Use has_privs_for_roles for predefined role checks

Generally if a role is granted membership to another role with NOINHERIT
they must use SET ROLE to access the privileges of that role, however
with predefined roles the membership and privilege is conflated. Fix that
by replacing is_member_of_role with has_privs_for_role for predefined
roles. Patch does not remove is_member_of_role from acl.h, but it does
add a warning not to use that function for privilege checking. Not
backpatched based on hackers list discussion.

Author: Joshua Brindle
Reviewed-by: Stephen Frost, Nathan Bossart, Joe Conway
Discussion: https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com

9 files changed, 22 insertions, 22 deletions

diff --git a/doc/src/sgml/adminpack.sgml b/doc/src/sgml/adminpack.sgml
index 0dd89be3534..5702456cd25 100644
--- a/doc/src/sgml/adminpack.sgml
+++ b/doc/src/sgml/adminpack.sgml
@@ -22,9 +22,9 @@
   functions in <xref linkend="functions-admin-genfile-table"/>, which
   provide read-only access.)
   Only files within the database cluster directory can be accessed, unless the
-  user is a superuser or given one of the pg_read_server_files, or pg_write_server_files
-  roles, as appropriate for the function, but either a relative or absolute path is
-  allowable.
+  user is a superuser or given privileges of one of the pg_read_server_files, 
+  or pg_write_server_files roles, as appropriate for the function, but either a
+  relative or absolute path is allowable.
  </para>
 
  <table id="functions-adminpack-table">
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 94f01e40996..23e06b81a4f 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -10044,8 +10044,8 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
 
   <para>
    By default, the <structname>pg_backend_memory_contexts</structname> view can be
-   read only by superusers or members of the <literal>pg_read_all_stats</literal>
-   role.
+   read only by superusers or roles with the privileges of the
+   <literal>pg_read_all_stats</literal> role.
   </para>
  </sect1>
 
@@ -12552,7 +12552,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
       <para>
        Configuration file the current value was set in (null for
        values set from sources other than configuration files, or when
-       examined by a user who is neither a superuser or a member of
+       examined by a user who neither is a superuser nor has privileges of
        <literal>pg_read_all_settings</literal>); helpful when using
        <literal>include</literal> directives in configuration files
       </para></entry>
@@ -12565,7 +12565,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
       <para>
        Line number within the configuration file the current value was
        set at (null for values set from sources other than configuration files,
-       or when examined by a user who is neither a superuser or a member of
+       or when examined by a user who neither is a superuser nor has privileges of
        <literal>pg_read_all_settings</literal>).
       </para></entry>
      </row>
@@ -12941,8 +12941,8 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
 
   <para>
    By default, the <structname>pg_shmem_allocations</structname> view can be
-   read only by superusers or members of the <literal>pg_read_all_stats</literal>
-   role.
+   read only by superusers or roles with privileges of the
+   <literal>pg_read_all_stats</literal> role.
   </para>
  </sect1>
 
