNUM, attTuple, Anum_pg_attribute_attacl,
                                   &isNull);
 
        /*
         * Here we hard-wire knowledge that the default ACL for a column
         * grants no privileges, so that we can fall out quickly in the very
         * common case where attacl is null.
         */
        if (isNull)
            attmask = 0;
        else
        {
            /* detoast column's ACL if necessary */
            acl = DatumGetAclP(aclDatum);
 
            attmask = aclmask(acl, roleid, ownerId, mode, ACLMASK_ANY);
 
            /* if we have a detoasted copy, free it */
            if ((Pointer) acl != DatumGetPointer(aclDatum))
                pfree(acl);
        }
 
        ReleaseSysCache(attTuple);
 
        if (attmask != 0)
        {
            result = ACLCHECK_OK;
            if (how == ACLMASK_ANY)
                break;          /* succeed on any success */
        }
        else
        {
            result = ACLCHECK_NO_PRIV;
            if (how == ACLMASK_ALL)
                break;          /* fail on any failure */
        }
    }
 
    return result;
}

References ACLCHECK_NO_PRIV, ACLCHECK_OK, aclmask(), ACLMASK_ALL, ACLMASK_ANY, DatumGetAclP, DatumGetPointer(), ereport, errcode(), ERRCODE_UNDEFINED_TABLE, errmsg(), ERROR, GETSTRUCT(), HeapTupleIsValid, Int16GetDatum(), mode, ObjectIdGetDatum(), pfree(), ReleaseSysCache(), SearchSysCache1(), SearchSysCache2(), and SysCacheGetAttr().

Referenced by has_any_column_privilege_id(), has_any_column_privilege_id_id(), has_any_column_privilege_name_id(), and pg_attribute_aclcheck_all().

◆ pg_attribute_aclcheck_ext()

AclResult pg_attribute_aclcheck_ext	(	Oid	table_oid,
		AttrNumber	attnum,
		Oid	roleid,
		AclMode	mode,
		bool *	is_missing
	)

Definition at line 3865 of file aclchk.c.

{
    if (pg_attribute_aclmask_ext(table_oid, attnum, roleid, mode,
                                 ACLMASK_ANY, is_missing) != 0)
        return ACLCHECK_OK;
    else
        return ACLCHECK_NO_PRIV;
}

References ACLCHECK_NO_PRIV, ACLCHECK_OK, ACLMASK_ANY, attnum, mode, and pg_attribute_aclmask_ext().

Referenced by column_privilege_check(), and pg_attribute_aclcheck().

◆ pg_attribute_aclmask()

static AclMode pg_attribute_aclmask	(	Oid	table_oid,
		AttrNumber	attnum,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how
	)

static

Definition at line 3132 of file aclchk.c.

{
    return pg_attribute_aclmask_ext(table_oid, attnum, roleid,
                                    mask, how, NULL);
}

References attnum, and pg_attribute_aclmask_ext().

Referenced by pg_aclmask().

◆ pg_attribute_aclmask_ext()

static AclMode pg_attribute_aclmask_ext	(	Oid	table_oid,
		AttrNumber	attnum,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how,
		bool *	is_missing
	)

static

Definition at line 3143 of file aclchk.c.

{
    AclMode     result;
    HeapTuple   classTuple;
    HeapTuple   attTuple;
    Form_pg_class classForm;
    Form_pg_attribute attributeForm;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
    Oid         ownerId;
 
    /*
     * First, get the column's ACL from its pg_attribute entry
     */
    attTuple = SearchSysCache2(ATTNUM,
                               ObjectIdGetDatum(table_oid),
                               Int16GetDatum(attnum));
    if (!HeapTupleIsValid(attTuple))
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return 0;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_COLUMN),
                     errmsg("attribute %d of relation with OID %u does not exist",
                            attnum, table_oid)));
    }
 
    attributeForm = (Form_pg_attribute) GETSTRUCT(attTuple);
 
    /* Check dropped columns, too */
    if (attributeForm->attisdropped)
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            ReleaseSysCache(attTuple);
            return 0;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_COLUMN),
                     errmsg("attribute %d of relation with OID %u does not exist",
                            attnum, table_oid)));
    }
 
    aclDatum = SysCacheGetAttr(ATTNUM, attTuple, Anum_pg_attribute_attacl,
                               &isNull);
 
    /*
     * Here we hard-wire knowledge that the default ACL for a column grants no
     * privileges, so that we can fall out quickly in the very common case
     * where attacl is null.
     */
    if (isNull)
    {
        ReleaseSysCache(attTuple);
        return 0;
    }
 
    /*
     * Must get the relation's ownerId from pg_class.  Since we already found
     * a pg_attribute entry, the only likely reason for this to fail is that a
     * concurrent DROP of the relation committed since then (which could only
     * happen if we don't have lock on the relation).  Treat that similarly to
     * not finding the attribute entry.
     */
    classTuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
    if (!HeapTupleIsValid(classTuple))
    {
        ReleaseSysCache(attTuple);
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return 0;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_TABLE),
                     errmsg("relation with OID %u does not exist",
                            table_oid)));
    }
    classForm = (Form_pg_class) GETSTRUCT(classTuple);
 
    ownerId = classForm->relowner;
 
    ReleaseSysCache(classTuple);
 
    /* detoast column's ACL if necessary */
    acl = DatumGetAclP(aclDatum);
 
    result = aclmask(acl, roleid, ownerId, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    ReleaseSysCache(attTuple);
 
    return result;
}

References aclmask(), attnum, DatumGetAclP, DatumGetPointer(), ereport, errcode(), ERRCODE_UNDEFINED_TABLE, errmsg(), ERROR, GETSTRUCT(), HeapTupleIsValid, Int16GetDatum(), ObjectIdGetDatum(), pfree(), ReleaseSysCache(), SearchSysCache1(), SearchSysCache2(), and SysCacheGetAttr().

Referenced by pg_attribute_aclcheck_ext(), and pg_attribute_aclmask().

◆ pg_class_aclcheck()

AclResult pg_class_aclcheck	(	Oid	table_oid,
		Oid	roleid,
		AclMode	mode
	)

Definition at line 4024 of file aclchk.c.

{
    return pg_class_aclcheck_ext(table_oid, roleid, mode, NULL);
}

References mode, and pg_class_aclcheck_ext().

Referenced by BuildIndexValueDescription(), checkFkeyPermissions(), cluster_is_permitted_for_relation(), CreateTriggerFiringOn(), currtid_internal(), currval_oid(), do_setval(), examine_simple_variable(), examine_variable(), ExecBuildSlotPartitionKeyDescription(), ExecBuildSlotValueDescription(), get_rel_from_relname(), has_any_column_privilege_id_name(), has_any_column_privilege_name(), has_any_column_privilege_name_name(), has_sequence_privilege_id_name(), has_sequence_privilege_name(), has_sequence_privilege_name_name(), has_table_privilege_id_name(), has_table_privilege_name(), has_table_privilege_name_name(), lastval(), LockTableAclCheck(), LogicalRepSyncTableStart(), nextval_internal(), pg_get_sequence_data(), pg_prewarm(), pg_sequence_last_value(), pg_sequence_parameters(), pgrowlocks(), RangeVarCallbackForReindexIndex(), RangeVarCallbackMaintainsTable(), ReindexMultipleTables(), ri_ReportViolation(), statext_is_compatible_clause(), stats_lock_check_privileges(), TargetPrivilegesCheck(), transformTableLikeClause(), truncate_check_perms(), and vacuum_is_permitted_for_relation().

◆ pg_class_aclcheck_ext()

AclResult pg_class_aclcheck_ext	(	Oid	table_oid,
		Oid	roleid,
		AclMode	mode,
		bool *	is_missing
	)

Definition at line 4034 of file aclchk.c.

{
    if (pg_class_aclmask_ext(table_oid, roleid, mode,
                             ACLMASK_ANY, is_missing) != 0)
        return ACLCHECK_OK;
    else
        return ACLCHECK_NO_PRIV;
}

References ACLCHECK_NO_PRIV, ACLCHECK_OK, ACLMASK_ANY, mode, and pg_class_aclmask_ext().

Referenced by column_privilege_check(), has_any_column_privilege_id(), has_any_column_privilege_id_id(), has_any_column_privilege_name_id(), has_sequence_privilege_id(), has_sequence_privilege_id_id(), has_sequence_privilege_name_id(), has_table_privilege_id(), has_table_privilege_id_id(), has_table_privilege_name_id(), and pg_class_aclcheck().

◆ pg_class_aclmask()

AclMode pg_class_aclmask	(	Oid	table_oid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how
	)

Definition at line 3257 of file aclchk.c.

{
    return pg_class_aclmask_ext(table_oid, roleid, mask, how, NULL);
}

References pg_class_aclmask_ext().

Referenced by ExecCheckOneRelPerms(), and pg_aclmask().

◆ pg_class_aclmask_ext()

static AclMode pg_class_aclmask_ext	(	Oid	table_oid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how,
		bool *	is_missing
	)

static

Definition at line 3267 of file aclchk.c.

