From fcecd1586769f7363504e7e47541516a841b2951 Mon Sep 17 00:00:00 2001 From: Peter Geoghegan Date: Tue, 26 Aug 2014 21:28:40 -0700 Subject: [PATCH 1/8] Make UPDATE privileges distinct from INSERT privileges in RTEs Previously, relation range table entries used a single Bitmapset field representing which columns required either UPDATE or INSERT privileges, despite the fact that INSERT and UPDATE privileges are separately cataloged, and may be independently held. This worked because ExecCheckRTEPerms() was called with a ACL_INSERT or ACL_UPDATE requiredPerms, and based on that it was evident which type of optimizable statement was under consideration. Since historically no type of optimizable statement could directly INSERT and UPDATE at the same time, there was no ambiguity as to which privileges were required. This largely mechanical commit is required infrastructure for the INSERT...ON CONFLICT UPDATE feature, which introduces an optimizable statement that may be subject to both INSERT and UPDATE permissions enforcement. Tests follow in a later commit. sepgsql is also affected by this commit. Note that this commit necessitates an initdb, since stored ACLs are broken. --- contrib/sepgsql/dml.c | 31 ++++++++++------- src/backend/commands/copy.c | 2 +- src/backend/commands/createas.c | 2 +- src/backend/commands/trigger.c | 22 ++++++------- src/backend/executor/execMain.c | 55 +++++++++++++++++++++++++------ src/backend/nodes/copyfuncs.c | 3 +- src/backend/nodes/equalfuncs.c | 3 +- src/backend/nodes/outfuncs.c | 3 +- src/backend/nodes/readfuncs.c | 3 +- src/backend/optimizer/plan/setrefs.c | 6 ++-- src/backend/optimizer/prep/prepsecurity.c | 6 ++-- src/backend/optimizer/prep/prepunion.c | 8 +++-- src/backend/parser/analyze.c | 4 +-- src/backend/parser/parse_relation.c | 21 ++++++++---- src/backend/rewrite/rewriteHandler.c | 52 ++++++++++++++++------------- src/include/nodes/parsenodes.h | 14 ++++---- 16 files changed, 152 insertions(+), 83 deletions(-) diff --git a/contrib/sepgsql/dml.c b/contrib/sepgsql/dml.c index 36c6a37..4a71753 100644 --- a/contrib/sepgsql/dml.c +++ b/contrib/sepgsql/dml.c @@ -145,7 +145,8 @@ fixup_inherited_columns(Oid parentId, Oid childId, Bitmapset *columns) static bool check_relation_privileges(Oid relOid, Bitmapset *selected, - Bitmapset *modified, + Bitmapset *inserted, + Bitmapset *updated, uint32 required, bool abort_on_violation) { @@ -231,8 +232,9 @@ check_relation_privileges(Oid relOid, * Check permissions on the columns */ selected = fixup_whole_row_references(relOid, selected); - modified = fixup_whole_row_references(relOid, modified); - columns = bms_union(selected, modified); + inserted = fixup_whole_row_references(relOid, inserted); + updated = fixup_whole_row_references(relOid, updated); + columns = bms_union(selected, bms_union(inserted, updated)); while ((index = bms_first_member(columns)) >= 0) { @@ -241,13 +243,16 @@ check_relation_privileges(Oid relOid, if (bms_is_member(index, selected)) column_perms |= SEPG_DB_COLUMN__SELECT; - if (bms_is_member(index, modified)) + if (bms_is_member(index, inserted)) { - if (required & SEPG_DB_TABLE__UPDATE) - column_perms |= SEPG_DB_COLUMN__UPDATE; if (required & SEPG_DB_TABLE__INSERT) column_perms |= SEPG_DB_COLUMN__INSERT; } + if (bms_is_member(index, updated)) + { + if (required & SEPG_DB_TABLE__UPDATE) + column_perms |= SEPG_DB_COLUMN__UPDATE; + } if (column_perms == 0) continue; @@ -304,7 +309,7 @@ sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation) required |= SEPG_DB_TABLE__INSERT; if (rte->requiredPerms & ACL_UPDATE) { - if (!bms_is_empty(rte->modifiedCols)) + if (!bms_is_empty(rte->updatedCols)) required |= SEPG_DB_TABLE__UPDATE; else required |= SEPG_DB_TABLE__LOCK; @@ -333,7 +338,8 @@ sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation) { Oid tableOid = lfirst_oid(li); Bitmapset *selectedCols; - Bitmapset *modifiedCols; + Bitmapset *insertedCols; + Bitmapset *updatedCols; /* * child table has different attribute numbers, so we need to fix @@ -341,15 +347,18 @@ sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation) */ selectedCols = fixup_inherited_columns(rte->relid, tableOid, rte->selectedCols); - modifiedCols = fixup_inherited_columns(rte->relid, tableOid, - rte->modifiedCols); + insertedCols = fixup_inherited_columns(rte->relid, tableOid, + rte->insertedCols); + updatedCols = fixup_inherited_columns(rte->relid, tableOid, + rte->updatedCols); /* * check permissions on individual tables */ if (!check_relation_privileges(tableOid, selectedCols, - modifiedCols, + insertedCols, + updatedCols, required, abort_on_violation)) return false; } diff --git a/src/backend/commands/copy.c b/src/backend/commands/copy.c index 0e604b7..cf95aa8 100644 --- a/src/backend/commands/copy.c +++ b/src/backend/commands/copy.c @@ -837,7 +837,7 @@ DoCopy(const CopyStmt *stmt, const char *queryString, uint64 *processed) FirstLowInvalidHeapAttributeNumber; if (is_from) - rte->modifiedCols = bms_add_member(rte->modifiedCols, attno); + rte->insertedCols = bms_add_member(rte->insertedCols, attno); else rte->selectedCols = bms_add_member(rte->selectedCols, attno); } diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c index abc0fe8..fc368c0 100644 --- a/src/backend/commands/createas.c +++ b/src/backend/commands/createas.c @@ -433,7 +433,7 @@ intorel_startup(DestReceiver *self, int operation, TupleDesc typeinfo) rte->requiredPerms = ACL_INSERT; for (attnum = 1; attnum <= intoRelationDesc->rd_att->natts; attnum++) - rte->modifiedCols = bms_add_member(rte->modifiedCols, + rte->insertedCols = bms_add_member(rte->insertedCols, attnum - FirstLowInvalidHeapAttributeNumber); ExecCheckRTPerms(list_make1(rte), true); diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index 4899a27..3f5918f 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -65,8 +65,8 @@ int SessionReplicationRole = SESSION_REPLICATION_ROLE_ORIGIN; /* How many levels deep into trigger execution are we? */ static int MyTriggerDepth = 0; -#define GetModifiedColumns(relinfo, estate) \ - (rt_fetch((relinfo)->ri_RangeTableIndex, (estate)->es_range_table)->modifiedCols) +#define GetUpdatedColumns(relinfo, estate) \ + (rt_fetch((relinfo)->ri_RangeTableIndex, (estate)->es_range_table)->updatedCols) /* Local function prototypes */ static void ConvertTriggerToFK(CreateTrigStmt *stmt, Oid funcoid); @@ -2337,7 +2337,7 @@ ExecBSUpdateTriggers(EState *estate, ResultRelInfo *relinfo) TriggerDesc *trigdesc; int i; TriggerData LocTriggerData; - Bitmapset *modifiedCols; + Bitmapset *updatedCols; trigdesc = relinfo->ri_TrigDesc; @@ -2346,7 +2346,7 @@ ExecBSUpdateTriggers(EState *estate, ResultRelInfo *relinfo) if (!trigdesc->trig_update_before_statement) return; - modifiedCols = GetModifiedColumns(relinfo, estate); + updatedCols = GetUpdatedColumns(relinfo, estate); LocTriggerData.type = T_TriggerData; LocTriggerData.tg_event = TRIGGER_EVENT_UPDATE | @@ -2367,7 +2367,7 @@ ExecBSUpdateTriggers(EState *estate, ResultRelInfo *relinfo) TRIGGER_TYPE_UPDATE)) continue; if (!TriggerEnabled(estate, relinfo, trigger, LocTriggerData.tg_event, - modifiedCols, NULL, NULL)) + updatedCols, NULL, NULL)) continue; LocTriggerData.tg_trigger = trigger; @@ -2392,7 +2392,7 @@ ExecASUpdateTriggers(EState *estate, ResultRelInfo *relinfo) if (trigdesc && trigdesc->trig_update_after_statement) AfterTriggerSaveEvent(estate, relinfo, TRIGGER_EVENT_UPDATE, false, NULL, NULL, NIL, - GetModifiedColumns(relinfo, estate)); + GetUpdatedColumns(relinfo, estate)); } TupleTableSlot * @@ -2410,7 +2410,7 @@ ExecBRUpdateTriggers(EState *estate, EPQState *epqstate, HeapTuple oldtuple; TupleTableSlot *newSlot; int i; - Bitmapset *modifiedCols; + Bitmapset *updatedCols; Bitmapset *keyCols; LockTupleMode lockmode; @@ -2419,10 +2419,10 @@ ExecBRUpdateTriggers(EState *estate, EPQState *epqstate, * been modified, then we can use a weaker lock, allowing for better * concurrency. */ - modifiedCols = GetModifiedColumns(relinfo, estate); + updatedCols = GetUpdatedColumns(relinfo, estate); keyCols = RelationGetIndexAttrBitmap(relinfo->ri_RelationDesc, INDEX_ATTR_BITMAP_KEY); - if (bms_overlap(keyCols, modifiedCols)) + if (bms_overlap(keyCols, updatedCols)) lockmode = LockTupleExclusive; else lockmode = LockTupleNoKeyExclusive; @@ -2476,7 +2476,7 @@ ExecBRUpdateTriggers(EState *estate, EPQState *epqstate, TRIGGER_TYPE_UPDATE)) continue; if (!TriggerEnabled(estate, relinfo, trigger, LocTriggerData.tg_event, - modifiedCols, trigtuple, newtuple)) + updatedCols, trigtuple, newtuple)) continue; LocTriggerData.tg_trigtuple = trigtuple; @@ -2546,7 +2546,7 @@ ExecARUpdateTriggers(EState *estate, ResultRelInfo *relinfo, AfterTriggerSaveEvent(estate, relinfo, TRIGGER_EVENT_UPDATE, true, trigtuple, newtuple, recheckIndexes, - GetModifiedColumns(relinfo, estate)); + GetUpdatedColumns(relinfo, estate)); if (trigtuple != fdw_trigtuple) heap_freetuple(trigtuple); } diff --git a/src/backend/executor/execMain.c b/src/backend/executor/execMain.c index 5b70cc9..f6a379f 100644 --- a/src/backend/executor/execMain.c +++ b/src/backend/executor/execMain.c @@ -636,27 +636,27 @@ ExecCheckRTEPerms(RangeTblEntry *rte) } /* - * Basically the same for the mod columns, with either INSERT or - * UPDATE privilege as specified by remainingPerms. + * Basically the same for the mod columns, for both INSERT and UPDATE + * privilege as specified by remainingPerms (INSERT...ON CONFLICT + * UPDATE may set both). */ - remainingPerms &= ~ACL_SELECT; - if (remainingPerms != 0) + if (remainingPerms & ACL_INSERT) { /* - * When the query doesn't explicitly change any columns, allow the + * When the query doesn't explicitly insert any columns, allow the * query if we have permission on any column of the rel. This is * to handle SELECT FOR UPDATE as well as possible corner cases in - * INSERT and UPDATE. + * UPDATE. */ - if (bms_is_empty(rte->modifiedCols)) + if (bms_is_empty(rte->insertedCols)) { - if (pg_attribute_aclcheck_all(relOid, userid, remainingPerms, + if (pg_attribute_aclcheck_all(relOid, userid, ACL_INSERT, ACLMASK_ANY) != ACLCHECK_OK) return false; } col = -1; - while ((col = bms_next_member(rte->modifiedCols, col)) >= 0) + while ((col = bms_next_member(rte->insertedCols, col)) >= 0) { /* bit #s are offset by FirstLowInvalidHeapAttributeNumber */ AttrNumber attno = col + FirstLowInvalidHeapAttributeNumber; @@ -669,7 +669,42 @@ ExecCheckRTEPerms(RangeTblEntry *rte) else { if (pg_attribute_aclcheck(relOid, attno, userid, - remainingPerms) != ACLCHECK_OK) + ACL_INSERT) != ACLCHECK_OK) + return false; + } + } + } + + if (remainingPerms & ACL_UPDATE) + { + /* + * When the query doesn't explicitly update any columns, allow the + * query if we have permission on any column of the rel. This is + * to handle SELECT FOR UPDATE as well as possible corner cases in + * UPDATE. + */ + if (bms_is_empty(rte->updatedCols)) + { + if (pg_attribute_aclcheck_all(relOid, userid, ACL_UPDATE, + ACLMASK_ANY) != ACLCHECK_OK) + return false; + } + + col = -1; + while ((col = bms_next_member(rte->updatedCols, col)) >= 0) + { + /* bit #s are offset by FirstLowInvalidHeapAttributeNumber */ + AttrNumber attno = col + FirstLowInvalidHeapAttributeNumber; + + if (attno == InvalidAttrNumber) + { + /* whole-row reference can't happen here */ + elog(ERROR, "whole-row update is not implemented"); + } + else + { + if (pg_attribute_aclcheck(relOid, attno, userid, + ACL_UPDATE) != ACLCHECK_OK) return false; } } diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c index f1a24f5..00ffe4a 100644 --- a/src/backend/nodes/copyfuncs.c +++ b/src/backend/nodes/copyfuncs.c @@ -2028,7 +2028,8 @@ _copyRangeTblEntry(const RangeTblEntry *from) COPY_SCALAR_FIELD(requiredPerms); COPY_SCALAR_FIELD(checkAsUser); COPY_BITMAPSET_FIELD(selectedCols); - COPY_BITMAPSET_FIELD(modifiedCols); + COPY_BITMAPSET_FIELD(insertedCols); + COPY_BITMAPSET_FIELD(updatedCols); COPY_NODE_FIELD(securityQuals); return newnode; diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c index 6e8b308..79035b2 100644 --- a/src/backend/nodes/equalfuncs.c +++ b/src/backend/nodes/equalfuncs.c @@ -2345,7 +2345,8 @@ _equalRangeTblEntry(const RangeTblEntry *a, const RangeTblEntry *b) COMPARE_SCALAR_FIELD(requiredPerms); COMPARE_SCALAR_FIELD(checkAsUser); COMPARE_BITMAPSET_FIELD(selectedCols); - COMPARE_BITMAPSET_FIELD(modifiedCols); + COMPARE_BITMAPSET_FIELD(insertedCols); + COMPARE_BITMAPSET_FIELD(updatedCols); COMPARE_NODE_FIELD(securityQuals); return true; diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c index dd1278b..b4a2667 100644 --- a/src/backend/nodes/outfuncs.c +++ b/src/backend/nodes/outfuncs.c @@ -2456,7 +2456,8 @@ _outRangeTblEntry(StringInfo str, const RangeTblEntry *node) WRITE_UINT_FIELD(requiredPerms); WRITE_OID_FIELD(checkAsUser); WRITE_BITMAPSET_FIELD(selectedCols); - WRITE_BITMAPSET_FIELD(modifiedCols); + WRITE_BITMAPSET_FIELD(insertedCols); + WRITE_BITMAPSET_FIELD(updatedCols); WRITE_NODE_FIELD(securityQuals); } diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c index ae24d05..dbc162a 100644 --- a/src/backend/nodes/readfuncs.c +++ b/src/backend/nodes/readfuncs.c @@ -1253,7 +1253,8 @@ _readRangeTblEntry(void) READ_UINT_FIELD(requiredPerms); READ_OID_FIELD(checkAsUser); READ_BITMAPSET_FIELD(selectedCols); - READ_BITMAPSET_FIELD(modifiedCols); + READ_BITMAPSET_FIELD(insertedCols); + READ_BITMAPSET_FIELD(updatedCols); READ_NODE_FIELD(securityQuals); READ_DONE(); diff --git a/src/backend/optimizer/plan/setrefs.c b/src/backend/optimizer/plan/setrefs.c index 7703946..5d865b0 100644 --- a/src/backend/optimizer/plan/setrefs.c +++ b/src/backend/optimizer/plan/setrefs.c @@ -368,9 +368,9 @@ flatten_rtes_walker(Node *node, PlannerGlobal *glob) * * In the flat rangetable, we zero out substructure pointers that are not * needed by the executor; this reduces the storage space and copying cost - * for cached plans. We keep only the alias and eref Alias fields, which - * are needed by EXPLAIN, and the selectedCols and modifiedCols bitmaps, - * which are needed for executor-startup permissions checking and for + * for cached plans. We keep only the alias and eref Alias fields, which are + * needed by EXPLAIN, and the selectedCols, insertedCols and updatedCols + * bitmaps, which are needed for executor-startup permissions checking and for * trigger event checking. */ static void diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c index af3ee61..f86e792 100644 --- a/src/backend/optimizer/prep/prepsecurity.c +++ b/src/backend/optimizer/prep/prepsecurity.c @@ -115,7 +115,8 @@ expand_security_quals(PlannerInfo *root, List *tlist) rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * For the most part, Vars referencing the original relation @@ -213,7 +214,8 @@ expand_security_qual(PlannerInfo *root, List *tlist, int rt_index, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Now deal with any PlanRowMark on this RTE by requesting a lock diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c index 05f601e..1e28363 100644 --- a/src/backend/optimizer/prep/prepunion.c +++ b/src/backend/optimizer/prep/prepunion.c @@ -1367,14 +1367,16 @@ expand_inherited_rtentry(PlannerInfo *root, RangeTblEntry *rte, Index rti) * if this is the parent table, leave copyObject's result alone. * * Note: we need to do this even though the executor won't run any - * permissions checks on the child RTE. The modifiedCols bitmap may - * be examined for trigger-firing purposes. + * permissions checks on the child RTE. The insertedCols/updatedCols + * bitmaps may be examined for trigger-firing purposes. */ if (childOID != parentOID) { childrte->selectedCols = translate_col_privs(rte->selectedCols, appinfo->translated_vars); - childrte->modifiedCols = translate_col_privs(rte->modifiedCols, + childrte->insertedCols = translate_col_privs(rte->insertedCols, + appinfo->translated_vars); + childrte->updatedCols = translate_col_privs(rte->updatedCols, appinfo->translated_vars); } diff --git a/src/backend/parser/analyze.c b/src/backend/parser/analyze.c index a68f2e8..df89065 100644 --- a/src/backend/parser/analyze.c +++ b/src/backend/parser/analyze.c @@ -733,7 +733,7 @@ transformInsertStmt(ParseState *pstate, InsertStmt *stmt) false); qry->targetList = lappend(qry->targetList, tle); - rte->modifiedCols = bms_add_member(rte->modifiedCols, + rte->insertedCols = bms_add_member(rte->insertedCols, attr_num - FirstLowInvalidHeapAttributeNumber); icols = lnext(icols); @@ -2002,7 +2002,7 @@ transformUpdateStmt(ParseState *pstate, UpdateStmt *stmt) origTarget->location); /* Mark the target column as requiring update permissions */ - target_rte->modifiedCols = bms_add_member(target_rte->modifiedCols, + target_rte->updatedCols = bms_add_member(target_rte->updatedCols, attrno - FirstLowInvalidHeapAttributeNumber); origTargetList = lnext(origTargetList); diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c index 8d4f79f..d2820d8 100644 --- a/src/backend/parser/parse_relation.c +++ b/src/backend/parser/parse_relation.c @@ -1052,7 +1052,8 @@ addRangeTableEntry(ParseState *pstate, rte->requiredPerms = ACL_SELECT; rte->checkAsUser = InvalidOid; /* not set-uid by default, either */ rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list @@ -1105,7 +1106,8 @@ addRangeTableEntryForRelation(ParseState *pstate, rte->requiredPerms = ACL_SELECT; rte->checkAsUser = InvalidOid; /* not set-uid by default, either */ rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list @@ -1183,7 +1185,8 @@ addRangeTableEntryForSubquery(ParseState *pstate, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list @@ -1437,7 +1440,8 @@ addRangeTableEntryForFunction(ParseState *pstate, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list @@ -1509,7 +1513,8 @@ addRangeTableEntryForValues(ParseState *pstate, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list @@ -1577,7 +1582,8 @@ addRangeTableEntryForJoin(ParseState *pstate, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list @@ -1677,7 +1683,8 @@ addRangeTableEntryForCTE(ParseState *pstate, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * Add completed RTE to pstate's range table list, but not to join list diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c index b8e6e7a..fab2948 100644 --- a/src/backend/rewrite/rewriteHandler.c +++ b/src/backend/rewrite/rewriteHandler.c @@ -1403,7 +1403,8 @@ ApplyRetrieveRule(Query *parsetree, rte->requiredPerms = 0; rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * For the most part, Vars referencing the view should remain as @@ -1466,12 +1467,14 @@ ApplyRetrieveRule(Query *parsetree, subrte->requiredPerms = rte->requiredPerms; subrte->checkAsUser = rte->checkAsUser; subrte->selectedCols = rte->selectedCols; - subrte->modifiedCols = rte->modifiedCols; + subrte->insertedCols = rte->insertedCols; + subrte->updatedCols = rte->updatedCols; rte->requiredPerms = 0; /* no permission check on subquery itself */ rte->checkAsUser = InvalidOid; rte->selectedCols = NULL; - rte->modifiedCols = NULL; + rte->insertedCols = NULL; + rte->updatedCols = NULL; /* * If FOR [KEY] UPDATE/SHARE of view, mark all the contained tables as @@ -2584,9 +2587,9 @@ rewriteTargetView(Query *parsetree, Relation view) /* * For INSERT/UPDATE the modified columns must all be updatable. Note that * we get the modified columns from the query's targetlist, not from the - * result RTE's modifiedCols set, since rewriteTargetListIU may have added - * additional targetlist entries for view defaults, and these must also be - * updatable. + * result RTE's insertedCols and/or updatedCols set, since + * rewriteTargetListIU may have added additional targetlist entries for + * view defaults, and these must also be updatable. */ if (parsetree->commandType != CMD_DELETE) { @@ -2723,26 +2726,31 @@ rewriteTargetView(Query *parsetree, Relation view) * * Initially, new_rte contains selectedCols permission check bits for all * base-rel columns referenced by the view, but since the view is a SELECT - * query its modifiedCols is empty. We set modifiedCols to include all - * the columns the outer query is trying to modify, adjusting the column - * numbers as needed. But we leave selectedCols as-is, so the view