From aa1110624c08298393dfce996f7b21809d98d3fd Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 14 Jul 2005 21:46:30 +0000
Subject: Adjust permissions checking for ALTER OWNER commands: instead of requiring superuserness always, allow an owner to reassign ownership to any role he is a member of, if that role would have the right to create a similar object. These three requirements essentially state that the would-be alterer has enough privilege to DROP the existing object and then re-CREATE it as the new role; so we might as well let him do it in one step. The ALTER TABLESPACE case is a bit squirrely, but the whole concept of non-superuser tablespace owners is pretty dubious anyway. Stephen Frost, code review by Tom Lane.
---
 src/backend/utils/adt/acl.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
(limited to 'src/backend/utils/adt/acl.c')
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index a416def8155..3fedb33a8a5 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.118 2005/07/07 20:39:58 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/acl.c,v 1.119 2005/07/14 21:46:30 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -2541,6 +2541,10 @@ is_member_of_role(Oid member, Oid role)
 if (member == role)
 return true;
+ /* Superusers have every privilege, so are part of every role */
+ if (superuser_arg(member))
+ return true;
+
 /* If cache is already valid, just use the list */
 if (OidIsValid(cached_role) && cached_role == member)
 return list_member_oid(cached_memberships, role);
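Review bot: The added `if (superuser_arg(member)) return true;` changes what is_member_of_role() means for every caller, not only the ALTER OWNER checks this commit is about: a superuser is now reported as a member of any role, including roles it was never granted. That is the right answer for a privilege test, but a caller that treats the result as literal membership would silently start matching superusers; those call sites are outside this page and should be audited, and a variant that skips the superuser shortcut would be the safer choice for any that need real membership. The function's header comment lies outside the hunk (the body starts before it and continues after it) and should record the exception, e.g. `Since superusers have all privileges, they are treated as members of every role.`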
@@ -2604,6 +2608,20 @@ is_member_of_role(Oid member, Oid role)
 return list_member_oid(cached_memberships, role);
 }
+/*
+ * check_is_member_of_role
+ * is_member_of_role with a standard permission-violation error if not
+ */
+void
+check_is_member_of_role(Oid member, Oid role)
+{
+ if (!is_member_of_role(member, role))
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("must be member of role \"%s\"",
+ GetUserNameFromId(role))));
+}
+
 /*
 * Is member an admin of role (directly or indirectly)? That is, is it
--
cgit v1.2.3
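Review bot: The header comment on check_is_member_of_role() leaves out two things a caller has to know: the function does not return when the test fails (it raises ERRCODE_INSUFFICIENT_PRIVILEGE through ereport(ERROR)), and, because it defers to is_member_of_role(), a superuser `member` passes for any role. I would extend the comment with `Does not return on failure; superusers pass for any role.` The error path also calls `GetUserNameFromId(role)`, so `role` has to be a valid, existing role OID; if that lookup can itself raise an error for a stale OID (its body is not visible here), the user would see that error instead of the permission message, which is worth stating as a precondition in the same comment.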