{
    AclMode     result;
    HeapTuple   tuple;
    Form_pg_class classForm;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
    Oid         ownerId;
 
    /*
     * Must get the relation's tuple from pg_class
     */
    tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(table_oid));
    if (!HeapTupleIsValid(tuple))
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return 0;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_TABLE),
                     errmsg("relation with OID %u does not exist",
                            table_oid)));
    }
 
    classForm = (Form_pg_class) GETSTRUCT(tuple);
 
    /*
     * Deny anyone permission to update a system catalog unless
     * pg_authid.rolsuper is set.
     *
     * As of 7.4 we have some updatable system views; those shouldn't be
     * protected in this way.  Assume the view rules can take care of
     * themselves.  ACL_USAGE is if we ever have system sequences.
     */
    if ((mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) &&
        IsSystemClass(table_oid, classForm) &&
        classForm->relkind != RELKIND_VIEW &&
        !superuser_arg(roleid))
        mask &= ~(ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE);
 
    /*
     * Otherwise, superusers bypass all permission-checking.
     */
    if (superuser_arg(roleid))
    {
        ReleaseSysCache(tuple);
        return mask;
    }
 
    /*
     * Normal case: get the relation's ACL from pg_class
     */
    ownerId = classForm->relowner;
 
    aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
                               &isNull);
    if (isNull)
    {
        /* No ACL, so build default ACL */
        switch (classForm->relkind)
        {
            case RELKIND_SEQUENCE:
                acl = acldefault(OBJECT_SEQUENCE, ownerId);
                break;
            default:
                acl = acldefault(OBJECT_TABLE, ownerId);
                break;
        }
        aclDatum = (Datum) 0;
    }
    else
    {
        /* detoast rel's ACL if necessary */
        acl = DatumGetAclP(aclDatum);
    }
 
    result = aclmask(acl, roleid, ownerId, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    ReleaseSysCache(tuple);
 
    /*
     * Check if ACL_SELECT is being checked and, if so, and not set already as
     * part of the result, then check if the user is a member of the
     * pg_read_all_data role, which allows read access to all relations.
     */
    if (mask & ACL_SELECT && !(result & ACL_SELECT) &&
        has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA))
        result |= ACL_SELECT;
 
    /*
     * Check if ACL_INSERT, ACL_UPDATE, or ACL_DELETE is being checked and, if
     * so, and not set already as part of the result, then check if the user
     * is a member of the pg_write_all_data role, which allows
     * INSERT/UPDATE/DELETE access to all relations (except system catalogs,
     * which requires superuser, see above).
     */
    if (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE) &&
        !(result & (ACL_INSERT | ACL_UPDATE | ACL_DELETE)) &&
        has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
        result |= (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE));
 
    /*
     * Check if ACL_MAINTAIN is being checked and, if so, and not already set
     * as part of the result, then check if the user is a member of the
     * pg_maintain role, which allows VACUUM, ANALYZE, CLUSTER, REFRESH
     * MATERIALIZED VIEW, REINDEX, and LOCK TABLE on all relations.
     */
    if (mask & ACL_MAINTAIN &&
        !(result & ACL_MAINTAIN) &&
        has_privs_of_role(roleid, ROLE_PG_MAINTAIN))
        result |= ACL_MAINTAIN;
 
    return result;
}

References ACL_DELETE, ACL_INSERT, ACL_MAINTAIN, ACL_SELECT, ACL_TRUNCATE, ACL_UPDATE, ACL_USAGE, acldefault(), aclmask(), DatumGetAclP, DatumGetPointer(), ereport, errcode(), ERRCODE_UNDEFINED_TABLE, errmsg(), ERROR, GETSTRUCT(), has_privs_of_role(), HeapTupleIsValid, IsSystemClass(), OBJECT_SEQUENCE, OBJECT_TABLE, ObjectIdGetDatum(), pfree(), ReleaseSysCache(), SearchSysCache1(), superuser_arg(), and SysCacheGetAttr().

Referenced by pg_class_aclcheck_ext(), and pg_class_aclmask().

◆ pg_largeobject_aclcheck_snapshot()

AclResult pg_largeobject_aclcheck_snapshot	(	Oid	lobj_oid,
		Oid	roleid,
		AclMode	mode,
		Snapshot	snapshot
	)

Definition at line 4061 of file aclchk.c.

{
    if (pg_largeobject_aclmask_snapshot(lobj_oid, roleid, mode,
                                        ACLMASK_ANY, snapshot) != 0)
        return ACLCHECK_OK;
    else
        return ACLCHECK_NO_PRIV;
}

References ACLCHECK_NO_PRIV, ACLCHECK_OK, ACLMASK_ANY, mode, and pg_largeobject_aclmask_snapshot().

Referenced by has_lo_priv_byid(), and inv_open().

◆ pg_largeobject_aclmask_snapshot()

static AclMode pg_largeobject_aclmask_snapshot	(	Oid	lobj_oid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how,
		Snapshot	snapshot
	)

static

Definition at line 3520 of file aclchk.c.

{
    AclMode     result;
    Relation    pg_lo_meta;
    ScanKeyData entry[1];
    SysScanDesc scan;
    HeapTuple   tuple;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
    Oid         ownerId;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return mask;
 
    /*
     * Get the largeobject's ACL from pg_largeobject_metadata
     */
    pg_lo_meta = table_open(LargeObjectMetadataRelationId,
                            AccessShareLock);
 
    ScanKeyInit(&entry[0],
                Anum_pg_largeobject_metadata_oid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(lobj_oid));
 
    scan = systable_beginscan(pg_lo_meta,
                              LargeObjectMetadataOidIndexId, true,
                              snapshot, 1, entry);
 
    tuple = systable_getnext(scan);
    if (!HeapTupleIsValid(tuple))
        ereport(ERROR,
                (errcode(ERRCODE_UNDEFINED_OBJECT),
                 errmsg("large object %u does not exist", lobj_oid)));
 
    ownerId = ((Form_pg_largeobject_metadata) GETSTRUCT(tuple))->lomowner;
 
    aclDatum = heap_getattr(tuple, Anum_pg_largeobject_metadata_lomacl,
                            RelationGetDescr(pg_lo_meta), &isNull);
 
    if (isNull)
    {
        /* No ACL, so build default ACL */
        acl = acldefault(OBJECT_LARGEOBJECT, ownerId);
        aclDatum = (Datum) 0;
    }
    else
    {
        /* detoast ACL if necessary */
        acl = DatumGetAclP(aclDatum);
    }
 
    result = aclmask(acl, roleid, ownerId, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    systable_endscan(scan);
 
    table_close(pg_lo_meta, AccessShareLock);
 
    return result;
}

References AccessShareLock, acldefault(), aclmask(), BTEqualStrategyNumber, DatumGetAclP, DatumGetPointer(), ereport, errcode(), errmsg(), ERROR, GETSTRUCT(), heap_getattr(), HeapTupleIsValid, OBJECT_LARGEOBJECT, ObjectIdGetDatum(), pfree(), RelationGetDescr, ScanKeyInit(), superuser_arg(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by pg_aclmask(), and pg_largeobject_aclcheck_snapshot().

◆ pg_namespace_aclmask_ext()

static AclMode pg_namespace_aclmask_ext	(	Oid	nsp_oid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how,
		bool *	is_missing
	)

static

Definition at line 3593 of file aclchk.c.

{
    AclMode     result;
    HeapTuple   tuple;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
    Oid         ownerId;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return mask;
 
    /*
     * If we have been assigned this namespace as a temp namespace, check to
     * make sure we have CREATE TEMP permission on the database, and if so act
     * as though we have all standard (but not GRANT OPTION) permissions on
     * the namespace.  If we don't have CREATE TEMP, act as though we have
     * only USAGE (and not CREATE) rights.
     *
     * This may seem redundant given the check in InitTempTableNamespace, but
     * it really isn't since current user ID may have changed since then. The
     * upshot of this behavior is that a SECURITY DEFINER function can create
     * temp tables that can then be accessed (if permission is granted) by
     * code in the same session that doesn't have permissions to create temp
     * tables.
     *
     * XXX Would it be safe to ereport a special error message as
     * InitTempTableNamespace does?  Returning zero here means we'll get a
     * generic "permission denied for schema pg_temp_N" message, which is not
     * remarkably user-friendly.
     */
    if (isTempNamespace(nsp_oid))
    {
        if (object_aclcheck_ext(DatabaseRelationId, MyDatabaseId, roleid,
                                ACL_CREATE_TEMP, is_missing) == ACLCHECK_OK)
            return mask & ACL_ALL_RIGHTS_SCHEMA;
        else
            return mask & ACL_USAGE;
    }
 
    /*
     * Get the schema's ACL from pg_namespace
     */
    tuple = SearchSysCache1(NAMESPACEOID, ObjectIdGetDatum(nsp_oid));
    if (!HeapTupleIsValid(tuple))
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return 0;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_SCHEMA),
                     errmsg("schema with OID %u does not exist", nsp_oid)));
    }
 
    ownerId = ((Form_pg_namespace) GETSTRUCT(tuple))->nspowner;
 
    aclDatum = SysCacheGetAttr(NAMESPACEOID, tuple, Anum_pg_namespace_nspacl,
                               &isNull);
    if (isNull)
    {
        /* No ACL, so build default ACL */
        acl = acldefault(OBJECT_SCHEMA, ownerId);
        aclDatum = (Datum) 0;
    }
    else
    {
        /* detoast ACL if necessary */
        acl = DatumGetAclP(aclDatum);
    }
 
    result = aclmask(acl, roleid, ownerId, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    ReleaseSysCache(tuple);
 
    /*
     * Check if ACL_USAGE is being checked and, if so, and not set already as
     * part of the result, then check if the user is a member of the
     * pg_read_all_data or pg_write_all_data roles, which allow usage access
     * to all schemas.
     */
    if (mask & ACL_USAGE && !(result & ACL_USAGE) &&
        (has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA) ||
         has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)))
        result |= ACL_USAGE;
    return result;
}

References ACL_ALL_RIGHTS_SCHEMA, ACL_CREATE_TEMP, ACL_USAGE, ACLCHECK_OK, acldefault(), aclmask(), DatumGetAclP, DatumGetPointer(), ereport, errcode(), errmsg(), ERROR, GETSTRUCT(), has_privs_of_role(), HeapTupleIsValid, isTempNamespace(), MyDatabaseId, object_aclcheck_ext(), OBJECT_SCHEMA, ObjectIdGetDatum(), pfree(), ReleaseSysCache(), SearchSysCache1(), superuser_arg(), and SysCacheGetAttr().

Referenced by object_aclmask_ext().

◆ pg_parameter_acl_aclmask()

static AclMode pg_parameter_acl_aclmask	(	Oid	acl_oid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how
	)

static

Definition at line 3461 of file aclchk.c.