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 8a802fb2253..3a9d62b4084 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -25435,7 +25435,7 @@ SELECT collation for ('foo' COLLATE "de_DE");
         Cancels the current query of the session whose backend process has the
         specified process ID.  This is also allowed if the
         calling role is a member of the role whose backend is being canceled or
-        the calling role has been granted <literal>pg_signal_backend</literal>,
+        the calling role has privileges of <literal>pg_signal_backend</literal>,
         however only superusers can cancel superuser backends.
        </para></entry>
       </row>
@@ -25508,7 +25508,7 @@ SELECT collation for ('foo' COLLATE "de_DE");
         Terminates the session whose backend process has the
         specified process ID.  This is also allowed if the calling role
         is a member of the role whose backend is being terminated or the
-        calling role has been granted <literal>pg_signal_backend</literal>,
+        calling role has privileges of <literal>pg_signal_backend</literal>,
         however only superusers can terminate superuser backends.
        </para>
        <para>
@@ -26783,7 +26783,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
         Computes the total disk space used by the database with the specified
         name or OID.  To use this function, you must
         have <literal>CONNECT</literal> privilege on the specified database
-        (which is granted by default) or be a member of
+        (which is granted by default) or have privileges of
         the <literal>pg_read_all_stats</literal> role.
        </para></entry>
       </row>
@@ -26913,7 +26913,7 @@ postgres=# SELECT * FROM pg_walfile_name_offset(pg_stop_backup());
         Computes the total disk space used in the tablespace with the
         specified name or OID. To use this function, you must
         have <literal>CREATE</literal> privilege on the specified tablespace
-        or be a member of the <literal>pg_read_all_stats</literal> role,
+        or have privileges of the <literal>pg_read_all_stats</literal> role,
         unless it is the default tablespace for the current database.
        </para></entry>
       </row>
@@ -27392,7 +27392,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size
         a dot, directories, and other special files are excluded.
        </para>
        <para>
-        This function is restricted to superusers and members of
+        This function is restricted to superusers and roles with privileges of
         the <literal>pg_monitor</literal> role by default, but other users can
         be granted EXECUTE to run the function.
        </para></entry>
@@ -27416,7 +27416,7 @@ SELECT pg_size_pretty(sum(pg_relation_size(relid))) AS total_size
         are excluded.
        </para>
        <para>
-        This function is restricted to superusers and members of
+        This function is restricted to superusers and roles with privileges of 
         the <literal>pg_monitor</literal> role by default, but other users can
         be granted EXECUTE to run the function.
        </para></entry>
diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml
index 35b2923c5e8..6a6b09dc456 100644
--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -280,7 +280,7 @@ postgres   27093  0.0  0.0  30096  2752 ?        Ss   11:34   0:00 postgres: ser
    (sessions belonging to a role that they are a member of).  In rows about
    other sessions, many columns will be null.  Note, however, that the
    existence of a session and its general properties such as its sessions user
-   and database are visible to all users.  Superusers and members of the
+   and database are visible to all users.  Superusers and roles with privileges of
    built-in role <literal>pg_read_all_stats</literal> (see also <xref
    linkend="predefined-roles"/>) can see all the information about all sessions.
   </para>
diff --git a/doc/src/sgml/pgbuffercache.sgml b/doc/src/sgml/pgbuffercache.sgml
index e68d159d30f..a06fd3e26de 100644
--- a/doc/src/sgml/pgbuffercache.sgml
+++ b/doc/src/sgml/pgbuffercache.sgml
@@ -24,7 +24,7 @@
  </para>
 
  <para>
-  By default, use is restricted to superusers and members of the
+  By default, use is restricted to superusers and roles with privileges of the
   <literal>pg_monitor</literal> role. Access may be granted to others
   using <command>GRANT</command>.
  </para>
diff --git a/doc/src/sgml/pgfreespacemap.sgml b/doc/src/sgml/pgfreespacemap.sgml
index 1f7867d9b9f..3063885c2cb 100644
--- a/doc/src/sgml/pgfreespacemap.sgml
+++ b/doc/src/sgml/pgfreespacemap.sgml
@@ -16,7 +16,7 @@
  </para>
 
  <para>
-  By default use is restricted to superusers and members of the
+  By default use is restricted to superusers and roles with privileges of the
   <literal>pg_stat_scan_tables</literal> role. Access may be granted to others
   using <command>GRANT</command>.
  </para>
diff --git a/doc/src/sgml/pgrowlocks.sgml b/doc/src/sgml/pgrowlocks.sgml
index 392d5f1f9a7..2914bf6e6d6 100644
--- a/doc/src/sgml/pgrowlocks.sgml
+++ b/doc/src/sgml/pgrowlocks.sgml
@@ -13,7 +13,7 @@
  </para>
 
  <para>
-  By default use is restricted to superusers, members of the
+  By default use is restricted to superusers, roles with privileges of the
   <literal>pg_stat_scan_tables</literal> role, and users with
   <literal>SELECT</literal> permissions on the table.
  </para>
diff --git a/doc/src/sgml/pgstatstatements.sgml b/doc/src/sgml/pgstatstatements.sgml
index bc9d5bdbe3b..3a7e36bd13c 100644
--- a/doc/src/sgml/pgstatstatements.sgml
+++ b/doc/src/sgml/pgstatstatements.sgml
@@ -384,7 +384,7 @@
   </table>
 
   <para>
-   For security reasons, only superusers and members of the
+   For security reasons, only superusers and roles with privileges of the
    <literal>pg_read_all_stats</literal> role are allowed to see the SQL text and
    <structfield>queryid</structfield> of queries executed by other users.
    Other users can see the statistics, however, if the view has been installed
diff --git a/doc/src/sgml/pgvisibility.sgml b/doc/src/sgml/pgvisibility.sgml
index 75336946a61..8090aa5207e 100644
--- a/doc/src/sgml/pgvisibility.sgml
+++ b/doc/src/sgml/pgvisibility.sgml
@@ -140,8 +140,8 @@
   </variablelist>
 
   <para>
-   By default, these functions are executable only by superusers and members of the
-   <literal>pg_stat_scan_tables</literal> role, with the exception of
+   By default, these functions are executable only by superusers and roles with privileges
+   of the <literal>pg_stat_scan_tables</literal> role, with the exception of
    <function>pg_truncate_visibility_map(relation regclass)</function> which can only
    be executed by superusers.
   </para>