owner - * must have read permission for all columns used in the view definition, - * even if some of them are not read by the outer query. We could try to - * limit selectedCols to only columns used in the transformed query, but - * that does not correspond to what happens in ordinary SELECT usage of a - * view: all referenced columns must have read permission, even if - * optimization finds that some of them can be discarded during query - * transformation. The flattening we're doing here is an optional - * optimization, too. (If you are unpersuaded and want to change this, - * note that applying adjust_view_column_set to view_rte->selectedCols is - * clearly *not* the right answer, since that neglects base-rel columns - * used in the view's WHERE quals.) + * query its insertedCols/updatedCols is empty. We set insertedCols and + * updatedCols to include all the columns the outer query is trying to + * modify, adjusting the column numbers as needed. But we leave + * selectedCols as-is, so the view owner must have read permission for all + * columns used in the view definition, even if some of them are not read + * by the outer query. We could try to limit selectedCols to only columns + * used in the transformed query, but that does not correspond to what + * happens in ordinary SELECT usage of a view: all referenced columns must + * have read permission, even if optimization finds that some of them can + * be discarded during query transformation. The flattening we're doing + * here is an optional optimization, too. (If you are unpersuaded and want + * to change this, note that applying adjust_view_column_set to + * view_rte->selectedCols is clearly *not* the right answer, since that + * neglects base-rel columns used in the view's WHERE quals.) * * This step needs the modified view targetlist, so we have to do things * in this order. */ - Assert(bms_is_empty(new_rte->modifiedCols)); - new_rte->modifiedCols = adjust_view_column_set(view_rte->modifiedCols, + Assert(bms_is_empty(new_rte->insertedCols) && + bms_is_empty(new_rte->updatedCols)); + + new_rte->insertedCols = adjust_view_column_set(view_rte->insertedCols, + view_targetlist); + + new_rte->updatedCols = adjust_view_column_set(view_rte->updatedCols, view_targetlist); /* diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h index b1dfa85..86d1c07 100644 --- a/src/include/nodes/parsenodes.h +++ b/src/include/nodes/parsenodes.h @@ -717,11 +717,12 @@ typedef struct XmlSerialize * For SELECT/INSERT/UPDATE permissions, if the user doesn't have * table-wide permissions then it is sufficient to have the permissions * on all columns identified in selectedCols (for SELECT) and/or - * modifiedCols (for INSERT/UPDATE; we can tell which from the query type). - * selectedCols and modifiedCols are bitmapsets, which cannot have negative - * integer members, so we subtract FirstLowInvalidHeapAttributeNumber from - * column numbers before storing them in these fields. A whole-row Var - * reference is represented by setting the bit for InvalidAttrNumber. + * insertedCols and/or updatedCols (INSERT with ON CONFLICT UPDATE may + * have all 3). selectedCols, insertedCols and updatedCols are + * bitmapsets, which cannot have negative integer members, so we subtract + * FirstLowInvalidHeapAttributeNumber from column numbers before storing + * them in these fields. A whole-row Var reference is represented by + * setting the bit for InvalidAttrNumber. *-------------------- */ typedef enum RTEKind @@ -816,7 +817,8 @@ typedef struct RangeTblEntry AclMode requiredPerms; /* bitmask of required access permissions */ Oid checkAsUser; /* if valid, check access as this role */ Bitmapset *selectedCols; /* columns needing SELECT permission */ - Bitmapset *modifiedCols; /* columns needing INSERT/UPDATE permission */ + Bitmapset *insertedCols; /* columns needing INSERT permission */ + Bitmapset *updatedCols; /* columns needing UPDATE permission */ List *securityQuals; /* any security barrier quals to apply */ } RangeTblEntry; -- 1.9.1