{
    AclMode     result;
    HeapTuple   tuple;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return mask;
 
    /* Get the ACL from pg_parameter_acl */
    tuple = SearchSysCache1(PARAMETERACLOID, ObjectIdGetDatum(acl_oid));
    if (!HeapTupleIsValid(tuple))
        ereport(ERROR,
                (errcode(ERRCODE_UNDEFINED_OBJECT),
                 errmsg("parameter ACL with OID %u does not exist",
                        acl_oid)));
 
    aclDatum = SysCacheGetAttr(PARAMETERACLOID, tuple,
                               Anum_pg_parameter_acl_paracl,
                               &isNull);
    if (isNull)
    {
        /* No ACL, so build default ACL */
        acl = acldefault(OBJECT_PARAMETER_ACL, BOOTSTRAP_SUPERUSERID);
        aclDatum = (Datum) 0;
    }
    else
    {
        /* detoast ACL if necessary */
        acl = DatumGetAclP(aclDatum);
    }
 
    result = aclmask(acl, roleid, BOOTSTRAP_SUPERUSERID, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    ReleaseSysCache(tuple);
 
    return result;
}

References acldefault(), aclmask(), DatumGetAclP, DatumGetPointer(), ereport, errcode(), errmsg(), ERROR, HeapTupleIsValid, OBJECT_PARAMETER_ACL, ObjectIdGetDatum(), pfree(), ReleaseSysCache(), SearchSysCache1(), superuser_arg(), and SysCacheGetAttr().

Referenced by pg_aclmask().

◆ pg_parameter_aclcheck()

AclResult pg_parameter_aclcheck	(	const char *	name,
		Oid	roleid,
		AclMode	mode
	)

Definition at line 4049 of file aclchk.c.

{
    if (pg_parameter_aclmask(name, roleid, mode, ACLMASK_ANY) != 0)
        return ACLCHECK_OK;
    else
        return ACLCHECK_NO_PRIV;
}

References ACLCHECK_NO_PRIV, ACLCHECK_OK, ACLMASK_ANY, mode, name, and pg_parameter_aclmask().

Referenced by AlterSystemSetConfigFile(), has_param_priv_byname(), set_config_with_handle(), and validate_option_array_item().

◆ pg_parameter_aclmask()

static AclMode pg_parameter_aclmask	(	const char *	name,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how
	)

static

Definition at line 3397 of file aclchk.c.

{
    AclMode     result;
    char       *parname;
    text       *partext;
    HeapTuple   tuple;
 
    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return mask;
 
    /* Convert name to the form it should have in pg_parameter_acl... */
    parname = convert_GUC_name_for_parameter_acl(name);
    partext = cstring_to_text(parname);
 
    /* ... and look it up */
    tuple = SearchSysCache1(PARAMETERACLNAME, PointerGetDatum(partext));
 
    if (!HeapTupleIsValid(tuple))
    {
        /* If no entry, GUC has no permissions for non-superusers */
        result = ACL_NO_RIGHTS;
    }
    else
    {
        Datum       aclDatum;
        bool        isNull;
        Acl        *acl;
 
        aclDatum = SysCacheGetAttr(PARAMETERACLNAME, tuple,
                                   Anum_pg_parameter_acl_paracl,
                                   &isNull);
        if (isNull)
        {
            /* No ACL, so build default ACL */
            acl = acldefault(OBJECT_PARAMETER_ACL, BOOTSTRAP_SUPERUSERID);
            aclDatum = (Datum) 0;
        }
        else
        {
            /* detoast ACL if necessary */
            acl = DatumGetAclP(aclDatum);
        }
 
        result = aclmask(acl, roleid, BOOTSTRAP_SUPERUSERID, mask, how);
 
        /* if we have a detoasted copy, free it */
        if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
            pfree(acl);
 
        ReleaseSysCache(tuple);
    }
 
    pfree(parname);
    pfree(partext);
 
    return result;
}

References ACL_NO_RIGHTS, acldefault(), aclmask(), convert_GUC_name_for_parameter_acl(), cstring_to_text(), DatumGetAclP, DatumGetPointer(), HeapTupleIsValid, name, OBJECT_PARAMETER_ACL, pfree(), PointerGetDatum(), ReleaseSysCache(), SearchSysCache1(), superuser_arg(), and SysCacheGetAttr().

Referenced by pg_parameter_aclcheck().

◆ pg_type_aclmask_ext()

static AclMode pg_type_aclmask_ext	(	Oid	type_oid,
		Oid	roleid,
		AclMode	mask,
		AclMaskHow	how,
		bool *	is_missing
	)

static

Definition at line 3695 of file aclchk.c.

{
    AclMode     result;
    HeapTuple   tuple;
    Form_pg_type typeForm;
    Datum       aclDatum;
    bool        isNull;
    Acl        *acl;
    Oid         ownerId;
 
    /* Bypass permission checks for superusers */
    if (superuser_arg(roleid))
        return mask;
 
    /*
     * Must get the type's tuple from pg_type
     */
    tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(type_oid));
    if (!HeapTupleIsValid(tuple))
    {
        if (is_missing != NULL)
        {
            /* return "no privileges" instead of throwing an error */
            *is_missing = true;
            return 0;
        }
        else
            ereport(ERROR,
                    (errcode(ERRCODE_UNDEFINED_OBJECT),
                     errmsg("type with OID %u does not exist",
                            type_oid)));
    }
    typeForm = (Form_pg_type) GETSTRUCT(tuple);
 
    /*
     * "True" array types don't manage permissions of their own; consult the
     * element type instead.
     */
    if (IsTrueArrayType(typeForm))
    {
        Oid         elttype_oid = typeForm->typelem;
 
        ReleaseSysCache(tuple);
 
        tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(elttype_oid));
        if (!HeapTupleIsValid(tuple))
        {
            if (is_missing != NULL)
            {
                /* return "no privileges" instead of throwing an error */
                *is_missing = true;
                return 0;
            }
            else
                ereport(ERROR,
                        (errcode(ERRCODE_UNDEFINED_OBJECT),
                         errmsg("type with OID %u does not exist",
                                elttype_oid)));
        }
        typeForm = (Form_pg_type) GETSTRUCT(tuple);
    }
 
    /*
     * Likewise, multirange types don't manage their own permissions; consult
     * the associated range type.  (Note we must do this after the array step
     * to get the right answer for arrays of multiranges.)
     */
    if (typeForm->typtype == TYPTYPE_MULTIRANGE)
    {
        Oid         rangetype = get_multirange_range(typeForm->oid);
 
        ReleaseSysCache(tuple);
 
        tuple = SearchSysCache1(TYPEOID, ObjectIdGetDatum(rangetype));
        if (!HeapTupleIsValid(tuple))
        {
            if (is_missing != NULL)
            {
                /* return "no privileges" instead of throwing an error */
                *is_missing = true;
                return 0;
            }
            else
                ereport(ERROR,
                        (errcode(ERRCODE_UNDEFINED_OBJECT),
                         errmsg("type with OID %u does not exist",
                                rangetype)));
        }
        typeForm = (Form_pg_type) GETSTRUCT(tuple);
    }
 
    /*
     * Now get the type's owner and ACL from the tuple
     */
    ownerId = typeForm->typowner;
 
    aclDatum = SysCacheGetAttr(TYPEOID, tuple,
                               Anum_pg_type_typacl, &isNull);
    if (isNull)
    {
        /* No ACL, so build default ACL */
        acl = acldefault(OBJECT_TYPE, ownerId);
        aclDatum = (Datum) 0;
    }
    else
    {
        /* detoast rel's ACL if necessary */
        acl = DatumGetAclP(aclDatum);
    }
 
    result = aclmask(acl, roleid, ownerId, mask, how);
 
    /* if we have a detoasted copy, free it */
    if (acl && (Pointer) acl != DatumGetPointer(aclDatum))
        pfree(acl);
 
    ReleaseSysCache(tuple);
 
    return result;
}

References acldefault(), aclmask(), DatumGetAclP, DatumGetPointer(), ereport, errcode(), errmsg(), ERROR, get_multirange_range(), GETSTRUCT(), HeapTupleIsValid, OBJECT_TYPE, ObjectIdGetDatum(), pfree(), ReleaseSysCache(), SearchSysCache1(), superuser_arg(), and SysCacheGetAttr().

Referenced by object_aclmask_ext().

◆ privilege_to_string()

static const char * privilege_to_string ( AclMode privilege )

static

Definition at line 2592 of file aclchk.c.

{
    switch (privilege)
    {
        case ACL_INSERT:
            return "INSERT";
        case ACL_SELECT:
            return "SELECT";
        case ACL_UPDATE:
            return "UPDATE";
        case ACL_DELETE:
            return "DELETE";
        case ACL_TRUNCATE:
            return "TRUNCATE";
        case ACL_REFERENCES:
            return "REFERENCES";
        case ACL_TRIGGER:
            return "TRIGGER";
        case ACL_EXECUTE:
            return "EXECUTE";
        case ACL_USAGE:
            return "USAGE";
        case ACL_CREATE:
            return "CREATE";
        case ACL_CREATE_TEMP:
            return "TEMP";
        case ACL_CONNECT:
            return "CONNECT";
        case ACL_SET:
            return "SET";
        case ACL_ALTER_SYSTEM:
            return "ALTER SYSTEM";
        case ACL_MAINTAIN:
            return "MAINTAIN";
        default:
            elog(ERROR, "unrecognized privilege: %d", (int) privilege);
    }
    return NULL;                /* appease compiler */
}

References ACL_ALTER_SYSTEM, ACL_CONNECT, ACL_CREATE, ACL_CREATE_TEMP, ACL_DELETE, ACL_EXECUTE, ACL_INSERT, ACL_MAINTAIN, ACL_REFERENCES, ACL_SELECT, ACL_SET, ACL_TRIGGER, ACL_TRUNCATE, ACL_UPDATE, ACL_USAGE, elog, and ERROR.

Referenced by ExecAlterDefaultPrivilegesStmt(), ExecGrant_Relation(), and ExecuteGrantStmt().

