Diffstat (limited to 'src/backend/rewrite/rowsecurity.c')
-rw-r--r-- | src/backend/rewrite/rowsecurity.c | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/src/backend/rewrite/rowsecurity.c b/src/backend/rewrite/rowsecurity.c index f49cfb6cc66..f03b36a6e4e 100644 --- a/src/backend/rewrite/rowsecurity.c +++ b/src/backend/rewrite/rowsecurity.c @@ -47,6 +47,7 @@ #include "nodes/pg_list.h" #include "nodes/plannodes.h" #include "parser/parsetree.h" +#include "parser/parse_relation.h" #include "rewrite/rewriteDefine.h" #include "rewrite/rewriteHandler.h" #include "rewrite/rewriteManip.h" @@ -115,6 +116,7 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, CmdType commandType; List *permissive_policies; List *restrictive_policies; + RTEPermissionInfo *perminfo; /* Defaults for the return values */ *securityQuals = NIL; @@ -122,16 +124,21 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, *hasRowSecurity = false; *hasSubLinks = false; + Assert(rte->rtekind == RTE_RELATION); + /* If this is not a normal relation, just return immediately */ if (rte->relkind != RELKIND_RELATION && rte->relkind != RELKIND_PARTITIONED_TABLE) return; + perminfo = getRTEPermissionInfo(root->rteperminfos, rte); + /* Switch to checkAsUser if it's set */ - user_id = OidIsValid(rte->checkAsUser) ? rte->checkAsUser : GetUserId(); + user_id = OidIsValid(perminfo->checkAsUser) ? + perminfo->checkAsUser : GetUserId(); /* Determine the state of RLS for this, pass checkAsUser explicitly */ - rls_status = check_enable_rls(rte->relid, rte->checkAsUser, false); + rls_status = check_enable_rls(rte->relid, perminfo->checkAsUser, false); /* If there is no RLS on this table at all, nothing to do */ if (rls_status == RLS_NONE) 
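Review bot: In the third hunk, `perminfo = getRTEPermissionInfo(root->rteperminfos, rte);` takes the list from `root` and the index from `rte`, and nothing visible here ties the two together. Because `perminfo->checkAsUser` then decides whose policies are selected, a caller passing an `rte` from a different query level would get row security evaluated for the wrong role. I would state the precondition in a comment above the lookup, e.g. `/* rte must be an entry of root->rtable; its permission info lives in root->rteperminfos */`. The added `Assert(rte->rtekind == RTE_RELATION)` disappears in non-assert builds, so production relies on whatever validation `getRTEPermissionInfo` performs (not shown on this page), since `perminfo` is dereferenced with no check. The function body continues outside the hunk.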
@@ -196,7 +203,7 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, * which the user does not have access to via the UPDATE USING policies, * similar to how we require normal UPDATE rights for these queries. */ - if (commandType == CMD_SELECT && rte->requiredPerms & ACL_UPDATE) + if (commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE) { List *update_permissive_policies; List *update_restrictive_policies; @@ -243,7 +250,7 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, */ if ((commandType == CMD_UPDATE || commandType == CMD_DELETE || commandType == CMD_MERGE) && - rte->requiredPerms & ACL_SELECT) + perminfo->requiredPerms & ACL_SELECT) { List *select_permissive_policies; List *select_restrictive_policies; @@ -286,7 +293,7 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, * raised if a policy is violated; otherwise, we might end up silently * dropping rows to be added. */ - if (rte->requiredPerms & ACL_SELECT) + if (perminfo->requiredPerms & ACL_SELECT) { List *select_permissive_policies = NIL; List *select_restrictive_policies = NIL; @@ -342,7 +349,7 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, * for this relation, also as WCO policies, again, to avoid * silently dropping data. See above. */ - if (rte->requiredPerms & ACL_SELECT) + if (perminfo->requiredPerms & ACL_SELECT) { get_policies_for_relation(rel, CMD_SELECT, user_id, &conflict_select_permissive_policies, @@ -371,7 +378,7 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT rights * are required for this relation. */ - if (rte->requiredPerms & ACL_SELECT) + if (perminfo->requiredPerms & ACL_SELECT) add_with_check_options(rel, rt_index, WCO_RLS_UPDATE_CHECK, conflict_select_permissive_policies, 
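Review bot: The two compound conditions on this line mix `&&` with an unparenthesised bitwise `&`: `commandType == CMD_SELECT && perminfo->requiredPerms & ACL_UPDATE` in the first hunk and `... && perminfo->requiredPerms & ACL_SELECT` in the UPDATE/DELETE/MERGE hunk. Precedence makes them correct today, but these tests gate which RLS policies are added, so a later edit that adds a clause could silently change the result. Since the lines are being touched anyway, I would write `(perminfo->requiredPerms & ACL_UPDATE) != 0` and `(perminfo->requiredPerms & ACL_SELECT) != 0`. The remaining three hunks use a bare `if (perminfo->requiredPerms & ACL_SELECT)` and read fine as they are. The enclosing function starts and ends outside these hunks.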
@@ -474,8 +481,8 @@ get_row_security_policies(Query *root, RangeTblEntry *rte, int rt_index, * Copy checkAsUser to the row security quals and WithCheckOption checks, * in case they contain any subqueries referring to other relations. */ - setRuleCheckAsUser((Node *) *securityQuals, rte->checkAsUser); - setRuleCheckAsUser((Node *) *withCheckOptions, rte->checkAsUser); + setRuleCheckAsUser((Node *) *securityQuals, perminfo->checkAsUser); + setRuleCheckAsUser((Node *) *withCheckOptions, perminfo->checkAsUser); /* * Mark this query as having row security, so plancache can invalidate it |
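Review bot: Both `setRuleCheckAsUser` calls pass the raw `perminfo->checkAsUser`, whereas the policies above were selected with `user_id`, which falls back to `GetUserId()` when `checkAsUser` is not a valid OID. The existing comment does not say that the raw value is intended. If an invalid OID is meant to mean "resolve the current user later", which is presumably the case, extend the comment with something like `/* pass checkAsUser unchanged (may be InvalidOid); do not substitute user_id here */`. That keeps a later cleanup from unifying the two and changing which role the policy subqueries are checked as.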