On 3/30/21 8:17 PM, Joe Conway wrote:
> On 3/30/21 6:22 PM, Tom Lane wrote:
>> Joe Conway <m...@joeconway.com> writes:
>>> Heh, I missed the forest for the trees it seems.
>>> That version undid the changes fixing what Ian was originally complaining about.
>>
>> Duh, right.  It would be a good idea for there to be a code comment
>> explaining this, because it's *far* from obvious.  Say like
>>
>>         * Check for column-level privileges first.  This serves in
>>         * part as a check on whether the column even exists, so we
>>         * need to do it before checking table-level privilege.
>
> Will do.
>
>> My gripe about providing API-spec comments for the new aclchk.c
>> entry points still stands.  Other than that, I think it's good
>> to go.
>
> Yeah, I was planning to put something akin to this in all four spots:
> 8<-------------------
> /*
>  * Exported routine for checking a user's access privileges to a table
>  *
>  * Does the bulk of the work for pg_class_aclcheck(), and allows other
>  * callers to avoid the missing relation ERROR when is_missing is non-NULL.
>  */
> AclResult
> pg_class_aclcheck_ext(Oid table_oid, Oid roleid,
>                       AclMode mode, bool *is_missing)
> ...
> 8<-------------------


Pushed that way.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