◆ recordDependencyOnNewAcl()

void recordDependencyOnNewAcl	(	Oid	classId,
		Oid	objectId,
		int32	objsubId,
		Oid	ownerId,
		Acl *	acl
	)

Definition at line 4312 of file aclchk.c.

{
    int         nmembers;
    Oid        *members;
 
    /* Nothing to do if ACL is defaulted */
    if (acl == NULL)
        return;
 
    /* Extract roles mentioned in ACL */
    nmembers = aclmembers(acl, &members);
 
    /* Update the shared dependency ACL info */
    updateAclDependencies(classId, objectId, objsubId,
                          ownerId,
                          0, NULL,
                          nmembers, members);
}

References aclmembers(), and updateAclDependencies().

Referenced by GenerateTypeDependencies(), heap_create_with_catalog(), LargeObjectCreate(), NamespaceCreate(), and ProcedureCreate().

◆ recordExtensionInitPriv()

static void recordExtensionInitPriv	(	Oid	objoid,
		Oid	classoid,
		int	objsubid,
		Acl *	new_acl
	)

static

Definition at line 4586 of file aclchk.c.

{
    /*
     * Generally, we only record the initial privileges when an extension is
     * being created, but because we don't actually use CREATE EXTENSION
     * during binary upgrades with pg_upgrade, there is a variable to let us
     * know that the GRANT and REVOKE statements being issued, while this
     * variable is true, are for the initial privileges of the extension
     * object and therefore we need to record them.
     */
    if (!creating_extension && !binary_upgrade_record_init_privs)
        return;
 
    recordExtensionInitPrivWorker(objoid, classoid, objsubid, new_acl);
}

References binary_upgrade_record_init_privs, creating_extension, and recordExtensionInitPrivWorker().

Referenced by ExecGrant_Attribute(), ExecGrant_common(), ExecGrant_Largeobject(), ExecGrant_Parameter(), and ExecGrant_Relation().

◆ recordExtensionInitPrivWorker()

static void recordExtensionInitPrivWorker	(	Oid	objoid,
		Oid	classoid,
		int	objsubid,
		Acl *	new_acl
	)

static

Definition at line 4615 of file aclchk.c.

{
    Relation    relation;
    ScanKeyData key[3];
    SysScanDesc scan;
    HeapTuple   tuple;
    HeapTuple   oldtuple;
    int         noldmembers;
    int         nnewmembers;
    Oid        *oldmembers;
    Oid        *newmembers;
 
    /* We'll need the role membership of the new ACL. */
    nnewmembers = aclmembers(new_acl, &newmembers);
 
    /* Search pg_init_privs for an existing entry. */
    relation = table_open(InitPrivsRelationId, RowExclusiveLock);
 
    ScanKeyInit(&key[0],
                Anum_pg_init_privs_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(objoid));
    ScanKeyInit(&key[1],
                Anum_pg_init_privs_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(classoid));
    ScanKeyInit(&key[2],
                Anum_pg_init_privs_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(objsubid));
 
    scan = systable_beginscan(relation, InitPrivsObjIndexId, true,
                              NULL, 3, key);
 
    /* There should exist only one entry or none. */
    oldtuple = systable_getnext(scan);
 
    /* If we find an entry, update it with the latest ACL. */
    if (HeapTupleIsValid(oldtuple))
    {
        Datum       values[Natts_pg_init_privs] = {0};
        bool        nulls[Natts_pg_init_privs] = {0};
        bool        replace[Natts_pg_init_privs] = {0};
        Datum       oldAclDatum;
        bool        isNull;
        Acl        *old_acl;
 
        /* Update pg_shdepend for roles mentioned in the old/new ACLs. */
        oldAclDatum = heap_getattr(oldtuple, Anum_pg_init_privs_initprivs,
                                   RelationGetDescr(relation), &isNull);
        Assert(!isNull);
        old_acl = DatumGetAclP(oldAclDatum);
        noldmembers = aclmembers(old_acl, &oldmembers);
 
        updateInitAclDependencies(classoid, objoid, objsubid,
                                  noldmembers, oldmembers,
                                  nnewmembers, newmembers);
 
        /* If we have a new ACL to set, then update the row with it. */
        if (new_acl && ACL_NUM(new_acl) != 0)
        {
            values[Anum_pg_init_privs_initprivs - 1] = PointerGetDatum(new_acl);
            replace[Anum_pg_init_privs_initprivs - 1] = true;
 
            oldtuple = heap_modify_tuple(oldtuple, RelationGetDescr(relation),
                                         values, nulls, replace);
 
            CatalogTupleUpdate(relation, &oldtuple->t_self, oldtuple);
        }
        else
        {
            /* new_acl is NULL/empty, so delete the entry we found. */
            CatalogTupleDelete(relation, &oldtuple->t_self);
        }
    }
    else
    {
        Datum       values[Natts_pg_init_privs] = {0};
        bool        nulls[Natts_pg_init_privs] = {0};
 
        /*
         * Only add a new entry if the new ACL is non-NULL.
         *
         * If we are passed in a NULL ACL and no entry exists, we can just
         * fall through and do nothing.
         */
        if (new_acl && ACL_NUM(new_acl) != 0)
        {
            /* No entry found, so add it. */
            values[Anum_pg_init_privs_objoid - 1] = ObjectIdGetDatum(objoid);
            values[Anum_pg_init_privs_classoid - 1] = ObjectIdGetDatum(classoid);
            values[Anum_pg_init_privs_objsubid - 1] = Int32GetDatum(objsubid);
 
            /* This function only handles initial privileges of extensions */
            values[Anum_pg_init_privs_privtype - 1] =
                CharGetDatum(INITPRIVS_EXTENSION);
 
            values[Anum_pg_init_privs_initprivs - 1] = PointerGetDatum(new_acl);
 
            tuple = heap_form_tuple(RelationGetDescr(relation), values, nulls);
 
            CatalogTupleInsert(relation, tuple);
 
            /* Update pg_shdepend, too. */
            noldmembers = 0;
            oldmembers = NULL;
 
            updateInitAclDependencies(classoid, objoid, objsubid,
                                      noldmembers, oldmembers,
                                      nnewmembers, newmembers);
        }
    }
 
    systable_endscan(scan);
 
    /* prevent error when processing objects multiple times */
    CommandCounterIncrement();
 
    table_close(relation, RowExclusiveLock);
}

References ACL_NUM, aclmembers(), Assert(), BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), CharGetDatum(), CommandCounterIncrement(), DatumGetAclP, heap_form_tuple(), heap_getattr(), heap_modify_tuple(), HeapTupleIsValid, INITPRIVS_EXTENSION, Int32GetDatum(), sort-test::key, ObjectIdGetDatum(), PointerGetDatum(), RelationGetDescr, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), updateInitAclDependencies(), and values.

Referenced by recordExtensionInitPriv(), recordExtObjInitPriv(), and removeExtObjInitPriv().

◆ recordExtObjInitPriv()

void recordExtObjInitPriv	(	Oid	objoid,
		Oid	classoid
	)

Definition at line 4339 of file aclchk.c.

{
    /*
     * pg_class / pg_attribute
     *
     * If this is a relation then we need to see if there are any sub-objects
     * (eg: columns) for it and, if so, be sure to call
     * recordExtensionInitPrivWorker() for each one.
     */
    if (classoid == RelationRelationId)
    {
        Form_pg_class pg_class_tuple;
        Datum       aclDatum;
        bool        isNull;
        HeapTuple   tuple;
 
        tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(objoid));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for relation %u", objoid);
        pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
 
        /*
         * Indexes don't have permissions, neither do the pg_class rows for
         * composite types.  (These cases are unreachable given the
         * restrictions in ALTER EXTENSION ADD, but let's check anyway.)
         */
        if (pg_class_tuple->relkind == RELKIND_INDEX ||
            pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX ||
            pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
        {
            ReleaseSysCache(tuple);
            return;
        }
 
        /*
         * If this isn't a sequence then it's possibly going to have
         * column-level ACLs associated with it.
         */
        if (pg_class_tuple->relkind != RELKIND_SEQUENCE)
        {
            AttrNumber  curr_att;
            AttrNumber  nattrs = pg_class_tuple->relnatts;
 
            for (curr_att = 1; curr_att <= nattrs; curr_att++)
            {
                HeapTuple   attTuple;
                Datum       attaclDatum;
 
                attTuple = SearchSysCache2(ATTNUM,
                                           ObjectIdGetDatum(objoid),
                                           Int16GetDatum(curr_att));
 
                if (!HeapTupleIsValid(attTuple))
                    continue;
 
                /* ignore dropped columns */
                if (((Form_pg_attribute) GETSTRUCT(attTuple))->attisdropped)
                {
                    ReleaseSysCache(attTuple);
                    continue;
                }
 
                attaclDatum = SysCacheGetAttr(ATTNUM, attTuple,
                                              Anum_pg_attribute_attacl,
                                              &isNull);
 
                /* no need to do anything for a NULL ACL */
                if (isNull)
                {
                    ReleaseSysCache(attTuple);
                    continue;
                }
 
                recordExtensionInitPrivWorker(objoid, classoid, curr_att,
                                              DatumGetAclP(attaclDatum));
 
                ReleaseSysCache(attTuple);
            }
        }
 
        aclDatum = SysCacheGetAttr(RELOID, tuple, Anum_pg_class_relacl,
                                   &isNull);
 
        /* Add the record, if any, for the top-level object */
        if (!isNull)
            recordExtensionInitPrivWorker(objoid, classoid, 0,
                                          DatumGetAclP(aclDatum));
 
        ReleaseSysCache(tuple);
    }
    else if (classoid == LargeObjectRelationId)
    {
        /* For large objects, we must consult pg_largeobject_metadata */
        Datum       aclDatum;
        bool        isNull;
        HeapTuple   tuple;
        ScanKeyData entry[1];
        SysScanDesc scan;
        Relation    relation;
 
        /*
         * Note: this is dead code, given that we don't allow large objects to
         * be made extension members.  But it seems worth carrying in case
         * some future caller of this function has need for it.
         */
        relation = table_open(LargeObjectMetadataRelationId, RowExclusiveLock);
 
