*** pgsql/src/backend/commands/trigger.c 2009/01/22 19:16:31 1.245
--- pgsql/src/backend/commands/trigger.c 2009/01/22 20:16:02 1.246
***************
*** 7,13 ****
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
! * $PostgreSQL: pgsql/src/backend/commands/trigger.c,v 1.244 2009/01/21 09:28:26 mha Exp $
  *
  *-------------------------------------------------------------------------
  */
--- 7,13 ----
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
! * $PostgreSQL: pgsql/src/backend/commands/trigger.c,v 1.245 2009/01/22 19:16:31 heikki Exp $
  *
  *-------------------------------------------------------------------------
  */
*************** static void AfterTriggerSaveEvent(Result
*** 74,84 ****
  * be made to link the trigger to that constraint. constraintOid is zero when
  * executing a user-entered CREATE TRIGGER command.
  *
  * Note: can return InvalidOid if we decided to not create a trigger at all,
  * but a foreign-key constraint. This is a kluge for backwards compatibility.
  */
  Oid
! CreateTrigger(CreateTrigStmt *stmt, Oid constraintOid)
  {
  int16 tgtype;
  int2vector *tgattr;
--- 74,89 ----
  * be made to link the trigger to that constraint. constraintOid is zero when
  * executing a user-entered CREATE TRIGGER command.
  *
+ * If checkPermissions is true we require ACL_TRIGGER permissions on the
+ * relation. If not, the caller already checked permissions. (This is
+ * currently redundant with constraintOid being zero, but it's clearer to
+ * have a separate argument.)
+ *
  * Note: can return InvalidOid if we decided to not create a trigger at all,
  * but a foreign-key constraint. This is a kluge for backwards compatibility.
  */
  Oid
! CreateTrigger(CreateTrigStmt *stmt, Oid constraintOid, bool checkPermissions)
  {
  int16 tgtype;
  int2vector *tgattr;
*************** CreateTrigger(CreateTrigStmt *stmt, Oid
*** 117,153 ****
  errmsg("permission denied: \"%s\" is a system catalog",
  RelationGetRelationName(rel))));
!
/* permission checks */ ! if (stmt->isconstraint) { - /* constraint trigger */ aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ! ACL_REFERENCES); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, ACL_KIND_CLASS, RelationGetRelationName(rel)); ! if (stmt->constrrel != NULL) { - constrrelid = RangeVarGetRelid(stmt->constrrel, false); - aclresult = pg_class_aclcheck(constrrelid, GetUserId(), ! ACL_REFERENCES); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, ACL_KIND_CLASS, get_rel_name(constrrelid)); } } - else - { - /* regular trigger */ - aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), - ACL_TRIGGER); - if (aclresult != ACLCHECK_OK) - aclcheck_error(aclresult, ACL_KIND_CLASS, - RelationGetRelationName(rel)); - } /* Compute tgtype */ TRIGGER_CLEAR_TYPE(tgtype);
--- 122,148 ----
errmsg("permission denied: \"%s\" is a system catalog", RelationGetRelationName(rel)))); ! if (stmt->isconstraint && stmt->constrrel != NULL) ! constrrelid = RangeVarGetRelid(stmt->constrrel, false); ! /* permission checks */ ! if (checkPermissions) { aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(), ! ACL_TRIGGER); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, ACL_KIND_CLASS, RelationGetRelationName(rel)); ! if (OidIsValid(constrrelid)) { aclresult = pg_class_aclcheck(constrrelid, GetUserId(), ! ACL_TRIGGER); if (aclresult != ACLCHECK_OK) aclcheck_error(aclresult, ACL_KIND_CLASS, get_rel_name(constrrelid)); } } /* Compute tgtype */ TRIGGER_CLEAR_TYPE(tgtype);
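Review bot: The new `if (OidIsValid(constrrelid))` test in the permission block is reached even when `stmt->isconstraint` is false or `stmt->constrrel` is NULL, so it relies on `constrrelid` having been initialised to `InvalidOid` at its declaration, which lies outside this hunk; if it is not, the declaration should read `Oid constrrelid = InvalidOid;`. Separately, passing `checkPermissions = false` now skips the ACL_TRIGGER check on both the trigger relation and the referenced relation, so the header comment's "the caller already checked permissions" would be clearer as `the caller must already have checked permissions on the relation and on any constrrel`. A cheap guard against a caller getting this wrong would be an assertion tying the flag to the condition the comment calls redundant, along the lines of `Assert(checkPermissions || OidIsValid(constraintOid));`, provided every existing caller satisfies it. CreateTrigger's body starts before and continues after this hunk.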