@ -7,15 +7,15 @@
-- Suppress NOTICE messages when users/groups don't exist
SET client_min_messages TO ' warning ' ;
DROP ROLE IF EXISTS regress_group1 ;
DROP ROLE IF EXISTS regress_group2 ;
DROP ROLE IF EXISTS regress_priv_ group1 ;
DROP ROLE IF EXISTS regress_priv_ group2 ;
DROP ROLE IF EXISTS regress_user1 ;
DROP ROLE IF EXISTS regress_user2 ;
DROP ROLE IF EXISTS regress_user3 ;
DROP ROLE IF EXISTS regress_user4 ;
DROP ROLE IF EXISTS regress_user5 ;
DROP ROLE IF EXISTS regress_user6 ;
DROP ROLE IF EXISTS regress_priv_ user1 ;
DROP ROLE IF EXISTS regress_priv_ user2 ;
DROP ROLE IF EXISTS regress_priv_ user3 ;
DROP ROLE IF EXISTS regress_priv_ user4 ;
DROP ROLE IF EXISTS regress_priv_ user5 ;
DROP ROLE IF EXISTS regress_priv_ user6 ;
SELECT lo_unlink ( oid ) FROM pg_largeobject_metadata WHERE oid > = 1000 AND oid < 3000 ORDER BY oid ;
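Review bot: The cleanup block at the top of the script now drops only the `regress_priv_*` roles, so `regress_user1`–`regress_user6` and `regress_group1`/`regress_group2` left behind by a failed run of the pre-rename script are no longer removed. Roles are cluster-wide rather than per-database, so on a long-lived cluster that is reused for installcheck-style runs those stale roles, with whatever memberships and grants they still hold, would persist after this change. If such clusters are in scope, either keep the old `DROP ROLE IF EXISTS` lines for a transition period or record the decision with a comment such as `-- roles created by pre-rename versions of this test are not cleaned up here`. Whether any affected cluster exists cannot be told from this page.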
@ -23,25 +23,25 @@ RESET client_min_messages;
-- test proper begins here
CREATE USER regress_user1 ;
CREATE USER regress_user2 ;
CREATE USER regress_user3 ;
CREATE USER regress_user4 ;
CREATE USER regress_user5 ;
CREATE USER regress_user5 ; -- duplicate
CREATE USER regress_priv_ user1 ;
CREATE USER regress_priv_ user2 ;
CREATE USER regress_priv_ user3 ;
CREATE USER regress_priv_ user4 ;
CREATE USER regress_priv_ user5 ;
CREATE USER regress_priv_ user5 ; -- duplicate
CREATE GROUP regress_group1 ;
CREATE GROUP regress_group2 WITH USER regress_user1 , regress_user2 ;
CREATE GROUP regress_priv_ group1 ;
CREATE GROUP regress_priv_ group2 WITH USER regress_priv_ user1 , regress_priv _user2 ;
ALTER GROUP regress_group1 ADD USER regress_user4 ;
ALTER GROUP regress_priv_ group1 ADD USER regress_priv _user4 ;
ALTER GROUP regress_group2 ADD USER regress_user2 ; -- duplicate
ALTER GROUP regress_group2 DROP USER regress_user2 ;
GRANT regress_group2 TO regress_user4 WITH ADMIN OPTION ;
ALTER GROUP regress_priv_ group2 ADD USER regress_priv _user2 ; -- duplicate
ALTER GROUP regress_priv_ group2 DROP USER regress_priv _user2 ;
GRANT regress_priv_ group2 TO regress_priv _user4 WITH ADMIN OPTION ;
-- test owner privileges
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
SELECT session_user , current_user ;
CREATE TABLE atest1 ( a int , b text ) ;
@ -57,18 +57,18 @@ COMMIT;
REVOKE ALL ON atest1 FROM PUBLIC ;
SELECT * FROM atest1 ;
GRANT ALL ON atest1 TO regress_user2 ;
GRANT SELECT ON atest1 TO regress_user3 , regress_user4 ;
GRANT ALL ON atest1 TO regress_priv_ user2 ;
GRANT SELECT ON atest1 TO regress_priv_ user3 , regress_priv _user4 ;
SELECT * FROM atest1 ;
CREATE TABLE atest2 ( col1 varchar ( 10 ) , col2 boolean ) ;
GRANT SELECT ON atest2 TO regress_user2 ;
GRANT UPDATE ON atest2 TO regress_user3 ;
GRANT INSERT ON atest2 TO regress_user4 ;
GRANT TRUNCATE ON atest2 TO regress_user5 ;
GRANT SELECT ON atest2 TO regress_priv_ user2 ;
GRANT UPDATE ON atest2 TO regress_priv_ user3 ;
GRANT INSERT ON atest2 TO regress_priv_ user4 ;
GRANT TRUNCATE ON atest2 TO regress_priv_ user5 ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
SELECT session_user , current_user ;
-- try various combinations of queries on atest1 and atest2
@ -95,7 +95,7 @@ SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) ) ;
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
SELECT session_user , current_user ;
SELECT * FROM atest1 ; -- ok
@ -120,7 +120,7 @@ COPY atest2 FROM stdin; -- fail
SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) ) ;
SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) ) ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
COPY atest2 FROM stdin ; -- ok
bar true
\ .
@ -129,8 +129,8 @@ SELECT * FROM atest1; -- ok
-- test leaky-function protections in selfuncs
-- regress_user1 will own a table and provide a view for it.
SET SESSION AUTHORIZATION regress_user1 ;
-- regress_priv_ user1 will own a table and provide a view for it.
SET SESSION AUTHORIZATION regress_priv_ user1 ;
CREATE TABLE atest12 as
SELECT x AS a , 10001 - x AS b FROM generate_series ( 1 , 10000 ) x ;
@ -156,8 +156,8 @@ EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b;
EXPLAIN ( COSTS OFF ) SELECT * FROM atest12 x , atest12 y
WHERE x . a = y . b and abs ( y . a ) < < < 5 ;
-- Check if regress_user2 can break security.
SET SESSION AUTHORIZATION regress_user2 ;
-- Check if regress_priv_ user2 can break security.
SET SESSION AUTHORIZATION regress_priv_ user2 ;
CREATE FUNCTION leak2 ( integer , integer ) RETURNS boolean
AS $ $ begin raise notice ' leak % % ' , $ 1 , $ 2 ; return $ 1 > $ 2 ; end $ $
@ -171,12 +171,12 @@ EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0;
-- This plan should use hashjoin, as it will expect many rows to be selected.
EXPLAIN ( COSTS OFF ) SELECT * FROM atest12v x , atest12v y WHERE x . a = y . b ;
-- Now regress_user1 grants sufficient access to regress_user2.
SET SESSION AUTHORIZATION regress_user1 ;
-- Now regress_priv_ user1 grants sufficient access to regress_priv _user2.
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT SELECT ( a , b ) ON atest12 TO PUBLIC ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
-- Now regress_user2 will also get a good row estimate.
-- Now regress_priv_ user2 will also get a good row estimate.
EXPLAIN ( COSTS OFF ) SELECT * FROM atest12v x , atest12v y WHERE x . a = y . b ;
-- But not for this, due to lack of table-wide permissions needed
@ -184,17 +184,17 @@ EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b;
EXPLAIN ( COSTS OFF ) SELECT * FROM atest12 x , atest12 y
WHERE x . a = y . b and abs ( y . a ) < < < 5 ;
-- clean up (regress_user1's objects are all dropped later)
-- clean up (regress_priv_ user1's objects are all dropped later)
DROP FUNCTION leak2 ( integer , integer ) CASCADE ;
-- groups
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
CREATE TABLE atest3 ( one int , two int , three int ) ;
GRANT DELETE ON atest3 TO GROUP regress_group2 ;
GRANT DELETE ON atest3 TO GROUP regress_priv_ group2 ;
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
SELECT * FROM atest3 ; -- fail
DELETE FROM atest3 ; -- ok
@ -202,7 +202,7 @@ DELETE FROM atest3; -- ok
-- views
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
CREATE VIEW atestv1 AS SELECT * FROM atest1 ; -- ok
/* The next * should * fail, but it's not implemented that way yet. */
@ -213,10 +213,10 @@ CREATE VIEW atestv0 AS SELECT 0 as x WHERE false; -- ok
SELECT * FROM atestv1 ; -- ok
SELECT * FROM atestv2 ; -- fail
GRANT SELECT ON atestv1 , atestv3 TO regress_user4 ;
GRANT SELECT ON atestv2 TO regress_user2 ;
GRANT SELECT ON atestv1 , atestv3 TO regress_priv_ user4 ;
GRANT SELECT ON atestv2 TO regress_priv_ user2 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT * FROM atestv1 ; -- ok
SELECT * FROM atestv2 ; -- fail
@ -240,29 +240,29 @@ reset constraint_exclusion;
CREATE VIEW atestv4 AS SELECT * FROM atestv3 ; -- nested view
SELECT * FROM atestv4 ; -- ok
GRANT SELECT ON atestv4 TO regress_user2 ;
GRANT SELECT ON atestv4 TO regress_priv_ user2 ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
-- Two complex cases:
SELECT * FROM atestv3 ; -- fail
SELECT * FROM atestv4 ; -- ok (even though regress_user2 cannot access underlying atestv3)
SELECT * FROM atestv4 ; -- ok (even though regress_priv_ user2 cannot access underlying atestv3)
SELECT * FROM atest2 ; -- ok
SELECT * FROM atestv2 ; -- fail (even though regress_user2 can access underlying atest2)
SELECT * FROM atestv2 ; -- fail (even though regress_priv_ user2 can access underlying atest2)
-- Test column level permissions
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
CREATE TABLE atest5 ( one int , two int unique , three int , four int unique ) ;
CREATE TABLE atest6 ( one int , two int , blue int ) ;
GRANT SELECT ( one ) , INSERT ( two ) , UPDATE ( three ) ON atest5 TO regress_user4 ;
GRANT ALL ( one ) ON atest5 TO regress_user3 ;
GRANT SELECT ( one ) , INSERT ( two ) , UPDATE ( three ) ON atest5 TO regress_priv_ user4 ;
GRANT ALL ( one ) ON atest5 TO regress_priv_ user3 ;
INSERT INTO atest5 VALUES ( 1 , 2 , 3 ) ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT * FROM atest5 ; -- fail
SELECT one FROM atest5 ; -- ok
COPY atest5 ( one ) TO stdout ; -- ok
@ -283,16 +283,16 @@ SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.two); -
SELECT atest1 . * , atest5 . one FROM atest1 JOIN atest5 ON ( atest1 . a = atest5 . one ) ; -- ok
SELECT one , two FROM atest5 ; -- fail
SET SESSION AUTHORIZATION regress_user1 ;
GRANT SELECT ( one , two ) ON atest6 TO regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT SELECT ( one , two ) ON atest6 TO regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT one , two FROM atest5 NATURAL JOIN atest6 ; -- fail still
SET SESSION AUTHORIZATION regress_user1 ;
GRANT SELECT ( two ) ON atest5 TO regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT SELECT ( two ) ON atest5 TO regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT one , two FROM atest5 NATURAL JOIN atest6 ; -- ok now
-- test column-level privileges for INSERT and UPDATE
@ -324,37 +324,37 @@ INSERT INTO atest5(three) VALUES (4) ON CONFLICT (two) DO UPDATE set three = 10;
-- Check that the columns in the inference require select privileges
INSERT INTO atest5 ( four ) VALUES ( 4 ) ; -- fail
SET SESSION AUTHORIZATION regress_user1 ;
GRANT INSERT ( four ) ON atest5 TO regress_user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT INSERT ( four ) ON atest5 TO regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
INSERT INTO atest5 ( four ) VALUES ( 4 ) ON CONFLICT ( four ) DO UPDATE set three = 3 ; -- fails (due to SELECT)
INSERT INTO atest5 ( four ) VALUES ( 4 ) ON CONFLICT ON CONSTRAINT atest5_four_key DO UPDATE set three = 3 ; -- fails (due to SELECT)
INSERT INTO atest5 ( four ) VALUES ( 4 ) ; -- ok
SET SESSION AUTHORIZATION regress_user1 ;
GRANT SELECT ( four ) ON atest5 TO regress_user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT SELECT ( four ) ON atest5 TO regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
INSERT INTO atest5 ( four ) VALUES ( 4 ) ON CONFLICT ( four ) DO UPDATE set three = 3 ; -- ok
INSERT INTO atest5 ( four ) VALUES ( 4 ) ON CONFLICT ON CONSTRAINT atest5_four_key DO UPDATE set three = 3 ; -- ok
SET SESSION AUTHORIZATION regress_user1 ;
REVOKE ALL ( one ) ON atest5 FROM regress_user4 ;
GRANT SELECT ( one , two , blue ) ON atest6 TO regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
REVOKE ALL ( one ) ON atest5 FROM regress_priv_ user4 ;
GRANT SELECT ( one , two , blue ) ON atest6 TO regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT one FROM atest5 ; -- fail
UPDATE atest5 SET one = 1 ; -- fail
SELECT atest6 FROM atest6 ; -- ok
COPY atest6 TO stdout ; -- ok
-- check error reporting with column privs
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
CREATE TABLE t1 ( c1 int , c2 int , c3 int check ( c3 < 5 ) , primary key ( c1 , c2 ) ) ;
GRANT SELECT ( c1 ) ON t1 TO regress_user2 ;
GRANT INSERT ( c1 , c2 , c3 ) ON t1 TO regress_user2 ;
GRANT UPDATE ( c1 , c2 , c3 ) ON t1 TO regress_user2 ;
GRANT SELECT ( c1 ) ON t1 TO regress_priv_ user2 ;
GRANT INSERT ( c1 , c2 , c3 ) ON t1 TO regress_priv_ user2 ;
GRANT UPDATE ( c1 , c2 , c3 ) ON t1 TO regress_priv_ user2 ;
-- seed data
INSERT INTO t1 VALUES ( 1 , 1 , 1 ) ;
@ -363,7 +363,7 @@ INSERT INTO t1 VALUES (2, 1, 2);
INSERT INTO t1 VALUES ( 2 , 2 , 2 ) ;
INSERT INTO t1 VALUES ( 3 , 1 , 3 ) ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
INSERT INTO t1 ( c1 , c2 ) VALUES ( 1 , 1 ) ; -- fail, but row not shown
UPDATE t1 SET c2 = 1 ; -- fail, but row not shown
INSERT INTO t1 ( c1 , c2 ) VALUES ( null , null ) ; -- fail, but see columns being inserted
@ -371,59 +371,59 @@ INSERT INTO t1 (c3) VALUES (null); -- fail, but see columns being inserted or ha
INSERT INTO t1 ( c1 ) VALUES ( 5 ) ; -- fail, but see columns being inserted or have SELECT
UPDATE t1 SET c3 = 10 ; -- fail, but see columns with SELECT rights, or being modified
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
DROP TABLE t1 ;
-- test column-level privileges when involved with DELETE
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
ALTER TABLE atest6 ADD COLUMN three integer ;
GRANT DELETE ON atest5 TO regress_user3 ;
GRANT SELECT ( two ) ON atest5 TO regress_user3 ;
REVOKE ALL ( one ) ON atest5 FROM regress_user3 ;
GRANT SELECT ( one ) ON atest5 TO regress_user4 ;
GRANT DELETE ON atest5 TO regress_priv_ user3 ;
GRANT SELECT ( two ) ON atest5 TO regress_priv_ user3 ;
REVOKE ALL ( one ) ON atest5 FROM regress_priv_ user3 ;
GRANT SELECT ( one ) ON atest5 TO regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT atest6 FROM atest6 ; -- fail
SELECT one FROM atest5 NATURAL JOIN atest6 ; -- fail
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
ALTER TABLE atest6 DROP COLUMN three ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT atest6 FROM atest6 ; -- ok
SELECT one FROM atest5 NATURAL JOIN atest6 ; -- ok
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
ALTER TABLE atest6 DROP COLUMN two ;
REVOKE SELECT ( one , blue ) ON atest6 FROM regress_user4 ;
REVOKE SELECT ( one , blue ) ON atest6 FROM regress_priv_ user4 ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT * FROM atest6 ; -- fail
SELECT 1 FROM atest6 ; -- fail
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
DELETE FROM atest5 WHERE one = 1 ; -- fail
DELETE FROM atest5 WHERE two = 2 ; -- ok
-- check inheritance cases
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
CREATE TABLE atestp1 ( f1 int , f2 int ) WITH OIDS ;
CREATE TABLE atestp2 ( fx int , fy int ) WITH OIDS ;
CREATE TABLE atestc ( fz int ) INHERITS ( atestp1 , atestp2 ) ;
GRANT SELECT ( fx , fy , oid ) ON atestp2 TO regress_user2 ;
GRANT SELECT ( fx ) ON atestc TO regress_user2 ;
GRANT SELECT ( fx , fy , oid ) ON atestp2 TO regress_priv_ user2 ;
GRANT SELECT ( fx ) ON atestc TO regress_priv_ user2 ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
SELECT fx FROM atestp2 ; -- ok
SELECT fy FROM atestp2 ; -- ok
SELECT atestp2 FROM atestp2 ; -- ok
SELECT oid FROM atestp2 ; -- ok
SELECT fy FROM atestc ; -- fail
SET SESSION AUTHORIZATION regress_user1 ;
GRANT SELECT ( fy , oid ) ON atestc TO regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT SELECT ( fy , oid ) ON atestc TO regress_priv_ user2 ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
SELECT fx FROM atestp2 ; -- still ok
SELECT fy FROM atestp2 ; -- ok
SELECT atestp2 FROM atestp2 ; -- ok
@ -435,48 +435,48 @@ SELECT oid FROM atestp2; -- ok
\ c -
REVOKE ALL PRIVILEGES ON LANGUAGE sql FROM PUBLIC ;
GRANT USAGE ON LANGUAGE sql TO regress_user1 ; -- ok
GRANT USAGE ON LANGUAGE sql TO regress_priv_ user1 ; -- ok
GRANT USAGE ON LANGUAGE c TO PUBLIC ; -- fail
SET SESSION AUTHORIZATION regress_user1 ;
GRANT USAGE ON LANGUAGE sql TO regress_user2 ; -- fail
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT USAGE ON LANGUAGE sql TO regress_priv_ user2 ; -- fail
CREATE FUNCTION testfunc1 ( int ) RETURNS int AS ' select 2 * $1; ' LANGUAGE sql ;
CREATE FUNCTION testfunc2 ( int ) RETURNS int AS ' select 3 * $1; ' LANGUAGE sql ;
CREATE AGGREGATE testagg1 ( int ) ( sfunc = int4pl , stype = int4 ) ;
CREATE PROCEDURE testproc1 ( int ) AS ' select $1; ' LANGUAGE sql ;
REVOKE ALL ON FUNCTION testfunc1 ( int ) , testfunc2 ( int ) , testagg1 ( int ) FROM PUBLIC ;
GRANT EXECUTE ON FUNCTION testfunc1 ( int ) , testfunc2 ( int ) , testagg1 ( int ) TO regress_user2 ;
GRANT EXECUTE ON FUNCTION testfunc1 ( int ) , testfunc2 ( int ) , testagg1 ( int ) TO regress_priv_ user2 ;
REVOKE ALL ON FUNCTION testproc1 ( int ) FROM PUBLIC ; -- fail, not a function
REVOKE ALL ON PROCEDURE testproc1 ( int ) FROM PUBLIC ;
GRANT EXECUTE ON PROCEDURE testproc1 ( int ) TO regress_user2 ;
GRANT USAGE ON FUNCTION testfunc1 ( int ) TO regress_user3 ; -- semantic error
GRANT USAGE ON FUNCTION testagg1 ( int ) TO regress_user3 ; -- semantic error
GRANT USAGE ON PROCEDURE testproc1 ( int ) TO regress_user3 ; -- semantic error
GRANT ALL PRIVILEGES ON FUNCTION testfunc1 ( int ) TO regress_user4 ;
GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch ( int ) TO regress_user4 ;
GRANT ALL PRIVILEGES ON FUNCTION testagg1 ( int ) TO regress_user4 ;
GRANT ALL PRIVILEGES ON PROCEDURE testproc1 ( int ) TO regress_user4 ;
GRANT EXECUTE ON PROCEDURE testproc1 ( int ) TO regress_priv_ user2 ;
GRANT USAGE ON FUNCTION testfunc1 ( int ) TO regress_priv_ user3 ; -- semantic error
GRANT USAGE ON FUNCTION testagg1 ( int ) TO regress_priv_ user3 ; -- semantic error
GRANT USAGE ON PROCEDURE testproc1 ( int ) TO regress_priv_ user3 ; -- semantic error
GRANT ALL PRIVILEGES ON FUNCTION testfunc1 ( int ) TO regress_priv_ user4 ;
GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch ( int ) TO regress_priv_ user4 ;
GRANT ALL PRIVILEGES ON FUNCTION testagg1 ( int ) TO regress_priv_ user4 ;
GRANT ALL PRIVILEGES ON PROCEDURE testproc1 ( int ) TO regress_priv_ user4 ;
CREATE FUNCTION testfunc4 ( boolean ) RETURNS text
AS ' select col1 from atest2 where col2 = $1; '
LANGUAGE sql SECURITY DEFINER ;
GRANT EXECUTE ON FUNCTION testfunc4 ( boolean ) TO regress_user3 ;
GRANT EXECUTE ON FUNCTION testfunc4 ( boolean ) TO regress_priv_ user3 ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
SELECT testfunc1 ( 5 ) , testfunc2 ( 5 ) ; -- ok
CREATE FUNCTION testfunc3 ( int ) RETURNS int AS ' select 2 * $1; ' LANGUAGE sql ; -- fail
SELECT testagg1 ( x ) FROM ( VALUES ( 1 ) , ( 2 ) , ( 3 ) ) _ ( x ) ; -- ok
CALL testproc1 ( 6 ) ; -- ok
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
SELECT testfunc1 ( 5 ) ; -- fail
SELECT testagg1 ( x ) FROM ( VALUES ( 1 ) , ( 2 ) , ( 3 ) ) _ ( x ) ; -- fail
CALL testproc1 ( 6 ) ; -- fail
SELECT col1 FROM atest2 WHERE col2 = true ; -- fail
SELECT testfunc4 ( true ) ; -- ok
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT testfunc1 ( 5 ) ; -- ok
SELECT testagg1 ( x ) FROM ( VALUES ( 1 ) , ( 2 ) , ( 3 ) ) _ ( x ) ; -- ok
CALL testproc1 ( 6 ) ; -- ok
@ -496,7 +496,7 @@ BEGIN;
SELECT ' {1} ' : : int4 [ ] : : int8 [ ] ;
REVOKE ALL ON FUNCTION int8 ( integer ) FROM PUBLIC ;
SELECT ' {1} ' : : int4 [ ] : : int8 [ ] ; - - superuser , suceed
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT ' {1} ' : : int4 [ ] : : int8 [ ] ; - - other user , fail
ROLLBACK ;
@ -507,16 +507,16 @@ ROLLBACK;
CREATE TYPE testtype1 AS ( a int , b text ) ;
REVOKE USAGE ON TYPE testtype1 FROM PUBLIC ;
GRANT USAGE ON TYPE testtype1 TO regress_user2 ;
GRANT USAGE ON TYPE _testtype1 TO regress_user2 ; -- fail
GRANT USAGE ON DOMAIN testtype1 TO regress_user2 ; -- fail
GRANT USAGE ON TYPE testtype1 TO regress_priv_ user2 ;
GRANT USAGE ON TYPE _testtype1 TO regress_priv_ user2 ; -- fail
GRANT USAGE ON DOMAIN testtype1 TO regress_priv_ user2 ; -- fail
CREATE DOMAIN testdomain1 AS int ;
REVOKE USAGE on DOMAIN testdomain1 FROM PUBLIC ;
GRANT USAGE ON DOMAIN testdomain1 TO regress_user2 ;
GRANT USAGE ON TYPE testdomain1 TO regress_user2 ; -- ok
GRANT USAGE ON DOMAIN testdomain1 TO regress_priv_ user2 ;
GRANT USAGE ON TYPE testdomain1 TO regress_priv_ user2 ; -- ok
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
-- commands that should fail
@ -553,7 +553,7 @@ CREATE TABLE test11a AS (SELECT 1::testdomain1 AS a);
REVOKE ALL ON TYPE testtype1 FROM PUBLIC ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
-- commands that should succeed
@ -610,7 +610,7 @@ DROP DOMAIN testdomain1; -- ok
-- truncate
SET SESSION AUTHORIZATION regress_user5 ;
SET SESSION AUTHORIZATION regress_priv_ user5 ;
TRUNCATE atest2 ; -- ok
TRUNCATE atest3 ; -- fail
@ -659,7 +659,7 @@ select has_table_privilege(t1.oid,'trigger')
from ( select oid from pg_class where relname = ' pg_authid ' ) as t1 ;
-- non-superuser
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
select has_table_privilege ( current_user , ' pg_class ' , ' select ' ) ;
select has_table_privilege ( current_user , ' pg_class ' , ' insert ' ) ;
@ -718,56 +718,56 @@ from (select oid from pg_class where relname = 'atest1') as t1;
-- Grant options
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
CREATE TABLE atest4 ( a int ) ;
GRANT SELECT ON atest4 TO regress_user2 WITH GRANT OPTION ;
GRANT UPDATE ON atest4 TO regress_user2 ;
GRANT SELECT ON atest4 TO GROUP regress_group1 WITH GRANT OPTION ;
GRANT SELECT ON atest4 TO regress_priv_ user2 WITH GRANT OPTION ;
GRANT UPDATE ON atest4 TO regress_priv_ user2 ;
GRANT SELECT ON atest4 TO GROUP regress_priv_ group1 WITH GRANT OPTION ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
GRANT SELECT ON atest4 TO regress_user3 ;
GRANT UPDATE ON atest4 TO regress_user3 ; -- fail
GRANT SELECT ON atest4 TO regress_priv_ user3 ;
GRANT UPDATE ON atest4 TO regress_priv_ user3 ; -- fail
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
REVOKE SELECT ON atest4 FROM regress_user3 ; -- does nothing
SELECT has_table_privilege ( ' regress_user3 ' , ' atest4 ' , ' SELECT ' ) ; -- true
REVOKE SELECT ON atest4 FROM regress_user2 ; -- fail
REVOKE GRANT OPTION FOR SELECT ON atest4 FROM regress_user2 CASCADE ; -- ok
SELECT has_table_privilege ( ' regress_user2 ' , ' atest4 ' , ' SELECT ' ) ; -- true
SELECT has_table_privilege ( ' regress_user3 ' , ' atest4 ' , ' SELECT ' ) ; -- false
REVOKE SELECT ON atest4 FROM regress_priv_ user3 ; -- does nothing
SELECT has_table_privilege ( ' regress_priv_ user3 ' , ' atest4 ' , ' SELECT ' ) ; -- true
REVOKE SELECT ON atest4 FROM regress_priv_ user2 ; -- fail
REVOKE GRANT OPTION FOR SELECT ON atest4 FROM regress_priv_ user2 CASCADE ; -- ok
SELECT has_table_privilege ( ' regress_priv_ user2 ' , ' atest4 ' , ' SELECT ' ) ; -- true
SELECT has_table_privilege ( ' regress_priv_ user3 ' , ' atest4 ' , ' SELECT ' ) ; -- false
SELECT has_table_privilege ( ' regress_user1 ' , ' atest4 ' , ' SELECT WITH GRANT OPTION ' ) ; -- true
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' atest4 ' , ' SELECT WITH GRANT OPTION ' ) ; -- true
-- Admin options
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
CREATE FUNCTION dogrant_ok ( ) RETURNS void LANGUAGE sql SECURITY DEFINER AS
' GRANT regress_group2 TO regress_user5 ' ;
GRANT regress_group2 TO regress_user5 ; -- ok: had ADMIN OPTION
SET ROLE regress_group2 ;
GRANT regress_group2 TO regress_user5 ; -- fails: SET ROLE suspended privilege
' GRANT regress_priv_ group2 TO regress_priv _user5 ' ;
GRANT regress_priv_ group2 TO regress_priv _user5 ; -- ok: had ADMIN OPTION
SET ROLE regress_priv_ group2 ;
GRANT regress_priv_ group2 TO regress_priv _user5 ; -- fails: SET ROLE suspended privilege
SET SESSION AUTHORIZATION regress_user1 ;
GRANT regress_group2 TO regress_user5 ; -- fails: no ADMIN OPTION
SET SESSION AUTHORIZATION regress_priv_ user1 ;
GRANT regress_priv_ group2 TO regress_priv _user5 ; -- fails: no ADMIN OPTION
SELECT dogrant_ok ( ) ; -- ok: SECURITY DEFINER conveys ADMIN
SET ROLE regress_group2 ;
GRANT regress_group2 TO regress_user5 ; -- fails: SET ROLE did not help
SET ROLE regress_priv_ group2 ;
GRANT regress_priv_ group2 TO regress_priv _user5 ; -- fails: SET ROLE did not help
SET SESSION AUTHORIZATION regress_group2 ;
GRANT regress_group2 TO regress_user5 ; -- ok: a role can self-admin
SET SESSION AUTHORIZATION regress_priv_ group2 ;
GRANT regress_priv_ group2 TO regress_priv _user5 ; -- ok: a role can self-admin
CREATE FUNCTION dogrant_fails ( ) RETURNS void LANGUAGE sql SECURITY DEFINER AS
' GRANT regress_group2 TO regress_user5 ' ;
' GRANT regress_priv_ group2 TO regress_priv _user5 ' ;
SELECT dogrant_fails ( ) ; -- fails: no self-admin in SECURITY DEFINER
DROP FUNCTION dogrant_fails ( ) ;
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
DROP FUNCTION dogrant_ok ( ) ;
REVOKE regress_group2 FROM regress_user5 ;
REVOKE regress_priv_ group2 FROM regress_priv _user5 ;
-- has_sequence_privilege tests
@ -775,19 +775,19 @@ REVOKE regress_group2 FROM regress_user5;
CREATE SEQUENCE x_seq ;
GRANT USAGE on x_seq to regress_user2 ;
GRANT USAGE on x_seq to regress_priv_ user2 ;
SELECT has_sequence_privilege ( ' regress_user1 ' , ' atest1 ' , ' SELECT ' ) ;
SELECT has_sequence_privilege ( ' regress_user1 ' , ' x_seq ' , ' INSERT ' ) ;
SELECT has_sequence_privilege ( ' regress_user1 ' , ' x_seq ' , ' SELECT ' ) ;
SELECT has_sequence_privilege ( ' regress_priv_ user1 ' , ' atest1 ' , ' SELECT ' ) ;
SELECT has_sequence_privilege ( ' regress_priv_ user1 ' , ' x_seq ' , ' INSERT ' ) ;
SELECT has_sequence_privilege ( ' regress_priv_ user1 ' , ' x_seq ' , ' SELECT ' ) ;
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
SELECT has_sequence_privilege ( ' x_seq ' , ' USAGE ' ) ;
-- largeobject privilege tests
\ c -
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
SELECT lo_create ( 1001 ) ;
SELECT lo_create ( 1002 ) ;
@ -796,17 +796,17 @@ SELECT lo_create(1004);
SELECT lo_create ( 1005 ) ;
GRANT ALL ON LARGE OBJECT 1001 TO PUBLIC ;
GRANT SELECT ON LARGE OBJECT 1003 TO regress_user2 ;
GRANT SELECT , UPDATE ON LARGE OBJECT 1004 TO regress_user2 ;
GRANT ALL ON LARGE OBJECT 1005 TO regress_user2 ;
GRANT SELECT ON LARGE OBJECT 1005 TO regress_user2 WITH GRANT OPTION ;
GRANT SELECT ON LARGE OBJECT 1003 TO regress_priv_ user2 ;
GRANT SELECT , UPDATE ON LARGE OBJECT 1004 TO regress_priv_ user2 ;
GRANT ALL ON LARGE OBJECT 1005 TO regress_priv_ user2 ;
GRANT SELECT ON LARGE OBJECT 1005 TO regress_priv_ user2 WITH GRANT OPTION ;
GRANT SELECT , INSERT ON LARGE OBJECT 1001 TO PUBLIC ; -- to be failed
GRANT SELECT , UPDATE ON LARGE OBJECT 1001 TO nosuchuser ; -- to be failed
GRANT SELECT , UPDATE ON LARGE OBJECT 999 TO PUBLIC ; -- to be failed
\ c -
SET SESSION AUTHORIZATION regress_user2 ;
SET SESSION AUTHORIZATION regress_priv_ user2 ;
SELECT lo_create ( 2001 ) ;
SELECT lo_create ( 2002 ) ;
@ -824,10 +824,10 @@ SELECT lowrite(lo_open(1002, x'20000'::int), 'abcd'); -- to be denied
SELECT lowrite ( lo_open ( 1003 , x ' 20000 ' : : int ) , ' abcd ' ) ; -- to be denied
SELECT lowrite ( lo_open ( 1004 , x ' 20000 ' : : int ) , ' abcd ' ) ;
GRANT SELECT ON LARGE OBJECT 1005 TO regress_user3 ;
GRANT UPDATE ON LARGE OBJECT 1006 TO regress_user3 ; -- to be denied
GRANT SELECT ON LARGE OBJECT 1005 TO regress_priv_ user3 ;
GRANT UPDATE ON LARGE OBJECT 1006 TO regress_priv_ user3 ; -- to be denied
REVOKE ALL ON LARGE OBJECT 2001 , 2002 FROM PUBLIC ;
GRANT ALL ON LARGE OBJECT 2001 TO regress_user3 ;
GRANT ALL ON LARGE OBJECT 2001 TO regress_priv_ user3 ;
SELECT lo_unlink ( 1001 ) ; -- to be denied
SELECT lo_unlink ( 2002 ) ;
@ -836,7 +836,7 @@ SELECT lo_unlink(2002);
-- confirm ACL setting
SELECT oid , pg_get_userbyid ( lomowner ) ownername , lomacl FROM pg_largeobject_metadata WHERE oid > = 1000 AND oid < 3000 ORDER BY oid ;
SET SESSION AUTHORIZATION regress_user3 ;
SET SESSION AUTHORIZATION regress_priv_ user3 ;
SELECT loread ( lo_open ( 1001 , x ' 40000 ' : : int ) , 32 ) ;
SELECT loread ( lo_open ( 1003 , x ' 40000 ' : : int ) , 32 ) ; -- to be denied
@ -848,7 +848,7 @@ SELECT lo_truncate(lo_open(2001, x'20000'::int), 10);
-- compatibility mode in largeobject permission
\ c -
SET lo_compat_privileges = false ; -- default setting
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT loread ( lo_open ( 1002 , x ' 40000 ' : : int ) , 32 ) ; -- to be denied
SELECT lowrite ( lo_open ( 1002 , x ' 20000 ' : : int ) , ' abcd ' ) ; -- to be denied
@ -861,7 +861,7 @@ SELECT lo_import('/dev/null', 2003); -- to be denied
\ c -
SET lo_compat_privileges = true ; -- compatibility mode
SET SESSION AUTHORIZATION regress_user4 ;
SET SESSION AUTHORIZATION regress_priv_ user4 ;
SELECT loread ( lo_open ( 1002 , x ' 40000 ' : : int ) , 32 ) ;
SELECT lowrite ( lo_open ( 1002 , x ' 20000 ' : : int ) , ' abcd ' ) ;
@ -873,87 +873,87 @@ SELECT lo_export(1001, '/dev/null'); -- to be denied
\ c -
SELECT * FROM pg_largeobject LIMIT 0 ;
SET SESSION AUTHORIZATION regress_user1 ;
SET SESSION AUTHORIZATION regress_priv_ user1 ;
SELECT * FROM pg_largeobject LIMIT 0 ; -- to be denied
-- test default ACLs
\ c -
CREATE SCHEMA testns ;
GRANT ALL ON SCHEMA testns TO regress_user1 ;
GRANT ALL ON SCHEMA testns TO regress_priv_ user1 ;
CREATE TABLE testns . acltest1 ( x int ) ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- no
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- no
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT SELECT ON TABLES TO public ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- no
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- no
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
DROP TABLE testns . acltest1 ;
CREATE TABLE testns . acltest1 ( x int ) ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT INSERT ON TABLES TO regress_user1 ;
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT INSERT ON TABLES TO regress_priv_ user1 ;
DROP TABLE testns . acltest1 ;
CREATE TABLE testns . acltest1 ( x int ) ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- yes
ALTER DEFAULT PRIVILEGES IN SCHEMA testns REVOKE INSERT ON TABLES FROM regress_user1 ;
ALTER DEFAULT PRIVILEGES IN SCHEMA testns REVOKE INSERT ON TABLES FROM regress_priv_ user1 ;
DROP TABLE testns . acltest1 ;
CREATE TABLE testns . acltest1 ( x int ) ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' SELECT ' ) ; -- yes
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.acltest1 ' , ' INSERT ' ) ; -- no
ALTER DEFAULT PRIVILEGES FOR ROLE regress_user1 REVOKE EXECUTE ON FUNCTIONS FROM public ;
ALTER DEFAULT PRIVILEGES FOR ROLE regress_priv_ user1 REVOKE EXECUTE ON FUNCTIONS FROM public ;
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT USAGE ON SCHEMAS TO regress_user2 ; -- error
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT USAGE ON SCHEMAS TO regress_priv_ user2 ; -- error
ALTER DEFAULT PRIVILEGES GRANT USAGE ON SCHEMAS TO regress_user2 ;
ALTER DEFAULT PRIVILEGES GRANT USAGE ON SCHEMAS TO regress_priv_ user2 ;
CREATE SCHEMA testns2 ;
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns2 ' , ' USAGE ' ) ; -- yes
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns2 ' , ' CREATE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns2 ' , ' USAGE ' ) ; -- yes
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns2 ' , ' CREATE ' ) ; -- no
ALTER DEFAULT PRIVILEGES REVOKE USAGE ON SCHEMAS FROM regress_user2 ;
ALTER DEFAULT PRIVILEGES REVOKE USAGE ON SCHEMAS FROM regress_priv_ user2 ;
CREATE SCHEMA testns3 ;
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns3 ' , ' USAGE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns3 ' , ' CREATE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns3 ' , ' USAGE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns3 ' , ' CREATE ' ) ; -- no
ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO regress_user2 ;
ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO regress_priv_ user2 ;
CREATE SCHEMA testns4 ;
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns4 ' , ' USAGE ' ) ; -- yes
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns4 ' , ' CREATE ' ) ; -- yes
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns4 ' , ' USAGE ' ) ; -- yes
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns4 ' , ' CREATE ' ) ; -- yes
ALTER DEFAULT PRIVILEGES REVOKE ALL ON SCHEMAS FROM regress_user2 ;
ALTER DEFAULT PRIVILEGES REVOKE ALL ON SCHEMAS FROM regress_priv_ user2 ;
CREATE SCHEMA testns5 ;
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns5 ' , ' USAGE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_user2 ' , ' testns5 ' , ' CREATE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns5 ' , ' USAGE ' ) ; -- no
SELECT has_schema_privilege ( ' regress_priv_ user2 ' , ' testns5 ' , ' CREATE ' ) ; -- no
SET ROLE regress_user1 ;
SET ROLE regress_priv_ user1 ;
CREATE FUNCTION testns . foo ( ) RETURNS int AS ' select 1 ' LANGUAGE sql ;
CREATE AGGREGATE testns . agg1 ( int ) ( sfunc = int4pl , stype = int4 ) ;
CREATE PROCEDURE testns . bar ( ) AS ' select 1 ' LANGUAGE sql ;
SELECT has_function_privilege ( ' regress_user2 ' , ' testns.foo() ' , ' EXECUTE ' ) ; -- no
SELECT has_function_privilege ( ' regress_user2 ' , ' testns.agg1(int) ' , ' EXECUTE ' ) ; -- no
SELECT has_function_privilege ( ' regress_user2 ' , ' testns.bar() ' , ' EXECUTE ' ) ; -- no
SELECT has_function_privilege ( ' regress_priv_ user2 ' , ' testns.foo() ' , ' EXECUTE ' ) ; -- no
SELECT has_function_privilege ( ' regress_priv_ user2 ' , ' testns.agg1(int) ' , ' EXECUTE ' ) ; -- no
SELECT has_function_privilege ( ' regress_priv_ user2 ' , ' testns.bar() ' , ' EXECUTE ' ) ; -- no
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT EXECUTE ON ROUTINES to public ;
@ -964,26 +964,26 @@ CREATE AGGREGATE testns.agg1(int) (sfunc = int4pl, stype = int4);
DROP PROCEDURE testns . bar ( ) ;
CREATE PROCEDURE testns . bar ( ) AS ' select 1 ' LANGUAGE sql ;
SELECT has_function_privilege ( ' regress_user2 ' , ' testns.foo() ' , ' EXECUTE ' ) ; -- yes
SELECT has_function_privilege ( ' regress_user2 ' , ' testns.agg1(int) ' , ' EXECUTE ' ) ; -- yes
SELECT has_function_privilege ( ' regress_user2 ' , ' testns.bar() ' , ' EXECUTE ' ) ; -- yes (counts as function here)
SELECT has_function_privilege ( ' regress_priv_ user2 ' , ' testns.foo() ' , ' EXECUTE ' ) ; -- yes
SELECT has_function_privilege ( ' regress_priv_ user2 ' , ' testns.agg1(int) ' , ' EXECUTE ' ) ; -- yes
SELECT has_function_privilege ( ' regress_priv_ user2 ' , ' testns.bar() ' , ' EXECUTE ' ) ; -- yes (counts as function here)
DROP FUNCTION testns . foo ( ) ;
DROP AGGREGATE testns . agg1 ( int ) ;
DROP PROCEDURE testns . bar ( ) ;
ALTER DEFAULT PRIVILEGES FOR ROLE regress_user1 REVOKE USAGE ON TYPES FROM public ;
ALTER DEFAULT PRIVILEGES FOR ROLE regress_priv_ user1 REVOKE USAGE ON TYPES FROM public ;
CREATE DOMAIN testns . testdomain1 AS int ;
SELECT has_type_privilege ( ' regress_user2 ' , ' testns.testdomain1 ' , ' USAGE ' ) ; -- no
SELECT has_type_privilege ( ' regress_priv_ user2 ' , ' testns.testdomain1 ' , ' USAGE ' ) ; -- no
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT USAGE ON TYPES to public ;
DROP DOMAIN testns . testdomain1 ;
CREATE DOMAIN testns . testdomain1 AS int ;
SELECT has_type_privilege ( ' regress_user2 ' , ' testns.testdomain1 ' , ' USAGE ' ) ; -- yes
SELECT has_type_privilege ( ' regress_priv_ user2 ' , ' testns.testdomain1 ' , ' USAGE ' ) ; -- yes
DROP DOMAIN testns . testdomain1 ;
@ -1011,41 +1011,41 @@ CREATE SCHEMA testns;
CREATE TABLE testns . t1 ( f1 int ) ;
CREATE TABLE testns . t2 ( f1 int ) ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.t1 ' , ' SELECT ' ) ; -- false
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.t1 ' , ' SELECT ' ) ; -- false
GRANT ALL ON ALL TABLES IN SCHEMA testns TO regress_user1 ;
GRANT ALL ON ALL TABLES IN SCHEMA testns TO regress_priv_ user1 ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.t1 ' , ' SELECT ' ) ; -- true
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.t2 ' , ' SELECT ' ) ; -- true
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.t1 ' , ' SELECT ' ) ; -- true
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.t2 ' , ' SELECT ' ) ; -- true
REVOKE ALL ON ALL TABLES IN SCHEMA testns FROM regress_user1 ;
REVOKE ALL ON ALL TABLES IN SCHEMA testns FROM regress_priv_ user1 ;
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.t1 ' , ' SELECT ' ) ; -- false
SELECT has_table_privilege ( ' regress_user1 ' , ' testns.t2 ' , ' SELECT ' ) ; -- false
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.t1 ' , ' SELECT ' ) ; -- false
SELECT has_table_privilege ( ' regress_priv_ user1 ' , ' testns.t2 ' , ' SELECT ' ) ; -- false
CREATE FUNCTION testns . testfunc ( int ) RETURNS int AS ' select 3 * $1; ' LANGUAGE sql ;
CREATE AGGREGATE testns . testagg ( int ) ( sfunc = int4pl , stype = int4 ) ;
CREATE PROCEDURE testns . testproc ( int ) AS ' select 3 ' LANGUAGE sql ;
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testfunc(int) ' , ' EXECUTE ' ) ; -- true by default
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testagg(int) ' , ' EXECUTE ' ) ; -- true by default
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- true by default
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testfunc(int) ' , ' EXECUTE ' ) ; -- true by default
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testagg(int) ' , ' EXECUTE ' ) ; -- true by default
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- true by default
REVOKE ALL ON ALL FUNCTIONS IN SCHEMA testns FROM PUBLIC ;
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testfunc(int) ' , ' EXECUTE ' ) ; -- false
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testagg(int) ' , ' EXECUTE ' ) ; -- false
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- still true, not a function
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testfunc(int) ' , ' EXECUTE ' ) ; -- false
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testagg(int) ' , ' EXECUTE ' ) ; -- false
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- still true, not a function
REVOKE ALL ON ALL PROCEDURES IN SCHEMA testns FROM PUBLIC ;
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- now false
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- now false
GRANT ALL ON ALL ROUTINES IN SCHEMA testns TO PUBLIC ;
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testfunc(int) ' , ' EXECUTE ' ) ; -- true
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testagg(int) ' , ' EXECUTE ' ) ; -- true
SELECT has_function_privilege ( ' regress_user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- true
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testfunc(int) ' , ' EXECUTE ' ) ; -- true
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testagg(int) ' , ' EXECUTE ' ) ; -- true
SELECT has_function_privilege ( ' regress_priv_ user1 ' , ' testns.testproc(int) ' , ' EXECUTE ' ) ; -- true
\ set VERBOSITY terse \ \ -- suppress cascade details
DROP SCHEMA testns CASCADE ;
@ -1082,24 +1082,24 @@ DROP ROLE regress_schemauser_renamed;
-- test that dependent privileges are revoked (or not) properly
\ c -
set session role regress_user1 ;
set session role regress_priv_ user1 ;
create table dep_priv_test ( a int ) ;
grant select on dep_priv_test to regress_user2 with grant option ;
grant select on dep_priv_test to regress_user3 with grant option ;
set session role regress_user2 ;
grant select on dep_priv_test to regress_user4 with grant option ;
set session role regress_user3 ;
grant select on dep_priv_test to regress_user4 with grant option ;
set session role regress_user4 ;
grant select on dep_priv_test to regress_user5 ;
grant select on dep_priv_test to regress_priv_ user2 with grant option ;
grant select on dep_priv_test to regress_priv_ user3 with grant option ;
set session role regress_priv_ user2 ;
grant select on dep_priv_test to regress_priv_ user4 with grant option ;
set session role regress_priv_ user3 ;
grant select on dep_priv_test to regress_priv_ user4 with grant option ;
set session role regress_priv_ user4 ;
grant select on dep_priv_test to regress_priv_ user5 ;
\ dp dep_priv_test
set session role regress_user2 ;
revoke select on dep_priv_test from regress_user4 cascade ;
set session role regress_priv_ user2 ;
revoke select on dep_priv_test from regress_priv_ user4 cascade ;
\ dp dep_priv_test
set session role regress_user3 ;
revoke select on dep_priv_test from regress_user4 cascade ;
set session role regress_priv_ user3 ;
revoke select on dep_priv_test from regress_priv_ user4 cascade ;
\ dp dep_priv_test
set session role regress_user1 ;
set session role regress_priv_ user1 ;
drop table dep_priv_test ;
@ -1134,19 +1134,19 @@ DROP TABLE atestp2;
SELECT lo_unlink ( oid ) FROM pg_largeobject_metadata WHERE oid > = 1000 AND oid < 3000 ORDER BY oid ;
DROP GROUP regress_group1 ;
DROP GROUP regress_group2 ;
DROP GROUP regress_priv_ group1 ;
DROP GROUP regress_priv_ group2 ;
-- these are needed to clean up permissions
REVOKE USAGE ON LANGUAGE sql FROM regress_user1 ;
DROP OWNED BY regress_user1 ;
DROP USER regress_user1 ;
DROP USER regress_user2 ;
DROP USER regress_user3 ;
DROP USER regress_user4 ;
DROP USER regress_user5 ;
DROP USER regress_user6 ;
REVOKE USAGE ON LANGUAGE sql FROM regress_priv_ user1 ;
DROP OWNED BY regress_priv_ user1 ;
DROP USER regress_priv_ user1 ;
DROP USER regress_priv_ user2 ;
DROP USER regress_priv_ user3 ;
DROP USER regress_priv_ user4 ;
DROP USER regress_priv_ user5 ;
DROP USER regress_priv_ user6 ;
-- permissions with LOCK TABLE