        /* There's no syscache for pg_largeobject_metadata */
        ScanKeyInit(&entry[0],
                    Anum_pg_largeobject_metadata_oid,
                    BTEqualStrategyNumber, F_OIDEQ,
                    ObjectIdGetDatum(objoid));
 
        scan = systable_beginscan(relation,
                                  LargeObjectMetadataOidIndexId, true,
                                  NULL, 1, entry);
 
        tuple = systable_getnext(scan);
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "could not find tuple for large object %u", objoid);
 
        aclDatum = heap_getattr(tuple,
                                Anum_pg_largeobject_metadata_lomacl,
                                RelationGetDescr(relation), &isNull);
 
        /* Add the record, if any, for the top-level object */
        if (!isNull)
            recordExtensionInitPrivWorker(objoid, classoid, 0,
                                          DatumGetAclP(aclDatum));
 
        systable_endscan(scan);
    }
    /* This will error on unsupported classoid. */
    else if (get_object_attnum_acl(classoid) != InvalidAttrNumber)
    {
        int         cacheid;
        Datum       aclDatum;
        bool        isNull;
        HeapTuple   tuple;
 
        cacheid = get_object_catcache_oid(classoid);
        tuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objoid));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for %s %u",
                 get_object_class_descr(classoid), objoid);
 
        aclDatum = SysCacheGetAttr(cacheid, tuple,
                                   get_object_attnum_acl(classoid),
                                   &isNull);
 
        /* Add the record, if any, for the top-level object */
        if (!isNull)
            recordExtensionInitPrivWorker(objoid, classoid, 0,
                                          DatumGetAclP(aclDatum));
 
        ReleaseSysCache(tuple);
    }
}

References BTEqualStrategyNumber, DatumGetAclP, elog, ERROR, get_object_attnum_acl(), get_object_catcache_oid(), get_object_class_descr(), GETSTRUCT(), heap_getattr(), HeapTupleIsValid, Int16GetDatum(), InvalidAttrNumber, ObjectIdGetDatum(), recordExtensionInitPrivWorker(), RelationGetDescr, ReleaseSysCache(), RowExclusiveLock, ScanKeyInit(), SearchSysCache1(), SearchSysCache2(), SysCacheGetAttr(), systable_beginscan(), systable_endscan(), systable_getnext(), and table_open().

Referenced by ExecAlterExtensionContentsRecurse().

◆ removeExtObjInitPriv()

void removeExtObjInitPriv	(	Oid	objoid,
		Oid	classoid
	)

Definition at line 4503 of file aclchk.c.

{
    /*
     * If this is a relation then we need to see if there are any sub-objects
     * (eg: columns) for it and, if so, be sure to call
     * recordExtensionInitPrivWorker() for each one.
     */
    if (classoid == RelationRelationId)
    {
        Form_pg_class pg_class_tuple;
        HeapTuple   tuple;
 
        tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(objoid));
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "cache lookup failed for relation %u", objoid);
        pg_class_tuple = (Form_pg_class) GETSTRUCT(tuple);
 
        /*
         * Indexes don't have permissions, neither do the pg_class rows for
         * composite types.  (These cases are unreachable given the
         * restrictions in ALTER EXTENSION DROP, but let's check anyway.)
         */
        if (pg_class_tuple->relkind == RELKIND_INDEX ||
            pg_class_tuple->relkind == RELKIND_PARTITIONED_INDEX ||
            pg_class_tuple->relkind == RELKIND_COMPOSITE_TYPE)
        {
            ReleaseSysCache(tuple);
            return;
        }
 
        /*
         * If this isn't a sequence then it's possibly going to have
         * column-level ACLs associated with it.
         */
        if (pg_class_tuple->relkind != RELKIND_SEQUENCE)
        {
            AttrNumber  curr_att;
            AttrNumber  nattrs = pg_class_tuple->relnatts;
 
            for (curr_att = 1; curr_att <= nattrs; curr_att++)
            {
                HeapTuple   attTuple;
 
                attTuple = SearchSysCache2(ATTNUM,
                                           ObjectIdGetDatum(objoid),
                                           Int16GetDatum(curr_att));
 
                if (!HeapTupleIsValid(attTuple))
                    continue;
 
                /* when removing, remove all entries, even dropped columns */
 
                recordExtensionInitPrivWorker(objoid, classoid, curr_att, NULL);
 
                ReleaseSysCache(attTuple);
            }
        }
 
        ReleaseSysCache(tuple);
    }
 
    /* Remove the record, if any, for the top-level object */
    recordExtensionInitPrivWorker(objoid, classoid, 0, NULL);
}

References elog, ERROR, GETSTRUCT(), HeapTupleIsValid, Int16GetDatum(), ObjectIdGetDatum(), recordExtensionInitPrivWorker(), ReleaseSysCache(), SearchSysCache1(), and SearchSysCache2().

Referenced by ExecAlterExtensionContentsRecurse().

◆ RemoveRoleFromInitPriv()

void RemoveRoleFromInitPriv	(	Oid	roleid,
		Oid	classid,
		Oid	objid,
		int32	objsubid
	)

Definition at line 4852 of file aclchk.c.

{
    Relation    rel;
    ScanKeyData key[3];
    SysScanDesc scan;
    HeapTuple   oldtuple;
    int         cacheid;
    HeapTuple   objtuple;
    Oid         ownerId;
    Datum       oldAclDatum;
    bool        isNull;
    Acl        *old_acl;
    Acl        *new_acl;
    HeapTuple   newtuple;
    int         noldmembers;
    int         nnewmembers;
    Oid        *oldmembers;
    Oid        *newmembers;
 
    /* Search for existing pg_init_privs entry for the target object. */
    rel = table_open(InitPrivsRelationId, RowExclusiveLock);
 
    ScanKeyInit(&key[0],
                Anum_pg_init_privs_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(objid));
    ScanKeyInit(&key[1],
                Anum_pg_init_privs_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(classid));
    ScanKeyInit(&key[2],
                Anum_pg_init_privs_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(objsubid));
 
    scan = systable_beginscan(rel, InitPrivsObjIndexId, true,
                              NULL, 3, key);
 
    /* There should exist only one entry or none. */
    oldtuple = systable_getnext(scan);
 
    if (!HeapTupleIsValid(oldtuple))
    {
        /*
         * Hmm, why are we here if there's no entry?  But pack up and go away
         * quietly.
         */
        systable_endscan(scan);
        table_close(rel, RowExclusiveLock);
        return;
    }
 
    /* Get a writable copy of the existing ACL. */
    oldAclDatum = heap_getattr(oldtuple, Anum_pg_init_privs_initprivs,
                               RelationGetDescr(rel), &isNull);
    Assert(!isNull);
    old_acl = DatumGetAclPCopy(oldAclDatum);
 
    /*
     * We need the members of both old and new ACLs so we can correct the
     * shared dependency information.  Collect data before
     * merge_acl_with_grant throws away old_acl.
     */
    noldmembers = aclmembers(old_acl, &oldmembers);
 
    /* Must find out the owner's OID the hard way. */
    cacheid = get_object_catcache_oid(classid);
    objtuple = SearchSysCache1(cacheid, ObjectIdGetDatum(objid));
    if (!HeapTupleIsValid(objtuple))
        elog(ERROR, "cache lookup failed for %s %u",
             get_object_class_descr(classid), objid);
 
    ownerId = DatumGetObjectId(SysCacheGetAttrNotNull(cacheid,
                                                      objtuple,
                                                      get_object_attnum_owner(classid)));
    ReleaseSysCache(objtuple);
 
    /*
     * Generate new ACL.  Grantor of rights is always the same as the owner.
     */
    if (old_acl != NULL)
        new_acl = merge_acl_with_grant(old_acl,
                                       false,   /* is_grant */
                                       false,   /* grant_option */
                                       DROP_RESTRICT,
                                       list_make1_oid(roleid),
                                       ACLITEM_ALL_PRIV_BITS,
                                       ownerId,
                                       ownerId);
    else
        new_acl = NULL;         /* this case shouldn't happen, probably */
 
    /* If we end with an empty ACL, delete the pg_init_privs entry. */
    if (new_acl == NULL || ACL_NUM(new_acl) == 0)
    {
        CatalogTupleDelete(rel, &oldtuple->t_self);
    }
    else
    {
        Datum       values[Natts_pg_init_privs] = {0};
        bool        nulls[Natts_pg_init_privs] = {0};
        bool        replaces[Natts_pg_init_privs] = {0};
 
        /* Update existing entry. */
        values[Anum_pg_init_privs_initprivs - 1] = PointerGetDatum(new_acl);
        replaces[Anum_pg_init_privs_initprivs - 1] = true;
 
        newtuple = heap_modify_tuple(oldtuple, RelationGetDescr(rel),
                                     values, nulls, replaces);
        CatalogTupleUpdate(rel, &newtuple->t_self, newtuple);
    }
 
    /*
     * Update the shared dependency ACL info.
     */
    nnewmembers = aclmembers(new_acl, &newmembers);
 
    updateInitAclDependencies(classid, objid, objsubid,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
 
    systable_endscan(scan);
 
    /* prevent error when processing objects multiple times */
    CommandCounterIncrement();
 
    table_close(rel, RowExclusiveLock);
}

References ACL_NUM, ACLITEM_ALL_PRIV_BITS, aclmembers(), Assert(), BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleUpdate(), CommandCounterIncrement(), DatumGetAclPCopy, DatumGetObjectId(), DROP_RESTRICT, elog, ERROR, get_object_attnum_owner(), get_object_catcache_oid(), get_object_class_descr(), heap_getattr(), heap_modify_tuple(), HeapTupleIsValid, Int32GetDatum(), sort-test::key, list_make1_oid, merge_acl_with_grant(), ObjectIdGetDatum(), PointerGetDatum(), RelationGetDescr, ReleaseSysCache(), RowExclusiveLock, ScanKeyInit(), SearchSysCache1(), SysCacheGetAttrNotNull(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), updateInitAclDependencies(), and values.

