Commit df7fe9e2 authored by Peter Eisentraut's avatar Peter Eisentraut

Disallow dropping rules on system tables by default

This was previously not covered by allow_system_table_mods, but now it
is.  The impact in practice is probably low, but this makes it
consistent with most other DDL commands.
Reviewed-by: default avatarRobert Haas <robertmhaas@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/ee9df1af-c0d8-7c82-5be7-39ce4e3b0a9d%402ndquadrant.com
parent 8c6d30f2
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
#include "access/htup_details.h" #include "access/htup_details.h"
#include "access/sysattr.h" #include "access/sysattr.h"
#include "access/table.h" #include "access/table.h"
#include "catalog/catalog.h"
#include "catalog/dependency.h" #include "catalog/dependency.h"
#include "catalog/indexing.h" #include "catalog/indexing.h"
#include "catalog/namespace.h" #include "catalog/namespace.h"
...@@ -28,6 +29,7 @@ ...@@ -28,6 +29,7 @@
#include "utils/fmgroids.h" #include "utils/fmgroids.h"
#include "utils/inval.h" #include "utils/inval.h"
#include "utils/lsyscache.h" #include "utils/lsyscache.h"
#include "utils/rel.h"
#include "utils/syscache.h" #include "utils/syscache.h"
/* /*
...@@ -72,6 +74,12 @@ RemoveRewriteRuleById(Oid ruleOid) ...@@ -72,6 +74,12 @@ RemoveRewriteRuleById(Oid ruleOid)
eventRelationOid = ((Form_pg_rewrite) GETSTRUCT(tuple))->ev_class; eventRelationOid = ((Form_pg_rewrite) GETSTRUCT(tuple))->ev_class;
event_relation = table_open(eventRelationOid, AccessExclusiveLock); event_relation = table_open(eventRelationOid, AccessExclusiveLock);
if (!allowSystemTableMods && IsSystemRelation(event_relation))
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied: \"%s\" is a system catalog",
RelationGetRelationName(event_relation))));
/* /*
* Now delete the pg_rewrite tuple for the rule * Now delete the pg_rewrite tuple for the rule
*/ */
......
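Review bot: The added `allowSystemTableMods` check in RemoveRewriteRuleById has no comment, and its placement is not self-explanatory. It sits in the by-OID removal routine rather than in the DROP RULE command path, so it presumably also applies when a rule on a catalog is removed through a dependency cascade. It also runs only after `table_open(eventRelationOid, AccessExclusiveLock)` has taken the lock on the catalog. Both look intentional, since the relation must be open before `IsSystemRelation(event_relation)` can be called and the ERROR releases the lock at abort, but I would say so above the `if`, for example `/* Refuse to remove rules on system catalogs unless allow_system_table_mods is set; checked here so all removal paths go through it. */`. The function body starts and ends outside the hunk.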
...@@ -81,7 +81,16 @@ CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING; ...@@ -81,7 +81,16 @@ CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
ERROR: permission denied: "pg_description" is a system catalog ERROR: permission denied: "pg_description" is a system catalog
ALTER RULE r1 ON pg_description RENAME TO r2; ALTER RULE r1 ON pg_description RENAME TO r2;
ERROR: permission denied: "pg_description" is a system catalog ERROR: permission denied: "pg_description" is a system catalog
--DROP RULE r2 ON pg_description; -- now make one to test dropping:
SET allow_system_table_mods TO on;
CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
RESET allow_system_table_mods;
DROP RULE r2 ON pg_description;
ERROR: permission denied: "pg_description" is a system catalog
-- cleanup:
SET allow_system_table_mods TO on;
DROP RULE r2 ON pg_description;
RESET allow_system_table_mods;
SET allow_system_table_mods = on; SET allow_system_table_mods = on;
-- create new table in pg_catalog -- create new table in pg_catalog
BEGIN; BEGIN;
......
...@@ -79,7 +79,15 @@ ALTER TRIGGER t1 ON pg_description RENAME TO t2; ...@@ -79,7 +79,15 @@ ALTER TRIGGER t1 ON pg_description RENAME TO t2;
-- rules -- rules
CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING; CREATE RULE r1 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
ALTER RULE r1 ON pg_description RENAME TO r2; ALTER RULE r1 ON pg_description RENAME TO r2;
--DROP RULE r2 ON pg_description; -- now make one to test dropping:
SET allow_system_table_mods TO on;
CREATE RULE r2 AS ON INSERT TO pg_description DO INSTEAD NOTHING;
RESET allow_system_table_mods;
DROP RULE r2 ON pg_description;
-- cleanup:
SET allow_system_table_mods TO on;
DROP RULE r2 ON pg_description;
RESET allow_system_table_mods;
SET allow_system_table_mods = on; SET allow_system_table_mods = on;
......
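Review bot: The negative test never states that the rejected `DROP RULE r2 ON pg_description;` must leave the rule in place; that is verified only implicitly, because the cleanup `DROP RULE r2` has no `IF EXISTS` and would fail if the rule were already gone. I would make that explicit by changing `-- cleanup:` to `-- cleanup (also confirms the rejected DROP left r2 in place):`, with the same line in the expected-output file. The refusal case also depends on `RESET allow_system_table_mods;` returning the setting to off, which holds only if the test server's default is off. Writing `SET allow_system_table_mods TO off;` before the drop that must fail would remove that dependency.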