From 2765212be270601b88ad555c3f23973f76ae92e8 Mon Sep 17 00:00:00 2001
From: reshke <reshke@double.cloud>
Date: Wed, 29 Oct 2025 11:29:59 +0000
Subject: [PATCH v1] Disallow alter schema to catalog schema without proper GUC
 set

---
 src/backend/catalog/namespace.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
index d23474da4fb..03992230e3a 100644
--- a/src/backend/catalog/namespace.c
+++ b/src/backend/catalog/namespace.c
@@ -3534,6 +3534,17 @@ CheckSetNamespace(Oid oldNspOid, Oid nspOid)
 				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 				 errmsg("cannot move objects into or out of temporary schemas")));
 
+
+	if (!allowSystemTableMods &&
+		((IsCatalogNamespace(nspOid)) ||
+		 IsToastNamespace(nspOid)) &&
+		IsNormalProcessingMode())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("permission denied to alter schema to \"%s\"",
+						get_namespace_name(nspOid)),
+				 errdetail("System catalog modifications are currently disallowed.")));
+
 	/* same for TOAST schema */
 	if (nspOid == PG_TOAST_NAMESPACE || oldNspOid == PG_TOAST_NAMESPACE)
 		ereport(ERROR,
-- 
2.43.0