*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/catalog/aclchk.c,v 1.88 2003/09/04 15:53:04 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/catalog/aclchk.c,v 1.89 2003/10/05 21:49:12 petere Exp $
*
* NOTES
* See acl.h.
static Acl *
merge_acl_with_grant(Acl *old_acl, bool is_grant,
List *grantees, AclMode privileges,
- bool grant_option, DropBehavior behavior)
+ bool grant_option, DropBehavior behavior,
+ AclId owner_uid)
{
unsigned modechg;
List *j;
AclItem aclitem;
uint32 idtype;
Acl *newer_acl;
+ bool grantee_is_owner = false;
if (grantee->username)
{
aclitem.ai_grantee = get_usesysid(grantee->username);
idtype = ACL_IDTYPE_UID;
+
+ grantee_is_owner = (aclitem.ai_grantee == owner_uid && owner_uid != InvalidOid);
}
else if (grantee->groupname)
{
(errcode(ERRCODE_INVALID_GRANT_OPERATION),
errmsg("grant options can only be granted to individual users")));
+ if (!is_grant && grant_option && grantee_is_owner)
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_GRANT_OPERATION),
+ errmsg("cannot revoke grant options from owner")));
+
aclitem.ai_grantor = GetUserId();
ACLITEM_SET_PRIVS_IDTYPE(aclitem,
- (is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
- (grant_option || !is_grant) ? privileges : ACL_NO_RIGHTS,
+ (is_grant || !grant_option) ? privileges : ACL_NO_RIGHTS,
+ (grant_option || (!is_grant && !grantee_is_owner)) ? privileges : ACL_NO_RIGHTS,
idtype);
newer_acl = aclinsert3(new_acl, &aclitem, modechg, behavior);
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
stmt->grantees, privileges,
- stmt->grant_option, stmt->behavior);
+ stmt->grant_option, stmt->behavior,
+ pg_class_tuple->relowner);
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
stmt->grantees, privileges,
- stmt->grant_option, stmt->behavior);
+ stmt->grant_option, stmt->behavior,
+ pg_database_tuple->datdba);
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
stmt->grantees, privileges,
- stmt->grant_option, stmt->behavior);
+ stmt->grant_option, stmt->behavior,
+ pg_proc_tuple->proowner);
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
stmt->grantees, privileges,
- stmt->grant_option, stmt->behavior);
+ stmt->grant_option, stmt->behavior,
+ InvalidOid);
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
new_acl = merge_acl_with_grant(old_acl, stmt->is_grant,
stmt->grantees, privileges,
- stmt->grant_option, stmt->behavior);
+ stmt->grant_option, stmt->behavior,
+ pg_namespace_tuple->nspowner);
/* finished building new ACL value, now insert it */
MemSet(values, 0, sizeof(values));
projects / postgresql / commitdiff