/* Hook to check passwords in CreateRole() and AlterRole() */
check_password_hook_type check_password_hook = NULL;
-static void AddRoleMems(const char *rolename, Oid roleid,
+static void AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
List *memberSpecs, List *memberIds,
Oid grantorId, GrantRoleOptions *popt);
-static void DelRoleMems(const char *rolename, Oid roleid,
+static void DelRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
List *memberSpecs, List *memberIds,
Oid grantorId, GrantRoleOptions *popt,
DropBehavior behavior);
HeapTuple tuple;
Datum new_record[Natts_pg_authid] = {0};
bool new_record_nulls[Natts_pg_authid] = {0};
+ Oid currentUserId = GetUserId();
Oid roleid;
ListCell *item;
ListCell *option;
char *oldrolename = NameStr(oldroleform->rolname);
/* can only add this role to roles for which you have rights */
- check_role_membership_authorization(GetUserId(), oldroleid, true);
- AddRoleMems(oldrolename, oldroleid,
+ check_role_membership_authorization(currentUserId, oldroleid, true);
+ AddRoleMems(currentUserId, oldrolename, oldroleid,
thisrole_list,
thisrole_oidlist,
InvalidOid, &popt);
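Review bot: The `currentUserId` value captured at the top of CreateRole now feeds both `check_role_membership_authorization` and the `AddRoleMems` call, replacing the per-call `GetUserId()` reads, but nothing says the single capture is intentional. Capturing once means the authorization check and the membership change are guaranteed to act on the same identity, which is the property a reviewer wants here; if anything between the declaration and these calls (option processing and catalog updates, outside this hunk) could alter the effective user, the old code would have re-read it while the new code does not. A comment on the declaration should state the intent, e.g. `/* Resolve the acting role once so every permission check and membership change below uses the same identity. */`. The same applies to the new snapshots in AlterRole and GrantRole.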
* NB: No permissions check is required here. If you have enough rights
* to create a role, you can add any members you like.
*/
- AddRoleMems(stmt->role, roleid,
+ AddRoleMems(currentUserId, stmt->role, roleid,
rolemembers, roleSpecsToIds(rolemembers),
InvalidOid, &popt);
popt.specified |= GRANT_ROLE_SPECIFIED_ADMIN;
popt.admin = true;
- AddRoleMems(stmt->role, roleid,
+ AddRoleMems(currentUserId, stmt->role, roleid,
adminmembers, roleSpecsToIds(adminmembers),
InvalidOid, &popt);
DefElem *dvalidUntil = NULL;
DefElem *dbypassRLS = NULL;
Oid roleid;
+ Oid currentUserId = GetUserId();
GrantRoleOptions popt;
check_rolespec_name(stmt->role,
errmsg("permission denied")));
/* without CREATEROLE, can only change your own password */
- if (dpassword && roleid != GetUserId())
+ if (dpassword && roleid != currentUserId)
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must have CREATEROLE privilege to change another user's password")));
/* without CREATEROLE, can only add members to roles you admin */
- if (drolemembers && !is_admin_of_role(GetUserId(), roleid))
+ if (drolemembers && !is_admin_of_role(currentUserId, roleid))
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must have admin option on role \"%s\" to add members",
CommandCounterIncrement();
if (stmt->action == +1) /* add members to role */
- AddRoleMems(rolename, roleid,
+ AddRoleMems(currentUserId, rolename, roleid,
rolemembers, roleSpecsToIds(rolemembers),
InvalidOid, &popt);
else if (stmt->action == -1) /* drop members from role */
- DelRoleMems(rolename, roleid,
+ DelRoleMems(currentUserId, rolename, roleid,
rolemembers, roleSpecsToIds(rolemembers),
InvalidOid, &popt, DROP_RESTRICT);
}
List *grantee_ids;
ListCell *item;
GrantRoleOptions popt;
+ Oid currentUserId = GetUserId();
/* Parse options list. */
InitGrantRoleOptions(&popt);
errmsg("column names cannot be included in GRANT/REVOKE ROLE")));
roleid = get_role_oid(rolename, false);
- check_role_membership_authorization(GetUserId(), roleid,
- stmt->is_grant);
+ check_role_membership_authorization(currentUserId,
+ roleid, stmt->is_grant);
if (stmt->is_grant)
- AddRoleMems(rolename, roleid,
+ AddRoleMems(currentUserId, rolename, roleid,
stmt->grantee_roles, grantee_ids,
grantor, &popt);
else
- DelRoleMems(rolename, roleid,
+ DelRoleMems(currentUserId, rolename, roleid,
stmt->grantee_roles, grantee_ids,
grantor, &popt, stmt->behavior);
}
/*
* AddRoleMems -- Add given members to the specified role
*
+ * currentUserId: OID of role performing the operation
* rolename: name of role to add to (used only for error messages)
* roleid: OID of role to add to
* memberSpecs: list of RoleSpec of roles to add (used only for error messages)
* memberIds: OIDs of roles to add
- * grantorId: who is granting the membership (InvalidOid if not set explicitly)
+ * grantorId: OID that should be recorded as having granted the membership
+ * (InvalidOid if not set explicitly)
* popt: information about grant options
*/
static void
-AddRoleMems(const char *rolename, Oid roleid,
+AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
List *memberSpecs, List *memberIds,
Oid grantorId, GrantRoleOptions *popt)
{
TupleDesc pg_authmem_dsc;
ListCell *specitem;
ListCell *iditem;
- Oid currentUserId = GetUserId();
Assert(list_length(memberSpecs) == list_length(memberIds));
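Review bot: `currentUserId` is now supplied by the caller instead of being read from `GetUserId()` inside AddRoleMems, so whatever the body does with it (outside this hunk) relies on the caller having passed a valid role OID; the only Assert in view checks the list lengths. Adding `Assert(OidIsValid(currentUserId));` beside it would catch a caller passing `InvalidOid` through the new leading parameter, which is an easy slip given that `grantorId` legitimately accepts `InvalidOid` per the header comment. The same applies to DelRoleMems below. AddRoleMems's body continues past the end of the hunk.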
* behavior: RESTRICT or CASCADE behavior for recursive removal
*/
static void
-DelRoleMems(const char *rolename, Oid roleid,
+DelRoleMems(Oid currentUserId, const char *rolename, Oid roleid,
List *memberSpecs, List *memberIds,
Oid grantorId, GrantRoleOptions *popt, DropBehavior behavior)
{
TupleDesc pg_authmem_dsc;
ListCell *specitem;
ListCell *iditem;
- Oid currentUserId = GetUserId();
CatCList *memlist;
RevokeRoleGrantAction *actions;
int i;
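Review bot: DelRoleMems gains the `currentUserId` parameter but, as far as the visible hunk shows, its header comment is not updated: the leading context starts at the `behavior:` entry and no `currentUserId:` line is added, so the documented parameter list no longer matches the signature, unlike the AddRoleMems comment which does gain one. Add `* currentUserId: OID of role performing the operation` at the top of the parameter list to mirror AddRoleMems. DelRoleMems's body continues past the end of the hunk.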