[postgresql] / src / test / regress / expected / privileges.out

--
-- Test access privileges
--
CREATE USER regressuser1;
CREATE USER regressuser2;
CREATE USER regressuser3;
CREATE USER regressuser4;
CREATE USER regressuser4;       -- duplicate
ERROR:  CREATE USER: user name "regressuser4" already exists
CREATE GROUP regressgroup1;
CREATE GROUP regressgroup2 WITH USER regressuser1, regressuser2;
ALTER GROUP regressgroup1 ADD USER regressuser4;
ALTER GROUP regressgroup2 ADD USER regressuser2;        -- duplicate
NOTICE:  ALTER GROUP: user "regressuser2" is already in group "regressgroup2"
ALTER GROUP regressgroup2 DROP USER regressuser2;
ALTER GROUP regressgroup2 ADD USER regressuser4;
-- test owner privileges
SET SESSION AUTHORIZATION regressuser1;
SELECT session_user, current_user;
 session_user | current_user 
--------------+--------------
 regressuser1 | regressuser1
(1 row)

CREATE TABLE atest1 ( a int, b text );
SELECT * FROM atest1;
 a | b 
---+---
(0 rows)

INSERT INTO atest1 VALUES (1, 'one');
DELETE FROM atest1;
UPDATE atest1 SET a = 1 WHERE b = 'blech';
LOCK atest1 IN ACCESS EXCLUSIVE MODE;
REVOKE ALL ON atest1 FROM PUBLIC;
SELECT * FROM atest1;
 a | b 
---+---
(0 rows)

GRANT ALL ON atest1 TO regressuser2;
GRANT SELECT ON atest1 TO regressuser3, regressuser4;
SELECT * FROM atest1;
 a | b 
---+---
(0 rows)

CREATE TABLE atest2 (col1 varchar(10), col2 boolean);
GRANT SELECT ON atest2 TO regressuser2;
GRANT UPDATE ON atest2 TO regressuser3;
GRANT INSERT ON atest2 TO regressuser4;
SET SESSION AUTHORIZATION regressuser2;
SELECT session_user, current_user;
 session_user | current_user 
--------------+--------------
 regressuser2 | regressuser2
(1 row)

-- try various combinations of queries on atest1 and atest2
SELECT * FROM atest1; -- ok
 a | b 
---+---
(0 rows)

SELECT * FROM atest2; -- ok
 col1 | col2 
------+------
(0 rows)

INSERT INTO atest1 VALUES (2, 'two'); -- ok
INSERT INTO atest2 VALUES ('foo', true); -- fail
ERROR:  atest2: Permission denied.
INSERT INTO atest1 SELECT 1, b FROM atest1; -- ok
UPDATE atest1 SET a = 1 WHERE a = 2; -- ok
UPDATE atest2 SET col2 = NOT col2; -- fail
ERROR:  atest2: Permission denied.
SELECT * FROM atest1 FOR UPDATE; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atest2 FOR UPDATE; -- fail
ERROR:  atest2: Permission denied.
DELETE FROM atest2; -- fail
ERROR:  atest2: Permission denied.
LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- fail
ERROR:  LOCK TABLE: permission denied
COPY atest2 FROM stdin; -- fail
ERROR:  atest2: Permission denied.
GRANT ALL ON atest1 TO PUBLIC; -- fail
ERROR:  permission denied
-- checks in subquery, both ok
SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
 a | b 
---+---
(0 rows)

SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) );
 col1 | col2 
------+------
(0 rows)

SET SESSION AUTHORIZATION regressuser3;
SELECT session_user, current_user;
 session_user | current_user 
--------------+--------------
 regressuser3 | regressuser3
(1 row)

SELECT * FROM atest1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atest2; -- fail
ERROR:  atest2: Permission denied.
INSERT INTO atest1 VALUES (2, 'two'); -- fail
ERROR:  atest1: Permission denied.
INSERT INTO atest2 VALUES ('foo', true); -- fail
ERROR:  atest2: Permission denied.
INSERT INTO atest1 SELECT 1, b FROM atest1; -- fail
ERROR:  atest1: Permission denied.
UPDATE atest1 SET a = 1 WHERE a = 2; -- fail
ERROR:  atest1: Permission denied.
UPDATE atest2 SET col2 = NULL; -- ok
UPDATE atest2 SET col2 = NOT col2; -- fails; requires SELECT on atest2
ERROR:  atest2: Permission denied.
UPDATE atest2 SET col2 = true WHERE atest1.a = 5; -- ok
SELECT * FROM atest1 FOR UPDATE; -- fail
ERROR:  atest1: Permission denied.
SELECT * FROM atest2 FOR UPDATE; -- fail
ERROR:  atest2: Permission denied.
DELETE FROM atest2; -- fail
ERROR:  atest2: Permission denied.
LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- ok
COPY atest2 FROM stdin; -- fail
ERROR:  atest2: Permission denied.
-- checks in subquery, both fail
SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
ERROR:  atest2: Permission denied.
SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) );
ERROR:  atest2: Permission denied.
SET SESSION AUTHORIZATION regressuser4;
COPY atest2 FROM stdin; -- ok
SELECT * FROM atest1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

