From ef7422510e93266e5aa9bb926d6747d5f2ae21f4 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Thu, 23 Jan 2003 23:39:07 +0000
Subject: Grant options, and cascading revoke.  Grant options are allowed only
 for users right now, not groups.  Extension of has_foo_privileges functions
 to query the grant options.  Extension of aclitem type to store grantor.

---
 src/test/regress/expected/privileges.out | 45 ++++++++++++++++++++++++++++++--
 src/test/regress/sql/privileges.sql      | 28 ++++++++++++++++++++
 2 files changed, 71 insertions(+), 2 deletions(-)

(limited to 'src/test')

diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index c962879e40b..c9fd902a7aa 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -90,7 +90,7 @@ ERROR:  atest2: permission denied
 COPY atest2 FROM stdin; -- fail
 ERROR:  atest2: permission denied
 GRANT ALL ON atest1 TO PUBLIC; -- fail
-ERROR:  atest1: must be owner
+ERROR:  atest1: permission denied
 -- checks in subquery, both ok
 SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
  a | b 
@@ -227,7 +227,7 @@ GRANT USAGE ON LANGUAGE c TO PUBLIC; -- fail
 ERROR:  language "c" is not trusted
 SET SESSION AUTHORIZATION regressuser1;
 GRANT USAGE ON LANGUAGE sql TO regressuser2; -- fail
-ERROR:  permission denied
+ERROR:  sql: permission denied
 CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql;
 CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * $1;' LANGUAGE sql;
 REVOKE ALL ON FUNCTION testfunc1(int), testfunc2(int) FROM PUBLIC;
@@ -544,6 +544,46 @@ from (select oid from pg_class where relname = 'atest1') as t1;
  f
 (1 row)
 
+-- Grant options
+SET SESSION AUTHORIZATION regressuser1;
+CREATE TABLE atest4 (a int);
+GRANT SELECT ON atest4 TO regressuser2 WITH GRANT OPTION;
+GRANT UPDATE ON atest4 TO regressuser2;
+GRANT SELECT ON atest4 TO GROUP regressgroup1 WITH GRANT OPTION; -- fail
+ERROR:  grant options can only be granted to individual users
+SET SESSION AUTHORIZATION regressuser2;
+GRANT SELECT ON atest4 TO regressuser3;
+GRANT UPDATE ON atest4 TO regressuser3; -- fail
+ERROR:  atest4: permission denied
+SET SESSION AUTHORIZATION regressuser1;
+REVOKE SELECT ON atest4 FROM regressuser3; -- does nothing
+SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- true
+ has_table_privilege 
+---------------------
+ t
+(1 row)
+
+REVOKE SELECT ON atest4 FROM regressuser2; -- fail
+ERROR:  dependent privileges exist (use CASCADE to revoke them too)
+REVOKE GRANT OPTION FOR SELECT ON atest4 FROM regressuser2 CASCADE; -- ok
+SELECT has_table_privilege('regressuser2', 'atest4', 'SELECT'); -- true
+ has_table_privilege 
+---------------------
+ t
+(1 row)
+
+SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- false
+ has_table_privilege 
+---------------------
+ f
+(1 row)
+
+SELECT has_table_privilege('regressuser1', 'atest4', 'SELECT WITH GRANT OPTION'); -- true
+ has_table_privilege 
+---------------------
+ t
+(1 row)
+
 -- clean up
 \c regression
 SET autocommit TO 'on';
@@ -561,6 +601,7 @@ ERROR:  view "atestv4" does not exist
 DROP TABLE atest1;
 DROP TABLE atest2;
 DROP TABLE atest3;
+DROP TABLE atest4;
 DROP GROUP regressgroup1;
 DROP GROUP regressgroup2;
 DROP USER regressuser1;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index 1d1bde3bddc..d7076d2575c 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -293,6 +293,33 @@ select has_table_privilege(t1.oid,'trigger')
 from (select oid from pg_class where relname = 'atest1') as t1;
 
 
+-- Grant options
+
+SET SESSION AUTHORIZATION regressuser1;
+
+CREATE TABLE atest4 (a int);
+
+GRANT SELECT ON atest4 TO regressuser2 WITH GRANT OPTION;
+GRANT UPDATE ON atest4 TO regressuser2;
+GRANT SELECT ON atest4 TO GROUP regressgroup1 WITH GRANT OPTION; -- fail
+
+SET SESSION AUTHORIZATION regressuser2;
+
+GRANT SELECT ON atest4 TO regressuser3;
+GRANT UPDATE ON atest4 TO regressuser3; -- fail
+
+SET SESSION AUTHORIZATION regressuser1;
+
+REVOKE SELECT ON atest4 FROM regressuser3; -- does nothing
+SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- true
+REVOKE SELECT ON atest4 FROM regressuser2; -- fail
+REVOKE GRANT OPTION FOR SELECT ON atest4 FROM regressuser2 CASCADE; -- ok
+SELECT has_table_privilege('regressuser2', 'atest4', 'SELECT'); -- true
+SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- false
+
+SELECT has_table_privilege('regressuser1', 'atest4', 'SELECT WITH GRANT OPTION'); -- true
+
+
 -- clean up
 
 \c regression
@@ -311,6 +338,7 @@ DROP VIEW atestv4;
 DROP TABLE atest1;
 DROP TABLE atest2;
 DROP TABLE atest3;
+DROP TABLE atest4;
 
 DROP GROUP regressgroup1;
 DROP GROUP regressgroup2;
-- 
cgit v1.2.3