author | Robert Treat | 2020-10-28 05:18:52 +0000 |
---|---|---|
committer | Robert Treat | 2020-10-28 15:02:53 +0000 |
commit | 076f9f54225079e0117227481fbe22f2dff81687 (patch) | |
tree | a25ed10987dfc006e9c41e61f1996e53c22cb28b | |
parent | 4b914974d2a1418aac463f89e89a5b9506838b88 (diff) |
Consider group membership when testing owned_only

Based on code and suggestions from @cathysax, ultimately I used the internal
pg_has_role function to test whether a user has ownership rights based on
group membership. I actually check for 'USAGE' rights, since that implies the
role has rights without need to `set role`, which users wouldn't be able to do
with a normal PPA login. Loosely tested back to 9.5.

This fixes https://github.com/phppgadmin/phppgadmin/issues/102
-rw-r--r-- | classes/database/Postgres.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/classes/database/Postgres.php b/classes/database/Postgres.php index bfd04a87..e83227f6 100644 --- a/classes/database/Postgres.php +++ b/classes/database/Postgres.php @@ -450,7 +450,7 @@ class Postgres extends ADODB_base { if (isset($conf['owned_only']) && $conf['owned_only'] && !$this->isSuperUser()) { $username = $server_info['username']; $this->clean($username); - $clause = " AND pr.rolname='{$username}'"; + $clause = " AND pg_has_role('{$username}'::name,pr.rolname,'USAGE')"; } else $clause = ''; |
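Review bot: On the added `$clause` line, `{$username}` is still spliced into a quoted SQL literal (`'{$username}'::name`), so the query is only safe if `$this->clean($username)` escapes correctly for a single-quoted string. If the connection always runs as `$server_info['username']` (an assumption, not visible in this hunk), the two-argument form `pg_has_role(pr.rolname,'USAGE')` tests the current user and removes the interpolation altogether. Separately, the reason for `'USAGE'` rather than `'MEMBER'` lives only in the commit message; a one-line comment above the clause saying that USAGE means the privileges apply without `SET ROLE` would keep it from being changed by mistake later. Also worth documenting next to the `owned_only` setting: the filter now matches databases owned by any role the user inherits from, which is wider than the previous exact `pr.rolname='{$username}'` match.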