Referenced by shdepDropOwned().

◆ RemoveRoleFromObjectACL()

void RemoveRoleFromObjectACL	(	Oid	roleid,
		Oid	classid,
		Oid	objid
	)

Definition at line 1407 of file aclchk.c.

{
    if (classid == DefaultAclRelationId)
    {
        InternalDefaultACL iacls;
        Form_pg_default_acl pg_default_acl_tuple;
        Relation    rel;
        ScanKeyData skey[1];
        SysScanDesc scan;
        HeapTuple   tuple;
 
        /* first fetch info needed by SetDefaultACL */
        rel = table_open(DefaultAclRelationId, AccessShareLock);
 
        ScanKeyInit(&skey[0],
                    Anum_pg_default_acl_oid,
                    BTEqualStrategyNumber, F_OIDEQ,
                    ObjectIdGetDatum(objid));
 
        scan = systable_beginscan(rel, DefaultAclOidIndexId, true,
                                  NULL, 1, skey);
 
        tuple = systable_getnext(scan);
 
        if (!HeapTupleIsValid(tuple))
            elog(ERROR, "could not find tuple for default ACL %u", objid);
 
        pg_default_acl_tuple = (Form_pg_default_acl) GETSTRUCT(tuple);
 
        iacls.roleid = pg_default_acl_tuple->defaclrole;
        iacls.nspid = pg_default_acl_tuple->defaclnamespace;
 
        switch (pg_default_acl_tuple->defaclobjtype)
        {
            case DEFACLOBJ_RELATION:
                iacls.objtype = OBJECT_TABLE;
                break;
            case DEFACLOBJ_SEQUENCE:
                iacls.objtype = OBJECT_SEQUENCE;
                break;
            case DEFACLOBJ_FUNCTION:
                iacls.objtype = OBJECT_FUNCTION;
                break;
            case DEFACLOBJ_TYPE:
                iacls.objtype = OBJECT_TYPE;
                break;
            case DEFACLOBJ_NAMESPACE:
                iacls.objtype = OBJECT_SCHEMA;
                break;
            case DEFACLOBJ_LARGEOBJECT:
                iacls.objtype = OBJECT_LARGEOBJECT;
                break;
            default:
                /* Shouldn't get here */
                elog(ERROR, "unexpected default ACL type: %d",
                     (int) pg_default_acl_tuple->defaclobjtype);
                break;
        }
 
        systable_endscan(scan);
        table_close(rel, AccessShareLock);
 
        iacls.is_grant = false;
        iacls.all_privs = true;
        iacls.privileges = ACL_NO_RIGHTS;
        iacls.grantees = list_make1_oid(roleid);
        iacls.grant_option = false;
        iacls.behavior = DROP_CASCADE;
 
        /* Do it */
        SetDefaultACL(&iacls);
    }
    else
    {
        InternalGrant istmt;
 
        switch (classid)
        {
            case RelationRelationId:
                /* it's OK to use TABLE for a sequence */
                istmt.objtype = OBJECT_TABLE;
                break;
            case DatabaseRelationId:
                istmt.objtype = OBJECT_DATABASE;
                break;
            case TypeRelationId:
                istmt.objtype = OBJECT_TYPE;
                break;
            case ProcedureRelationId:
                istmt.objtype = OBJECT_ROUTINE;
                break;
            case LanguageRelationId:
                istmt.objtype = OBJECT_LANGUAGE;
                break;
            case LargeObjectRelationId:
                istmt.objtype = OBJECT_LARGEOBJECT;
                break;
            case NamespaceRelationId:
                istmt.objtype = OBJECT_SCHEMA;
                break;
            case TableSpaceRelationId:
                istmt.objtype = OBJECT_TABLESPACE;
                break;
            case ForeignServerRelationId:
                istmt.objtype = OBJECT_FOREIGN_SERVER;
                break;
            case ForeignDataWrapperRelationId:
                istmt.objtype = OBJECT_FDW;
                break;
            case ParameterAclRelationId:
                istmt.objtype = OBJECT_PARAMETER_ACL;
                break;
            default:
                elog(ERROR, "unexpected object class %u", classid);
                break;
        }
        istmt.is_grant = false;
        istmt.objects = list_make1_oid(objid);
        istmt.all_privs = true;
        istmt.privileges = ACL_NO_RIGHTS;
        istmt.col_privs = NIL;
        istmt.grantees = list_make1_oid(roleid);
        istmt.grant_option = false;
        istmt.behavior = DROP_CASCADE;
 
        ExecGrantStmt_oids(&istmt);
    }
}

Referenced by shdepDropOwned().

◆ ReplaceRoleInInitPriv()

void ReplaceRoleInInitPriv	(	Oid	oldroleid,
		Oid	newroleid,
		Oid	classid,
		Oid	objid,
		int32	objsubid
	)

Definition at line 4743 of file aclchk.c.

{
    Relation    rel;
    ScanKeyData key[3];
    SysScanDesc scan;
    HeapTuple   oldtuple;
    Datum       oldAclDatum;
    bool        isNull;
    Acl        *old_acl;
    Acl        *new_acl;
    HeapTuple   newtuple;
    int         noldmembers;
    int         nnewmembers;
    Oid        *oldmembers;
    Oid        *newmembers;
 
    /* Search for existing pg_init_privs entry for the target object. */
    rel = table_open(InitPrivsRelationId, RowExclusiveLock);
 
    ScanKeyInit(&key[0],
                Anum_pg_init_privs_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(objid));
    ScanKeyInit(&key[1],
                Anum_pg_init_privs_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(classid));
    ScanKeyInit(&key[2],
                Anum_pg_init_privs_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(objsubid));
 
    scan = systable_beginscan(rel, InitPrivsObjIndexId, true,
                              NULL, 3, key);
 
    /* There should exist only one entry or none. */
    oldtuple = systable_getnext(scan);
 
    if (!HeapTupleIsValid(oldtuple))
    {
        /*
         * Hmm, why are we here if there's no entry?  But pack up and go away
         * quietly.
         */
        systable_endscan(scan);
        table_close(rel, RowExclusiveLock);
        return;
    }
 
    /* Get a writable copy of the existing ACL. */
    oldAclDatum = heap_getattr(oldtuple, Anum_pg_init_privs_initprivs,
                               RelationGetDescr(rel), &isNull);
    Assert(!isNull);
    old_acl = DatumGetAclPCopy(oldAclDatum);
 
    /*
     * Generate new ACL.  This usage of aclnewowner is a bit off-label when
     * oldroleid isn't the owner; but it does the job fine.
     */
    new_acl = aclnewowner(old_acl, oldroleid, newroleid);
 
    /*
     * If we end with an empty ACL, delete the pg_init_privs entry.  (That
     * probably can't happen here, but we may as well cover the case.)
     */
    if (new_acl == NULL || ACL_NUM(new_acl) == 0)
    {
        CatalogTupleDelete(rel, &oldtuple->t_self);
    }
    else
    {
        Datum       values[Natts_pg_init_privs] = {0};
        bool        nulls[Natts_pg_init_privs] = {0};
        bool        replaces[Natts_pg_init_privs] = {0};
 
        /* Update existing entry. */
        values[Anum_pg_init_privs_initprivs - 1] = PointerGetDatum(new_acl);
        replaces[Anum_pg_init_privs_initprivs - 1] = true;
 
        newtuple = heap_modify_tuple(oldtuple, RelationGetDescr(rel),
                                     values, nulls, replaces);
        CatalogTupleUpdate(rel, &newtuple->t_self, newtuple);
    }
 
    /*
     * Update the shared dependency ACL info.
     */
    noldmembers = aclmembers(old_acl, &oldmembers);
    nnewmembers = aclmembers(new_acl, &newmembers);
 
    updateInitAclDependencies(classid, objid, objsubid,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
 
    systable_endscan(scan);
 
    /* prevent error when processing objects multiple times */
    CommandCounterIncrement();
 
    table_close(rel, RowExclusiveLock);
}

References ACL_NUM, aclmembers(), aclnewowner(), Assert(), BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleUpdate(), CommandCounterIncrement(), DatumGetAclPCopy, heap_getattr(), heap_modify_tuple(), HeapTupleIsValid, Int32GetDatum(), sort-test::key, ObjectIdGetDatum(), PointerGetDatum(), RelationGetDescr, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), updateInitAclDependencies(), and values.

Referenced by shdepReassignOwned_InitAcl().

◆ restrict_and_check_grant()

static AclMode restrict_and_check_grant	(	bool	is_grant,
		AclMode	avail_goptions,
		bool	all_privs,
		AclMode	privileges,
		Oid	objectId,
		Oid	grantorId,
		ObjectType	objtype,
		const char *	objname,
		AttrNumber	att_number,
		const char *	colname
	)

static

Definition at line 241 of file aclchk.c.

