On Mon, Jul 08, 2024 at 04:39:21PM -0700, Jeff Davis wrote: > On Sun, 2024-06-30 at 15:30 -0700, Noah Misch wrote: > > You're caching the result of object_aclcheck(NamespaceRelationId, > > ...), so > > pg_auth_members changes > > Thank you for the report. > > Question: to check for changes to pg_auth_members, it seems like either > AUTHMEMROLEMEM or AUTHMEMMEMROLE work, and to use both would be > redundant. Am I missing something, or should I just pick one > arbitrarily (or by some convention)?
One suffices. initialize_acl() is the only other place that invals on this catalog, so consider it a fine convention to mimic. > > and pg_database changes also need to invalidate this > > cache. (pg_database affects the ACL_CREATE_TEMP case in > > pg_namespace_aclmask_ext() > > I am having trouble finding an actual problem with ACL_CREATE_TEMP. > search_path ACL checks are normally bypassed for the temp namespace, so > it can only happen when the actual temp namespace name (e.g. > pg_temp_NNN) is explicitly included. In that case, the mask is > ACL_USAGE, so the two branches in pg_namespace_aclmask_ext() are > equivalent, right? I don't know. > This question is not terribly important for the fix, because > invalidating for each pg_database change is still necessary as you > point out
