Thursday, May 22, 2008

[PATCHES] Extending grant insert on tables to sequences

? config.log
? config.status
Index: src/backend/catalog/aclchk.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/catalog/aclchk.c,v
retrieving revision 1.146
diff -c -r1.146 aclchk.c
*** src/backend/catalog/aclchk.c 12 May 2008 00:00:46 -0000 1.146
--- src/backend/catalog/aclchk.c 22 May 2008 18:13:18 -0000
***************
*** 360,365 ****
--- 360,402 ----
}

ExecGrantStmt_oids(&istmt);
+
+ /*
+ * If the objtype is a relation and the privileges includes INSERT, UPDATE
+ * or SELECT then extends the GRANT/REVOKE to the sequences owned by the
+ * relation
+ */
+ if (istmt.objtype == ACL_OBJECT_RELATION) &&
+ (istmt.privileges & (ACL_INSERT | ACL_UPDATE | ACL_SELECT))
+ {
+ AclMode priv;
+ foreach(cell, istmt.objects)
+ {
+ InternalGrant istmt_seq;
+
+ istmt_seq.is_grant = istmt.is_grant;
+ istmt_seq.objtype = ACL_OBJECT_SEQUENCE;
+ istmt_seq.grantees = istmt.grantees;
+ istmt_seq.grant_option = istmt.grant_option;
+ istmt_seq.behavior = istmt.behavior;
+
+ istmt_seq.all_privs = false;
+ istmt_seq.privileges = ACL_NO_RIGHTS;
+
+ istmt_seq.objects = getOwnedSequences(lfirst_oid(cell));
+ if (istmt_seq.objects != NIL)
+ {
+ if (istmt.privileges & (ACL_INSERT))
+ istmt_seq.privileges |= ACL_USAGE;
+ else if (istmt.privileges & (ACL_UPDATE))
+ istmt_seq.privileges |= ACL_UPDATE;
+ else if (istmt.privileges & (ACL_SELECT))
+ istmt_seq.privileges |= ACL_SELECT;
+
+ ExecGrantStmt_oids(&istmt_seq);
+ }
+ }
+ }
}

/*
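Review bot: The added `if` closes its parenthesis before `&&`, so the block does not compile as posted; it should read `if (istmt.objtype == ACL_OBJECT_RELATION && (istmt.privileges & (ACL_INSERT | ACL_UPDATE | ACL_SELECT)))`. The privilege mapping inside the loop is an `else if` chain, so a statement naming several privileges maps only the first match, which contradicts the comment above the block; three independent `if` tests would map each one. Because `is_grant` is copied from the table statement, the same chain applies to REVOKE: a single `REVOKE INSERT, SELECT` on the table would remove only USAGE from the owned sequences and could leave a SELECT that an earlier `GRANT SELECT` had propagated. The mirrored revoke would presumably also strip a sequence privilege that was granted explicitly, which should be stated in the comment, e.g. `* NB: REVOKE on the table also revokes the matching privilege on owned sequences, however it was granted.` `AclMode priv` is never used, and the enclosing function and the declaration of `cell` lie outside the hunk.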
Hi,

The idea of this patch is to avoid the need to make explicit grants on
sequences owned by tables.

This patch makes:
- GRANT INSERT ON TABLE extend to GRANT USAGE ON SEQUENCE (currval, nextval)
- GRANT UPDATE ON TABLE extend to GRANT UPDATE ON SEQUENCE (nextval, setval)
- GRANT SELECT ON TABLE extend to GRANT SELECT ON SEQUENCE (currval)

comments?

--
regards,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 087171157
