Fix column privileges for pg_subscription.subwalrcvtimeout

On Mon, Jun 1, 2026 at 10:44 PM Nisha Moond <nisha.moond412@gmail.com> wrote:

Hi Hackers,

IIUC, all columns of pg_subscription, except subconninfo, are intended
to be readable by non-superusers as well. A comment in
system_views.sql also states:
"-- All columns of pg_subscription except subconninfo are publicly readable."

However, 'subwalrcvtimeout' is currently not accessible:
Test:
postgres=# CREATE ROLE nisha LOGIN PASSWORD 'testpass';
CREATE ROLE
postgres=# SET SESSION AUTHORIZATION nisha;
SET
postgres=> select subwalrcvtimeout from pg_subscription;
ERROR: permission denied for table pg_subscription

It appears the column-level privileges for pg_subscription were not
updated when subwalrcvtimeout was added.

Attached is a small fix patch to grant public access to this column,
consistent with the existing behavior of the other pg_subscription
columns.

Thanks for the report and the patch! It looks good to me.

Barring any objections, I'll commit it. For my own reference, since this
changes the catalog, I'll need to update the catalog version when committing.

BTW, should we add a regression test for column privileges on pg_subscription
to help catch similar issues in the future? For example, the test could verify
that subconninfo remains unreadable to non-superusers, while all other existing
columns remain publicly readable. That would make it easier to detect omissions
when new columns are added to pg_subscription. For example,

SELECT count(*) = 0 AS ok
FROM pg_attribute
WHERE attrelid = 'pg_catalog.pg_subscription'::regclass
AND attnum > 0
AND NOT attisdropped
AND ((attname = 'subconninfo'
AND has_column_privilege('regress_subscription_user_dummy',
'pg_catalog.pg_subscription',
attname,
'SELECT'))
OR (attname <> 'subconninfo'
AND NOT
has_column_privilege('regress_subscription_user_dummy',
'pg_catalog.pg_subscription',
attname,
'SELECT')));

Regards,

--
Fujii Masao

On Tue, Jun 2, 2026 at 8:16 AM Fujii Masao <masao.fujii@gmail.com> wrote:

On Mon, Jun 1, 2026 at 10:44 PM Nisha Moond <nisha.moond412@gmail.com> wrote:

Hi Hackers,

IIUC, all columns of pg_subscription, except subconninfo, are intended
to be readable by non-superusers as well. A comment in
system_views.sql also states:
"-- All columns of pg_subscription except subconninfo are publicly readable."

However, 'subwalrcvtimeout' is currently not accessible:
Test:
postgres=# CREATE ROLE nisha LOGIN PASSWORD 'testpass';
CREATE ROLE
postgres=# SET SESSION AUTHORIZATION nisha;
SET
postgres=> select subwalrcvtimeout from pg_subscription;
ERROR: permission denied for table pg_subscription

It appears the column-level privileges for pg_subscription were not
updated when subwalrcvtimeout was added.

Attached is a small fix patch to grant public access to this column,
consistent with the existing behavior of the other pg_subscription
columns.

Thanks for the report and the patch! It looks good to me.

Barring any objections, I'll commit it. For my own reference, since this
changes the catalog, I'll need to update the catalog version when committing.

BTW, should we add a regression test for column privileges on pg_subscription
to help catch similar issues in the future?

+1. It makes sense because I noticed that patch authors previously
also omitted this part though in most cases those are caught in
review.

--
With Regards,
Amit Kapila.

On Tue, Jun 2, 2026 at 11:56 AM Amit Kapila <amit.kapila16@gmail.com> wrote:

BTW, should we add a regression test for column privileges on pg_subscription
to help catch similar issues in the future?

+1. It makes sense because I noticed that patch authors previously
also omitted this part though in most cases those are caught in
review.

Agreed. I've added the regression test to the patch.
Attached is the updated version.

Regards,

--
Fujii Masao

On Thu, Jun 4, 2026 at 7:35 AM Fujii Masao <masao.fujii@gmail.com> wrote:

On Tue, Jun 2, 2026 at 11:56 AM Amit Kapila <amit.kapila16@gmail.com> wrote:

BTW, should we add a regression test for column privileges on pg_subscription
to help catch similar issues in the future?

+1. It makes sense because I noticed that patch authors previously
also omitted this part though in most cases those are caught in
review.

Agreed. I've added the regression test to the patch.
Attached is the updated version.

Thank you, Fujii-san, for the updated patch. I tested both the success
and failure cases with the SQL query, and it worked as expected.

The patch LGTM.

--
Thanks,
Nisha

On Thu, Jun 4, 2026 at 2:39 PM Nisha Moond <nisha.moond412@gmail.com> wrote:

Thank you, Fujii-san, for the updated patch. I tested both the success
and failure cases with the SQL query, and it worked as expected.

The patch LGTM.

Thanks for the test and review! I've pushed the patch.

Regards,

--
Fujii Masao

On Fri, Jun 5, 2026 at 6:24 AM Fujii Masao <masao.fujii@gmail.com> wrote:

On Thu, Jun 4, 2026 at 2:39 PM Nisha Moond <nisha.moond412@gmail.com> wrote:

Thank you, Fujii-san, for the updated patch. I tested both the success
and failure cases with the SQL query, and it worked as expected.

The patch LGTM.

Thanks for the test and review! I've pushed the patch.

Thanks for pushing!

--
Nisha