On 09/09/2011 11:34 PM, Bruce Momjian wrote:
> Robert Haas wrote:
>> On Sat, May 7, 2011 at 11:42 PM, Bruce Momjian <br...@momjian.us> wrote:
>>> Is this a TODO?
>> I think so.
> Added to TODO:
>
>     Address problem where superusers are assumed to be members of all groups
>     http://archives.postgresql.org/pgsql-hackers/2011-04/msg00337.php

This turns out to be a one-liner.
Patch attached.

cheers

andrew

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 1ee030f..1c84a60 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
if (!OidIsValid(roleid))
return false; /* if target role not exist, say "no" */
- /* See if user is directly or indirectly a member of role */
- return is_member_of_role(userid, roleid);
+ /*
+ * See if user is directly or indirectly a member of role.
+ * For this purpose, a superuser is not considered to be automatically
+ * a member of the role, so group auth only applies to explicit
+ * membership.
+ */
+ return is_member_of_role_nosuper(userid, roleid);
}
/*
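
Review bot: the switch to is_member_of_role_nosuper() at the return of is_member() changes which pg_hba.conf group entries a superuser matches, but this diff touches only hba.c, so the change would land without any documentation or release-note text. Administrators whose rules currently depend on superusers being implicit members of every group will see different matching after an upgrade, so the client authentication docs should state that group matching requires explicit membership, superusers included. The new comment could also name the context more precisely than "group auth", for example by saying it covers group entries in pg_hba.conf, so that a later reader of is_member() does not have to infer it from the file name. A regression test with a superuser who is not a member of the target role would pin the new behaviour down.
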
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)