{
    AclMode     this_privileges;
    AclMode     whole_mask;
 
    switch (objtype)
    {
        case OBJECT_COLUMN:
            whole_mask = ACL_ALL_RIGHTS_COLUMN;
            break;
        case OBJECT_TABLE:
            whole_mask = ACL_ALL_RIGHTS_RELATION;
            break;
        case OBJECT_SEQUENCE:
            whole_mask = ACL_ALL_RIGHTS_SEQUENCE;
            break;
        case OBJECT_DATABASE:
            whole_mask = ACL_ALL_RIGHTS_DATABASE;
            break;
        case OBJECT_FUNCTION:
            whole_mask = ACL_ALL_RIGHTS_FUNCTION;
            break;
        case OBJECT_LANGUAGE:
            whole_mask = ACL_ALL_RIGHTS_LANGUAGE;
            break;
        case OBJECT_LARGEOBJECT:
            whole_mask = ACL_ALL_RIGHTS_LARGEOBJECT;
            break;
        case OBJECT_SCHEMA:
            whole_mask = ACL_ALL_RIGHTS_SCHEMA;
            break;
        case OBJECT_TABLESPACE:
            whole_mask = ACL_ALL_RIGHTS_TABLESPACE;
            break;
        case OBJECT_FDW:
            whole_mask = ACL_ALL_RIGHTS_FDW;
            break;
        case OBJECT_FOREIGN_SERVER:
            whole_mask = ACL_ALL_RIGHTS_FOREIGN_SERVER;
            break;
        case OBJECT_EVENT_TRIGGER:
            elog(ERROR, "grantable rights not supported for event triggers");
            /* not reached, but keep compiler quiet */
            return ACL_NO_RIGHTS;
        case OBJECT_TYPE:
            whole_mask = ACL_ALL_RIGHTS_TYPE;
            break;
        case OBJECT_PARAMETER_ACL:
            whole_mask = ACL_ALL_RIGHTS_PARAMETER_ACL;
            break;
        default:
            elog(ERROR, "unrecognized object type: %d", objtype);
            /* not reached, but keep compiler quiet */
            return ACL_NO_RIGHTS;
    }
 
    /*
     * If we found no grant options, consider whether to issue a hard error.
     * Per spec, having any privilege at all on the object will get you by
     * here.
     */
    if (avail_goptions == ACL_NO_RIGHTS)
    {
        if (pg_aclmask(objtype, objectId, att_number, grantorId,
                       whole_mask | ACL_GRANT_OPTION_FOR(whole_mask),
                       ACLMASK_ANY) == ACL_NO_RIGHTS)
        {
            if (objtype == OBJECT_COLUMN && colname)
                aclcheck_error_col(ACLCHECK_NO_PRIV, objtype, objname, colname);
            else
                aclcheck_error(ACLCHECK_NO_PRIV, objtype, objname);
        }
    }
 
    /*
     * Restrict the operation to what we can actually grant or revoke, and
     * issue a warning if appropriate.  (For REVOKE this isn't quite what the
     * spec says to do: the spec seems to want a warning only if no privilege
     * bits actually change in the ACL. In practice that behavior seems much
     * too noisy, as well as inconsistent with the GRANT case.)
     */
    this_privileges = privileges & ACL_OPTION_TO_PRIVS(avail_goptions);
    if (is_grant)
    {
        if (this_privileges == 0)
        {
            if (objtype == OBJECT_COLUMN && colname)
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
                         errmsg("no privileges were granted for column \"%s\" of relation \"%s\"",
                                colname, objname)));
            else
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
                         errmsg("no privileges were granted for \"%s\"",
                                objname)));
        }
        else if (!all_privs && this_privileges != privileges)
        {
            if (objtype == OBJECT_COLUMN && colname)
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
                         errmsg("not all privileges were granted for column \"%s\" of relation \"%s\"",
                                colname, objname)));
            else
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_GRANTED),
                         errmsg("not all privileges were granted for \"%s\"",
                                objname)));
        }
    }
    else
    {
        if (this_privileges == 0)
        {
            if (objtype == OBJECT_COLUMN && colname)
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
                         errmsg("no privileges could be revoked for column \"%s\" of relation \"%s\"",
                                colname, objname)));
            else
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
                         errmsg("no privileges could be revoked for \"%s\"",
                                objname)));
        }
        else if (!all_privs && this_privileges != privileges)
        {
            if (objtype == OBJECT_COLUMN && colname)
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
                         errmsg("not all privileges could be revoked for column \"%s\" of relation \"%s\"",
                                colname, objname)));
            else
                ereport(WARNING,
                        (errcode(ERRCODE_WARNING_PRIVILEGE_NOT_REVOKED),
                         errmsg("not all privileges could be revoked for \"%s\"",
                                objname)));
        }
    }
 
    return this_privileges;
}

References ACL_ALL_RIGHTS_COLUMN, ACL_ALL_RIGHTS_DATABASE, ACL_ALL_RIGHTS_FDW, ACL_ALL_RIGHTS_FOREIGN_SERVER, ACL_ALL_RIGHTS_FUNCTION, ACL_ALL_RIGHTS_LANGUAGE, ACL_ALL_RIGHTS_LARGEOBJECT, ACL_ALL_RIGHTS_PARAMETER_ACL, ACL_ALL_RIGHTS_RELATION, ACL_ALL_RIGHTS_SCHEMA, ACL_ALL_RIGHTS_SEQUENCE, ACL_ALL_RIGHTS_TABLESPACE, ACL_ALL_RIGHTS_TYPE, ACL_GRANT_OPTION_FOR, ACL_NO_RIGHTS, ACL_OPTION_TO_PRIVS, aclcheck_error(), aclcheck_error_col(), ACLCHECK_NO_PRIV, ACLMASK_ANY, elog, ereport, errcode(), errmsg(), ERROR, OBJECT_COLUMN, OBJECT_DATABASE, OBJECT_EVENT_TRIGGER, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FUNCTION, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_PARAMETER_ACL, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TYPE, pg_aclmask(), and WARNING.

Referenced by ExecGrant_Attribute(), ExecGrant_common(), ExecGrant_Largeobject(), ExecGrant_Parameter(), and ExecGrant_Relation().

◆ SetDefaultACL()

static void SetDefaultACL ( InternalDefaultACL * iacls )

static

Definition at line 1134 of file aclchk.c.

{
    AclMode     this_privileges = iacls->privileges;
    char        objtype;
    Relation    rel;
    HeapTuple   tuple;
    bool        isNew;
    Acl        *def_acl;
    Acl        *old_acl;
    Acl        *new_acl;
    HeapTuple   newtuple;
    int         noldmembers;
    int         nnewmembers;
    Oid        *oldmembers;
    Oid        *newmembers;
 
    rel = table_open(DefaultAclRelationId, RowExclusiveLock);
 
    /*
     * The default for a global entry is the hard-wired default ACL for the
     * particular object type.  The default for non-global entries is an empty
     * ACL.  This must be so because global entries replace the hard-wired
     * defaults, while others are added on.
     */
    if (!OidIsValid(iacls->nspid))
        def_acl = acldefault(iacls->objtype, iacls->roleid);
    else
        def_acl = make_empty_acl();
 
    /*
     * Convert ACL object type to pg_default_acl object type and handle
     * all_privs option
     */
    switch (iacls->objtype)
    {
        case OBJECT_TABLE:
            objtype = DEFACLOBJ_RELATION;
            if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
                this_privileges = ACL_ALL_RIGHTS_RELATION;
            break;
 
        case OBJECT_SEQUENCE:
            objtype = DEFACLOBJ_SEQUENCE;
            if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
                this_privileges = ACL_ALL_RIGHTS_SEQUENCE;
            break;
 
        case OBJECT_FUNCTION:
            objtype = DEFACLOBJ_FUNCTION;
            if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
                this_privileges = ACL_ALL_RIGHTS_FUNCTION;
            break;
 
        case OBJECT_TYPE:
            objtype = DEFACLOBJ_TYPE;
            if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
                this_privileges = ACL_ALL_RIGHTS_TYPE;
            break;
 
        case OBJECT_SCHEMA:
            if (OidIsValid(iacls->nspid))
                ereport(ERROR,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg("cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS")));
            objtype = DEFACLOBJ_NAMESPACE;
            if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
                this_privileges = ACL_ALL_RIGHTS_SCHEMA;
            break;
 
        case OBJECT_LARGEOBJECT:
            if (OidIsValid(iacls->nspid))
                ereport(ERROR,
                        (errcode(ERRCODE_INVALID_GRANT_OPERATION),
                         errmsg("cannot use IN SCHEMA clause when using GRANT/REVOKE ON LARGE OBJECTS")));
            objtype = DEFACLOBJ_LARGEOBJECT;
            if (iacls->all_privs && this_privileges == ACL_NO_RIGHTS)
                this_privileges = ACL_ALL_RIGHTS_LARGEOBJECT;
            break;
 
        default:
            elog(ERROR, "unrecognized object type: %d",
                 (int) iacls->objtype);
            objtype = 0;        /* keep compiler quiet */
            break;
    }
 
    /* Search for existing row for this object type in catalog */
    tuple = SearchSysCache3(DEFACLROLENSPOBJ,
                            ObjectIdGetDatum(iacls->roleid),
                            ObjectIdGetDatum(iacls->nspid),
                            CharGetDatum(objtype));
 
    if (HeapTupleIsValid(tuple))
    {
        Datum       aclDatum;
        bool        isNull;
 
        aclDatum = SysCacheGetAttr(DEFACLROLENSPOBJ, tuple,
                                   Anum_pg_default_acl_defaclacl,
                                   &isNull);
        if (!isNull)
            old_acl = DatumGetAclPCopy(aclDatum);
        else
            old_acl = NULL;     /* this case shouldn't happen, probably */
        isNew = false;
    }
    else
    {
        old_acl = NULL;
        isNew = true;
    }
 
    if (old_acl != NULL)
    {
        /*
         * We need the members of both old and new ACLs so we can correct the
         * shared dependency information.  Collect data before
         * merge_acl_with_grant throws away old_acl.
         */
        noldmembers = aclmembers(old_acl, &oldmembers);
    }
    else
    {
        /* If no or null entry, start with the default ACL value */
        old_acl = aclcopy(def_acl);
        /* There are no old member roles according to the catalogs */
        noldmembers = 0;
        oldmembers = NULL;
    }
 
    /*
     * Generate new ACL.  Grantor of rights is always the same as the target
     * role.
     */
    new_acl = merge_acl_with_grant(old_acl,
                                   iacls->is_grant,
                                   iacls->grant_option,
                                   iacls->behavior,
                                   iacls->grantees,
                                   this_privileges,
                                   iacls->roleid,
                                   iacls->roleid);
 
    /*
     * If the result is the same as the default value, we do not need an
     * explicit pg_default_acl entry, and should in fact remove the entry if
     * it exists.  Must sort both arrays to compare properly.
     */
    aclitemsort(new_acl);
    aclitemsort(def_acl);
    if (aclequal(new_acl, def_acl))
    {
        /* delete old entry, if indeed there is one */
        if (!isNew)
        {
            ObjectAddress myself;
 
