projects / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ed345c2)
MERGE ... DO NOTHING: require SELECT privileges
authorAlvaro Herrera <[email protected]>
Wed, 21 Feb 2024 16:18:52 +0000 (17:18 +0100)
committerAlvaro Herrera <[email protected]>
Wed, 21 Feb 2024 16:18:52 +0000 (17:18 +0100)
Verify that a user running MERGE with a DO NOTHING clause has
privileges to read the table, even if no columns are referenced.  Such
privileges were already required if the ON clause or any of the WHEN
conditions referenced any column at all, so there's no functional change
in practice.

This change fixes an assertion failure in the case where no column is
referenced by the command and the WHEN clauses are all DO NOTHING.

Backpatch to 15, where MERGE was introduced.

Reported-by: Alena Rybakina <[email protected]>
Reported-by: Alexander Lakhin <[email protected]>
Discussion: https://postgr.es/m/4d65a385-7efa-4436-a825-0869f89d9d92@postgrespro.ru

src/backend/parser/parse_merge.c patch | blob | blame | history
src/test/regress/expected/merge.out patch | blob | blame | history
src/test/regress/sql/merge.sql patch | blob | blame | history

diff --git a/src/backend/parser/parse_merge.c b/src/backend/parser/parse_merge.c
index 5f6a683ab941f2ff3d2c9212742bd741f079890c..73f7a48b3c69beb10eea1682db4e4962990fb965 100644 (file)
--- a/src/backend/parser/parse_merge.c
+++ b/src/backend/parser/parse_merge.c
@@ -133,7 +133,11 @@ transformMergeStmt(ParseState *pstate, MergeStmt *stmt)
        int         when_type = (mergeWhenClause->matched ? 0 : 1);
 
        /*
-        * Collect action types so we can check target permissions
+        * Collect permissions to check, according to action types. We require
+        * SELECT privileges for DO NOTHING because it'd be irregular to have
+        * a target relation with zero privileges checked, in case DO NOTHING
+        * is the only action.  There's no damage from that: any meaningful
+        * MERGE command requires at least some access to the table anyway.
         */
        switch (mergeWhenClause->commandType)
        {
@@ -147,6 +151,7 @@ transformMergeStmt(ParseState *pstate, MergeStmt *stmt)
                targetPerms |= ACL_DELETE;
                break;
            case CMD_NOTHING:
+               targetPerms |= ACL_SELECT;
                break;
            default:
                elog(ERROR, "unknown action in MERGE WHEN clause");
diff --git a/src/test/regress/expected/merge.out b/src/test/regress/expected/merge.out
index f87905fabd2702132f8b77fab0e5e4f7b48ef9de..28a69802d7297e96eadd24d58c1c668c7a5e35d4 100644 (file)
--- a/src/test/regress/expected/merge.out
+++ b/src/test/regress/expected/merge.out
@@ -3,6 +3,7 @@
 --
 CREATE USER regress_merge_privs;
 CREATE USER regress_merge_no_privs;
+CREATE USER regress_merge_none;
 DROP TABLE IF EXISTS target;
 NOTICE:  table "target" does not exist, skipping
 DROP TABLE IF EXISTS source;
@@ -159,6 +160,14 @@ ERROR:  cannot execute MERGE on relation "mv"
 DETAIL:  This operation is not supported for materialized views.
 DROP MATERIALIZED VIEW mv;
 -- permissions
+SET SESSION AUTHORIZATION regress_merge_none;
+MERGE INTO target
+USING (SELECT 1)
+ON true
+WHEN MATCHED THEN
+   DO NOTHING;
+ERROR:  permission denied for table target
+SET SESSION AUTHORIZATION regress_merge_privs;
 MERGE INTO target
 USING source2
 ON target.tid = source2.sid
@@ -2248,3 +2257,4 @@ DROP TABLE source, source2;
 DROP FUNCTION merge_trigfunc();
 DROP USER regress_merge_privs;
 DROP USER regress_merge_no_privs;
+DROP USER regress_merge_none;
diff --git a/src/test/regress/sql/merge.sql b/src/test/regress/sql/merge.sql
index 66cb75a7566c0d40d880c54e7b9dae0bff73e6c3..82faa7364ca9210fd6a502dc2d6ba665c0c944d4 100644 (file)
--- a/src/test/regress/sql/merge.sql
+++ b/src/test/regress/sql/merge.sql
@@ -4,6 +4,8 @@
 
 CREATE USER regress_merge_privs;
 CREATE USER regress_merge_no_privs;
+CREATE USER regress_merge_none;
+
 DROP TABLE IF EXISTS target;
 DROP TABLE IF EXISTS source;
 CREATE TABLE target (tid integer, balance integer)
@@ -118,6 +120,14 @@ DROP MATERIALIZED VIEW mv;
 
 -- permissions
 
+SET SESSION AUTHORIZATION regress_merge_none;
+MERGE INTO target
+USING (SELECT 1)
+ON true
+WHEN MATCHED THEN
+   DO NOTHING;
+
+SET SESSION AUTHORIZATION regress_merge_privs;
 MERGE INTO target
 USING source2
 ON target.tid = source2.sid
@@ -1471,3 +1481,4 @@ DROP TABLE source, source2;
 DROP FUNCTION merge_trigfunc();
 DROP USER regress_merge_privs;
 DROP USER regress_merge_no_privs;
+DROP USER regress_merge_none;
This is the main PostgreSQL git repository.