-- groups
SET SESSION AUTHORIZATION regressuser3;
CREATE TABLE atest3 (one int, two int, three int);
GRANT DELETE ON atest3 TO GROUP regressgroup2;
SET SESSION AUTHORIZATION regressuser1;
SELECT * FROM atest3; -- fail
ERROR:  atest3: Permission denied.
DELETE FROM atest3; -- ok
-- views
SET SESSION AUTHORIZATION regressuser3;
CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok
/* The next *should* fail, but it's not implemented that way yet. */
CREATE VIEW atestv2 AS SELECT * FROM atest2;
CREATE VIEW atestv3 AS SELECT * FROM atest3; -- ok
SELECT * FROM atestv1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

GRANT SELECT ON atestv1, atestv3 TO regressuser4;
SET SESSION AUTHORIZATION regressuser4;
SELECT * FROM atestv1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atestv3; -- ok
 one | two | three 
-----+-----+-------
(0 rows)

-- has_table_privilege function
-- bad-input checks
select has_table_privilege(NULL,'pg_shadow','select');
 has_table_privilege 
---------------------
 
(1 row)

select has_table_privilege('pg_shad','select');
ERROR:  has_table_privilege: relation "pg_shad" does not exist
select has_table_privilege('nosuchuser','pg_shadow','select');
ERROR:  user "nosuchuser" does not exist
select has_table_privilege('pg_shadow','sel');
ERROR:  has_table_privilege: invalid privilege type sel
select has_table_privilege(-999999,'pg_shadow','update');
ERROR:  pg_aclcheck: invalid user id 4293967297
select has_table_privilege(1,'rule');
ERROR:  has_table_privilege: invalid relation oid 1
-- superuser
\c regression
select has_table_privilege(current_user,'pg_shadow','select');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,'pg_shadow','insert');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.usesysid,'pg_shadow','update')
from (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.usesysid,'pg_shadow','delete')
from (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,t1.oid,'rule')
from (select oid from pg_class where relname = 'pg_shadow') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,t1.oid,'references')
from (select oid from pg_class where relname = 'pg_shadow') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.usesysid,t1.oid,'select')
from (select oid from pg_class where relname = 'pg_shadow') as t1,
  (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.usesysid,t1.oid,'insert')
from (select oid from pg_class where relname = 'pg_shadow') as t1,
  (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege('pg_shadow','update');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege('pg_shadow','delete');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'select')
from (select oid from pg_class where relname = 'pg_shadow') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'trigger')
from (select oid from pg_class where relname = 'pg_shadow') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

-- non-superuser
SET SESSION AUTHORIZATION regressuser3;
select has_table_privilege(current_user,'pg_class','select');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,'pg_class','insert');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.usesysid,'pg_class','update')
from (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.usesysid,'pg_class','delete')
from (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'rule')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'references')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.usesysid,t1.oid,'select')
from (select oid from pg_class where relname = 'pg_class') as t1,
  (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.usesysid,t1.oid,'insert')
from (select oid from pg_class where relname = 'pg_class') as t1,
  (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('pg_class','update');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('pg_class','delete');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t1.oid,'select')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'trigger')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,'atest1','select');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,'atest1','insert');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.usesysid,'atest1','update')
from (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.usesysid,'atest1','delete')
from (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'rule')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'references')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.usesysid,t1.oid,'select')
from (select oid from pg_class where relname = 'atest1') as t1,
  (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.usesysid,t1.oid,'insert')
from (select oid from pg_class where relname = 'atest1') as t1,
  (select usesysid from pg_user where usename = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('atest1','update');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('atest1','delete');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t1.oid,'select')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'trigger')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

-- clean up
\c regression
DROP TABLE atest1;
DROP TABLE atest2;
DROP TABLE atest3;
DROP VIEW atestv1;
DROP VIEW atestv2;
DROP VIEW atestv3;
DROP GROUP regressgroup1;
DROP GROUP regressgroup2;
DROP USER regressuser1;
DROP USER regressuser2;
DROP USER regressuser3;
DROP USER regressuser4;