The following bug has been logged online: Bug reference: 5458 Logged by: Takahiro Itagaki Email address: itagaki.takah...@oss.ntt.co.jp PostgreSQL version: 9.0beta1 Operating system: Linux (maybe ALL) Description: Permission check is skipped by inheritance Details:
Even if a non-superuser who has no permissions on a parent and a child tables, he can retrieve data from the parent when the two tables have inheritance relationship. The behavior seems to be changed in 9.0. 8.4 returns "permission denied" errors expectedly. === test case === - 'postgres' is a superuser. - 'normal' is a non-superuser. (9.0beta1) =# CREATE TABLE parent (i integer); =# CREATE TABLE child (i integer); =# REVOKE ALL ON parent, child FROM public; =# SET ROLE normal; => SELECT * FROM parent; ERROR: permission denied for relation parent => SELECT * FROM child; ERROR: permission denied for relation child => SET ROLE postgres; =# ALTER TABLE child INHERIT parent; =# SET ROLE normal; => SELECT * FROM parent; -- ??? i --- (0 rows) postgres=> SELECT * FROM child; ERROR: permission denied for relation child (8.4.3) ... =# ALTER TABLE child INHERIT parent; =# SET ROLE normal; => SELECT * FROM parent; ERROR: permission denied for relation parent => SELECT * FROM child; ERROR: permission denied for relation child -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