            /*
             * The dependency machinery will take care of removing all
             * associated dependency entries.  We use DROP_RESTRICT since
             * there shouldn't be anything depending on this entry.
             */
            myself.classId = DefaultAclRelationId;
            myself.objectId = ((Form_pg_default_acl) GETSTRUCT(tuple))->oid;
            myself.objectSubId = 0;
 
            performDeletion(&myself, DROP_RESTRICT, 0);
        }
    }
    else
    {
        Datum       values[Natts_pg_default_acl] = {0};
        bool        nulls[Natts_pg_default_acl] = {0};
        bool        replaces[Natts_pg_default_acl] = {0};
        Oid         defAclOid;
 
        if (isNew)
        {
            /* insert new entry */
            defAclOid = GetNewOidWithIndex(rel, DefaultAclOidIndexId,
                                           Anum_pg_default_acl_oid);
            values[Anum_pg_default_acl_oid - 1] = ObjectIdGetDatum(defAclOid);
            values[Anum_pg_default_acl_defaclrole - 1] = ObjectIdGetDatum(iacls->roleid);
            values[Anum_pg_default_acl_defaclnamespace - 1] = ObjectIdGetDatum(iacls->nspid);
            values[Anum_pg_default_acl_defaclobjtype - 1] = CharGetDatum(objtype);
            values[Anum_pg_default_acl_defaclacl - 1] = PointerGetDatum(new_acl);
 
            newtuple = heap_form_tuple(RelationGetDescr(rel), values, nulls);
            CatalogTupleInsert(rel, newtuple);
        }
        else
        {
            defAclOid = ((Form_pg_default_acl) GETSTRUCT(tuple))->oid;
 
            /* update existing entry */
            values[Anum_pg_default_acl_defaclacl - 1] = PointerGetDatum(new_acl);
            replaces[Anum_pg_default_acl_defaclacl - 1] = true;
 
            newtuple = heap_modify_tuple(tuple, RelationGetDescr(rel),
                                         values, nulls, replaces);
            CatalogTupleUpdate(rel, &newtuple->t_self, newtuple);
        }
 
        /* these dependencies don't change in an update */
        if (isNew)
        {
            /* dependency on role */
            recordDependencyOnOwner(DefaultAclRelationId, defAclOid,
                                    iacls->roleid);
 
            /* dependency on namespace */
            if (OidIsValid(iacls->nspid))
            {
                ObjectAddress myself,
                            referenced;
 
                myself.classId = DefaultAclRelationId;
                myself.objectId = defAclOid;
                myself.objectSubId = 0;
 
                referenced.classId = NamespaceRelationId;
                referenced.objectId = iacls->nspid;
                referenced.objectSubId = 0;
 
                recordDependencyOn(&myself, &referenced, DEPENDENCY_AUTO);
            }
        }
 
        /*
         * Update the shared dependency ACL info
         */
        nnewmembers = aclmembers(new_acl, &newmembers);
 
        updateAclDependencies(DefaultAclRelationId,
                              defAclOid, 0,
                              iacls->roleid,
                              noldmembers, oldmembers,
                              nnewmembers, newmembers);
 
        if (isNew)
            InvokeObjectPostCreateHook(DefaultAclRelationId, defAclOid, 0);
        else
            InvokeObjectPostAlterHook(DefaultAclRelationId, defAclOid, 0);
    }
 
    if (HeapTupleIsValid(tuple))
        ReleaseSysCache(tuple);
 
    table_close(rel, RowExclusiveLock);
 
    /* prevent error when processing duplicate objects */
    CommandCounterIncrement();
}

Referenced by RemoveRoleFromObjectACL(), and SetDefaultACLsInSchemas().

◆ SetDefaultACLsInSchemas()

static void SetDefaultACLsInSchemas	(	InternalDefaultACL *	iacls,
		List *	nspnames
	)

static

Definition at line 1092 of file aclchk.c.

{
    if (nspnames == NIL)
    {
        /* Set database-wide permissions if no schema was specified */
        iacls->nspid = InvalidOid;
 
        SetDefaultACL(iacls);
    }
    else
    {
        /* Look up the schema OIDs and set permissions for each one */
        ListCell   *nspcell;
 
        foreach(nspcell, nspnames)
        {
            char       *nspname = strVal(lfirst(nspcell));
 
            iacls->nspid = get_namespace_oid(nspname, false);
 
            /*
             * We used to insist that the target role have CREATE privileges
             * on the schema, since without that it wouldn't be able to create
             * an object for which these default privileges would apply.
             * However, this check proved to be more confusing than helpful,
             * and it also caused certain database states to not be
             * dumpable/restorable, since revoking CREATE doesn't cause
             * default privileges for the schema to go away.  So now, we just
             * allow the ALTER; if the user lacks CREATE he'll find out when
             * he tries to create an object.
             */
 
            SetDefaultACL(iacls);
        }
    }
}

References get_namespace_oid(), InvalidOid, lfirst, NIL, InternalDefaultACL::nspid, SetDefaultACL(), and strVal.

Referenced by ExecAlterDefaultPrivilegesStmt().

◆ string_to_privilege()

static AclMode string_to_privilege ( const char * privname )

static

Definition at line 2551 of file aclchk.c.

{
    if (strcmp(privname, "insert") == 0)
        return ACL_INSERT;
    if (strcmp(privname, "select") == 0)
        return ACL_SELECT;
    if (strcmp(privname, "update") == 0)
        return ACL_UPDATE;
    if (strcmp(privname, "delete") == 0)
        return ACL_DELETE;
    if (strcmp(privname, "truncate") == 0)
        return ACL_TRUNCATE;
    if (strcmp(privname, "references") == 0)
        return ACL_REFERENCES;
    if (strcmp(privname, "trigger") == 0)
        return ACL_TRIGGER;
    if (strcmp(privname, "execute") == 0)
        return ACL_EXECUTE;
    if (strcmp(privname, "usage") == 0)
        return ACL_USAGE;
    if (strcmp(privname, "create") == 0)
        return ACL_CREATE;
    if (strcmp(privname, "temporary") == 0)
        return ACL_CREATE_TEMP;
    if (strcmp(privname, "temp") == 0)
        return ACL_CREATE_TEMP;
    if (strcmp(privname, "connect") == 0)
        return ACL_CONNECT;
    if (strcmp(privname, "set") == 0)
        return ACL_SET;
    if (strcmp(privname, "alter system") == 0)
        return ACL_ALTER_SYSTEM;
    if (strcmp(privname, "maintain") == 0)
        return ACL_MAINTAIN;
    ereport(ERROR,
            (errcode(ERRCODE_SYNTAX_ERROR),
             errmsg("unrecognized privilege type \"%s\"", privname)));
    return 0;                   /* appease compiler */
}

References ACL_ALTER_SYSTEM, ACL_CONNECT, ACL_CREATE, ACL_CREATE_TEMP, ACL_DELETE, ACL_EXECUTE, ACL_INSERT, ACL_MAINTAIN, ACL_REFERENCES, ACL_SELECT, ACL_SET, ACL_TRIGGER, ACL_TRUNCATE, ACL_UPDATE, ACL_USAGE, ereport, errcode(), errmsg(), and ERROR.

Referenced by ExecAlterDefaultPrivilegesStmt(), ExecGrant_Relation(), and ExecuteGrantStmt().

Variable Documentation

◆ binary_upgrade_record_init_privs

bool binary_upgrade_record_init_privs = false

Definition at line 110 of file aclchk.c.

Referenced by binary_upgrade_set_record_init_privs(), and recordExtensionInitPriv().

Data Structures

Functions

Variables

Function Documentation

◆ aclcheck_error()

◆ aclcheck_error_col()

◆ aclcheck_error_type()

◆ ExecAlterDefaultPrivilegesStmt()

◆ ExecGrant_Attribute()

◆ ExecGrant_common()

◆ ExecGrant_Language_check()

◆ ExecGrant_Largeobject()

◆ ExecGrant_Parameter()

◆ ExecGrant_Relation()

◆ ExecGrant_Type_check()

◆ ExecGrantStmt_oids()

◆ ExecuteGrantStmt()

◆ expand_all_col_privileges()

◆ expand_col_privileges()

◆ get_default_acl_internal()

◆ get_user_default_acl()

◆ getRelationsInNamespace()

◆ has_bypassrls_privilege()

◆ has_createrole_privilege()

◆ merge_acl_with_grant()

◆ object_aclcheck()

◆ object_aclcheck_ext()

◆ object_aclmask()

◆ object_aclmask_ext()

◆ object_ownercheck()

◆ objectNamesToOids()

◆ objectsInSchemaToOids()

◆ pg_aclmask()

◆ pg_attribute_aclcheck()

◆ pg_attribute_aclcheck_all()

◆ pg_attribute_aclcheck_all_ext()

◆ pg_attribute_aclcheck_ext()

◆ pg_attribute_aclmask()

◆ pg_attribute_aclmask_ext()

◆ pg_class_aclcheck()

◆ pg_class_aclcheck_ext()

◆ pg_class_aclmask()

◆ pg_class_aclmask_ext()

◆ pg_largeobject_aclcheck_snapshot()

◆ pg_largeobject_aclmask_snapshot()

◆ pg_namespace_aclmask_ext()

◆ pg_parameter_acl_aclmask()

◆ pg_parameter_aclcheck()

◆ pg_parameter_aclmask()

◆ pg_type_aclmask_ext()

◆ privilege_to_string()

◆ recordDependencyOnNewAcl()

◆ recordExtensionInitPriv()

◆ recordExtensionInitPrivWorker()

◆ recordExtObjInitPriv()

◆ removeExtObjInitPriv()

◆ RemoveRoleFromInitPriv()

◆ RemoveRoleFromObjectACL()

◆ ReplaceRoleInInitPriv()

◆ restrict_and_check_grant()

◆ SetDefaultACL()

◆ SetDefaultACLsInSchemas()

◆ string_to_privilege()

Variable Documentation

◆ binary_upgrade_record_init_privs