
Commit 7d38dcf

committed
Omit columns permissions from "column_permissions" if the corresponding table privilege is granted
This is probably what users expect, since these column privileges are implied, even if they were explicitly granted. Per suggestion from Antonin Houska.
1 parent 0c45ef6 commit 7d38dcf


3 files changed

+7
-29
lines changed


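--- a/expected/sample.out
+++ b/expected/sample.out
@@ -74,7 +74,7 @@ VALUES (13, 'user2', ARRAY['DELETE']::perm_type[], 'COLUMN', 'appschema', 'appta
 ERROR: new row for relation "permission_target" violates check constraint "permission_target_valid"
 DETAIL: Failing row contains (13, user2, {DELETE}, COLUMN, appschema, apptable2, val).
 -- actual permissions
-GRANT REFERENCES (val) ON appschema.apptable2 TO user1; -- missing SELECT, INSERT, UPDATE
+-- missing REFERENCES for user1 on apptable2.val
 GRANT UPDATE (val) ON appschema.apptable2 TO user2; -- extra privilege UPDATE
 /* view */
 -- desired permissions
@@ -133,31 +133,7 @@ ORDER BY object_type, role_name, schema_name, object_name, column_name, permissi
 VIEW | user1 | appschema | appview | | DELETE
 VIEW | user2 | appschema | appview | | SELECT
 VIEW | users | appschema | appview | | SELECT
-COLUMN | user1 | appschema | apptable | created | SELECT
-COLUMN | user1 | appschema | apptable | created | INSERT
-COLUMN | user1 | appschema | apptable | created | UPDATE
-COLUMN | user1 | appschema | apptable | id | SELECT
-COLUMN | user1 | appschema | apptable | id | INSERT
-COLUMN | user1 | appschema | apptable | id | UPDATE
-COLUMN | user1 | appschema | apptable | val | SELECT
-COLUMN | user1 | appschema | apptable | val | INSERT
-COLUMN | user1 | appschema | apptable | val | UPDATE
-COLUMN | user1 | appschema | apptable2 | val | REFERENCES
-COLUMN | user1 | appschema | appview | id | SELECT
-COLUMN | user1 | appschema | appview | id | INSERT
-COLUMN | user1 | appschema | appview | val | SELECT
-COLUMN | user1 | appschema | appview | val | INSERT
-COLUMN | user2 | appschema | apptable | created | SELECT
-COLUMN | user2 | appschema | apptable | created | INSERT
-COLUMN | user2 | appschema | apptable | id | SELECT
-COLUMN | user2 | appschema | apptable | id | INSERT
-COLUMN | user2 | appschema | apptable | val | SELECT
-COLUMN | user2 | appschema | apptable | val | INSERT
 COLUMN | user2 | appschema | apptable2 | val | UPDATE
-COLUMN | user2 | appschema | appview | id | SELECT
-COLUMN | user2 | appschema | appview | val | SELECT
-COLUMN | users | appschema | appview | id | SELECT
-COLUMN | users | appschema | appview | val | SELECT
 SEQUENCE | user1 | appschema | appseq | | USAGE
 SEQUENCE | user2 | appschema | appseq | | UPDATE
 SEQUENCE | user2 | appschema | appseq | | USAGE
@@ -176,7 +152,7 @@ ORDER BY object_type, role_name, schema_name, object_name, column_name, permissi
 DATABASE | user2 | | | | TEMPORARY
 DATABASE | users | | | | CONNECT
 DATABASE | users | | | | TEMPORARY
-(53 rows)
+(29 rows)
 
 /* report differences */
 SELECT * FROM permission_diffs()
@@ -196,14 +172,15 @@ ORDER BY object_type, schema_name, object_name, column_name, role_name, permissi
 t | user1 | COLUMN | appschema | apptable2 | val | SELECT
 t | user1 | COLUMN | appschema | apptable2 | val | INSERT
 t | user1 | COLUMN | appschema | apptable2 | val | UPDATE
+t | user1 | COLUMN | appschema | apptable2 | val | REFERENCES
 f | user2 | COLUMN | appschema | apptable2 | val | UPDATE
 t | user1 | SEQUENCE | appschema | appseq | | SELECT
 f | user2 | SEQUENCE | appschema | appseq | | UPDATE
 f | users | FUNCTION | appschema | appfun(integer) | | EXECUTE
 t | user1 | SCHEMA | appschema | | | CREATE
 f | user2 | SCHEMA | appschema | | | CREATE
 f | user2 | DATABASE | | | | CREATE
-(19 rows)
+(20 rows)
 
 /* clean up */
 DROP FUNCTION appschema.appfun(integer);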

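--- a/pg_permissions--1.0.sql
+++ b/pg_permissions--1.0.sql
@@ -73,7 +73,8 @@ SELECT obj_type 'COLUMN' AS object_type,
 t.relname::text AS object_name,
 c.attname AS column_name,
 p.perm::perm_type AS permission,
-has_column_privilege(r.oid, t.oid, c.attnum, p.perm) AS granted
+has_column_privilege(r.oid, t.oid, c.attnum, p.perm)
+AND NOT has_table_privilege(r.oid, t.oid, p.perm) AS granted
 FROM pg_catalog.pg_class AS t
 JOIN pg_catalog.pg_attribute AS c ON t.oid = c.attrelid
 CROSS JOIN pg_catalog.pg_roles AS r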
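Review bot: The new `granted` expression reports an explicitly granted column privilege as not granted whenever the same privilege is also held at table level, because has_column_privilege() already returns true for a table-level grant and the added `AND NOT has_table_privilege(r.oid, t.oid, p.perm)` then negates it, and no comment in the hunk says this is intentional. For a permission-audit view that is a security-relevant subtlety: a stale explicit column grant shadowed by a table grant is not reported while the table privilege exists and silently resurfaces once the table privilege is revoked, so anyone relying on this view to find leftover grants needs to know it. A comment above the expression would make the intent reviewable, e.g. `-- a column privilege only counts as granted when it is not already implied by the table-level privilege; explicit column grants shadowed by a table grant are deliberately hidden (see has_column_privilege semantics)`. The SELECT this expression belongs to starts and ends outside the hunk.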

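--- a/sql/sample.sql
+++ b/sql/sample.sql
@@ -77,7 +77,7 @@ INSERT INTO permission_target
 (id, role_name, permissions, object_type, schema_name, object_name, column_name)
 VALUES (13, 'user2', ARRAY['DELETE']::perm_type[], 'COLUMN', 'appschema', 'apptable2', 'val');
 -- actual permissions
-GRANT REFERENCES (val) ON appschema.apptable2 TO user1; -- missing SELECT, INSERT, UPDATE
+-- missing REFERENCES for user1 on apptable2.val
 GRANT UPDATE (val) ON appschema.apptable2 TO user2; -- extra privilege UPDATE
 
 /* view */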
