diff options
| author | Joe Conway <mail@joeconway.com> | 2022-03-28 15:10:04 -0400 |
|---|---|---|
| committer | Joe Conway <mail@joeconway.com> | 2022-03-28 15:10:04 -0400 |
| commit | 6198420ad8a72e37f4fe4964616b17e0fd33b808 (patch) | |
| tree | 48b9bf9c3997840958f3290ff8a1a2330a5b55b8 /src/backend/utils/adt/dbsize.c | |
| parent | 79de9842ab03259325ee4055fb0a7ebd2e4372ff (diff) | |
| download | postgresql-6198420ad8a72e37f4fe4964616b17e0fd33b808.tar.gz postgresql-6198420ad8a72e37f4fe4964616b17e0fd33b808.zip | |
Use has_privs_for_roles for predefined role checks
Generally if a role is granted membership to another role with NOINHERIT
they must use SET ROLE to access the privileges of that role, however
with predefined roles the membership and privilege is conflated. Fix that
by replacing is_member_of_role with has_privs_for_role for predefined
roles. Patch does not remove is_member_of_role from acl.h, but it does
add a warning not to use that function for privilege checking. Not
backpatched based on hackers list discussion.
Author: Joshua Brindle
Reviewed-by: Stephen Frost, Nathan Bossart, Joe Conway
Discussion: https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com
Diffstat (limited to 'src/backend/utils/adt/dbsize.c')
| -rw-r--r-- | src/backend/utils/adt/dbsize.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/backend/utils/adt/dbsize.c b/src/backend/utils/adt/dbsize.c index 3a2f2e1f99d..0576764ac4b 100644 --- a/src/backend/utils/adt/dbsize.c +++ b/src/backend/utils/adt/dbsize.c @@ -112,12 +112,12 @@ calculate_database_size(Oid dbOid) AclResult aclresult; /* - * User must have connect privilege for target database or be a member of + * User must have connect privilege for target database or have privileges of * pg_read_all_stats */ aclresult = pg_database_aclcheck(dbOid, GetUserId(), ACL_CONNECT); if (aclresult != ACLCHECK_OK && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { aclcheck_error(aclresult, OBJECT_DATABASE, get_database_name(dbOid)); @@ -196,12 +196,12 @@ calculate_tablespace_size(Oid tblspcOid) AclResult aclresult; /* - * User must be a member of pg_read_all_stats or have CREATE privilege for + * User must have privileges of pg_read_all_stats or have CREATE privilege for * target tablespace, either explicitly granted or implicitly because it * is default for current database. */ if (tblspcOid != MyDatabaseTableSpace && - !is_member_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) + !has_privs_of_role(GetUserId(), ROLE_PG_READ_ALL_STATS)) { aclresult = pg_tablespace_aclcheck(tblspcOid, GetUserId(), ACL_CREATE); if (aclresult != ACLCHECK_OK) |