
Omit column permissions from "column_permissions" if the corresponding table privilege is granted

This is probably what users expect, since these column privileges are
implied, even if they were explicitly granted.

Per suggestion from Antonin Houska.
laurenz committed Dec 12, 2018
1 parent 0c45ef6 commit 7d38dcf
Showing 3 changed files with 7 additions and 29 deletions.
31 changes: 4 additions & 27 deletions expected/sample.out
Expand Up @@ -74,7 +74,7 @@ VALUES (13, 'user2', ARRAY['DELETE']::perm_type[], 'COLUMN', 'appschema', 'appta
ERROR: new row for relation "permission_target" violates check constraint "permission_target_valid"
DETAIL: Failing row contains (13, user2, {DELETE}, COLUMN, appschema, apptable2, val).
-- actual permissions
GRANT REFERENCES (val) ON appschema.apptable2 TO user1; -- missing SELECT, INSERT, UPDATE
-- missing REFERENCES for user1 on apptable2.val
GRANT UPDATE (val) ON appschema.apptable2 TO user2; -- extra privilege UPDATE
/* view */
-- desired permissions
Expand Down Expand Up @@ -133,31 +133,7 @@ ORDER BY object_type, role_name, schema_name, object_name, column_name, permissi
VIEW | user1 | appschema | appview | | DELETE
VIEW | user2 | appschema | appview | | SELECT
VIEW | users | appschema | appview | | SELECT
COLUMN | user1 | appschema | apptable | created | SELECT
COLUMN | user1 | appschema | apptable | created | INSERT
COLUMN | user1 | appschema | apptable | created | UPDATE
COLUMN | user1 | appschema | apptable | id | SELECT
COLUMN | user1 | appschema | apptable | id | INSERT
COLUMN | user1 | appschema | apptable | id | UPDATE
COLUMN | user1 | appschema | apptable | val | SELECT
COLUMN | user1 | appschema | apptable | val | INSERT
COLUMN | user1 | appschema | apptable | val | UPDATE
COLUMN | user1 | appschema | apptable2 | val | REFERENCES
COLUMN | user1 | appschema | appview | id | SELECT
COLUMN | user1 | appschema | appview | id | INSERT
COLUMN | user1 | appschema | appview | val | SELECT
COLUMN | user1 | appschema | appview | val | INSERT
COLUMN | user2 | appschema | apptable | created | SELECT
COLUMN | user2 | appschema | apptable | created | INSERT
COLUMN | user2 | appschema | apptable | id | SELECT
COLUMN | user2 | appschema | apptable | id | INSERT
COLUMN | user2 | appschema | apptable | val | SELECT
COLUMN | user2 | appschema | apptable | val | INSERT
COLUMN | user2 | appschema | apptable2 | val | UPDATE
COLUMN | user2 | appschema | appview | id | SELECT
COLUMN | user2 | appschema | appview | val | SELECT
COLUMN | users | appschema | appview | id | SELECT
COLUMN | users | appschema | appview | val | SELECT
SEQUENCE | user1 | appschema | appseq | | USAGE
SEQUENCE | user2 | appschema | appseq | | UPDATE
SEQUENCE | user2 | appschema | appseq | | USAGE
Expand All @@ -176,7 +152,7 @@ ORDER BY object_type, role_name, schema_name, object_name, column_name, permissi
DATABASE | user2 | | | | TEMPORARY
DATABASE | users | | | | CONNECT
DATABASE | users | | | | TEMPORARY
(53 rows)
(29 rows)

/* report differences */
SELECT * FROM permission_diffs()
Expand All @@ -196,14 +172,15 @@ ORDER BY object_type, schema_name, object_name, column_name, role_name, permissi
t | user1 | COLUMN | appschema | apptable2 | val | SELECT
t | user1 | COLUMN | appschema | apptable2 | val | INSERT
t | user1 | COLUMN | appschema | apptable2 | val | UPDATE
t | user1 | COLUMN | appschema | apptable2 | val | REFERENCES
f | user2 | COLUMN | appschema | apptable2 | val | UPDATE
t | user1 | SEQUENCE | appschema | appseq | | SELECT
f | user2 | SEQUENCE | appschema | appseq | | UPDATE
f | users | FUNCTION | appschema | appfun(integer) | | EXECUTE
t | user1 | SCHEMA | appschema | | | CREATE
f | user2 | SCHEMA | appschema | | | CREATE
f | user2 | DATABASE | | | | CREATE
(19 rows)
(20 rows)

/* clean up */
DROP FUNCTION appschema.appfun(integer);
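--- a/pg_permissions--1.0.sql
+++ b/pg_permissions--1.0.sql
@@ -73,7 +73,8 @@ SELECT obj_type 'COLUMN' AS object_type,
 t.relname::text AS object_name,
 c.attname AS column_name,
 p.perm::perm_type AS permission,
-has_column_privilege(r.oid, t.oid, c.attnum, p.perm) AS granted
+has_column_privilege(r.oid, t.oid, c.attnum, p.perm)
+AND NOT has_table_privilege(r.oid, t.oid, p.perm) AS granted
 FROM pg_catalog.pg_class AS t
 JOIN pg_catalog.pg_attribute AS c ON t.oid = c.attrelid
 CROSS JOIN pg_catalog.pg_roles AS r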
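Review bot: The new `granted` expression on these lines silently redefines the column — it now reports a column privilege only when the role does not also hold the corresponding table privilege — and nothing in the view says so, so a reader has to infer the intent from the negated `has_table_privilege` call. A comment directly above it, `-- a column privilege implied by the corresponding table privilege is not listed, even if it was also granted explicitly`, would record the rationale given in the commit message. For an auditing view this also deserves a line in the user-facing documentation: an explicit column GRANT that overlaps a table GRANT stays in the catalog but is now invisible here, and only resurfaces once the table privilege is revoked, so anyone reconciling grants against this output will not see that residual grant while the table privilege exists. The enclosing SELECT starts before and ends after this hunk.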
2 changes: 1 addition & 1 deletion sql/sample.sql
Expand Up @@ -77,7 +77,7 @@ INSERT INTO permission_target
(id, role_name, permissions, object_type, schema_name, object_name, column_name)
VALUES (13, 'user2', ARRAY['DELETE']::perm_type[], 'COLUMN', 'appschema', 'apptable2', 'val');
-- actual permissions
GRANT REFERENCES (val) ON appschema.apptable2 TO user1; -- missing SELECT, INSERT, UPDATE
-- missing REFERENCES for user1 on apptable2.val
GRANT UPDATE (val) ON appschema.apptable2 TO user2; -- extra privilege UPDATE

/* view */
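Review bot: After this hunk the sample contains no explicit column-level GRANT that overlaps a table-level privilege, which is precisely the case the commit message says should now be hidden ("even if they were explicitly granted"); the apptable COLUMN rows that vanish from expected/sample.out appear to be implied privileges only, so the new `AND NOT has_table_privilege(...)` branch is never exercised against an explicit grant. Adding one such statement to the actual-permissions block, e.g. `GRANT SELECT (val) ON appschema.apptable TO user1; -- implied by the table privilege, must not appear in column_permissions`, would pin that behaviour in the regression test, since the disappearing user1 SELECT rows on apptable indicate that user1 already holds SELECT at table level. The table-level grants themselves are set up outside this hunk, so the exact privilege to overlap should be checked there.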

