Allow LOCK TABLE .. ROW EXCLUSIVE MODE with INSERT
INSERT acquires RowExclusiveLock during normal operation and therefore it makes sense to allow LOCK TABLE .. ROW EXCLUSIVE MODE to be executed by users who have INSERT rights on a table (even if they don't have UPDATE or DELETE). Not back-patching this as it's a behavior change which, strictly speaking, loosens security restrictions. Per discussion with Tom and Robert (circa 2013).
This commit is contained in:
parent
9d15292cfc
commit
fa2642438f
|
@ -161,9 +161,11 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="PARAMETER">name</replaceable> [ * ]
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
<literal>LOCK TABLE ... IN ACCESS SHARE MODE</> requires <literal>SELECT</>
|
<literal>LOCK TABLE ... IN ACCESS SHARE MODE</> requires <literal>SELECT</>
|
||||||
privileges on the target table. All other forms of <command>LOCK</>
|
privileges on the target table. <literal>LOCK TABLE ... IN ROW EXCLUSIVE
|
||||||
require table-level <literal>UPDATE</>, <literal>DELETE</>, or
|
MODE</> requires <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
|
||||||
<literal>TRUNCATE</> privileges.
|
or <literal>TRUNCATE</> privileges on the target table. All other forms of
|
||||||
|
<command>LOCK</> require table-level <literal>UPDATE</>, <literal>DELETE</>,
|
||||||
|
or <literal>TRUNCATE</> privileges.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
|
|
|
@ -169,13 +169,17 @@ static AclResult
|
||||||
LockTableAclCheck(Oid reloid, LOCKMODE lockmode)
|
LockTableAclCheck(Oid reloid, LOCKMODE lockmode)
|
||||||
{
|
{
|
||||||
AclResult aclresult;
|
AclResult aclresult;
|
||||||
|
AclMode aclmask;
|
||||||
|
|
||||||
/* Verify adequate privilege */
|
/* Verify adequate privilege */
|
||||||
if (lockmode == AccessShareLock)
|
if (lockmode == AccessShareLock)
|
||||||
aclresult = pg_class_aclcheck(reloid, GetUserId(),
|
aclmask = ACL_SELECT;
|
||||||
ACL_SELECT);
|
else if (lockmode == RowExclusiveLock)
|
||||||
|
aclmask = ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
|
||||||
else
|
else
|
||||||
aclresult = pg_class_aclcheck(reloid, GetUserId(),
|
aclmask = ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
|
||||||
ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE);
|
|
||||||
|
aclresult = pg_class_aclcheck(reloid, GetUserId(), aclmask);
|
||||||
|
|
||||||
return aclresult;
|
return aclresult;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue