Check that aggregate creator has the right to execute the transition

author Tom Lane <[email protected]>

Thu, 27 Jan 2005 23:43:45 +0000 (23:43 +0000)

committer Tom Lane <[email protected]>

Thu, 27 Jan 2005 23:43:45 +0000 (23:43 +0000)
author Tom Lane <[email protected]>
Thu, 27 Jan 2005 23:43:45 +0000 (23:43 +0000)
committer Tom Lane <[email protected]>
Thu, 27 Jan 2005 23:43:45 +0000 (23:43 +0000)
diff --git a/src/backend/catalog/pg_aggregate.c b/src/backend/catalog/pg_aggregate.c

index 6f9c7f7aa7f613e3b8e4d05c958c8c225a663938..b95aeec33a35af0b3dffd40a05475d014a6bb366 100644 (file)
--- a/src/backend/catalog/pg_aggregate.c
+++ b/src/backend/catalog/pg_aggregate.c
@@ -22,10 +22,13 @@
  #include "catalog/pg_aggregate.h"
  #include "catalog/pg_language.h"
  #include "catalog/pg_proc.h"
+#include "miscadmin.h"
  #include "optimizer/cost.h"
  #include "parser/parse_coerce.h"
  #include "parser/parse_func.h"
+#include "utils/acl.h"
  #include "utils/builtins.h"
+#include "utils/lsyscache.h"
  #include "utils/syscache.h"
  
  
@@ -46,6 +49,7 @@ AggregateCreate(const char *aggName,
         char            nulls[Natts_pg_aggregate];
         Datum           values[Natts_pg_aggregate];
         Form_pg_proc proc;
+       AclResult       aclresult;
         Oid                     transfn;
         Oid                     finalfn = InvalidOid;   /* can be omitted */
         Oid                     finaltype;
@@ -100,6 +104,11 @@ AggregateCreate(const char *aggName,
         }
         ReleaseSysCache(tup);
  
+       /* Check aggregate creator has permission to call the function */
+       aclresult = pg_proc_aclcheck(transfn, GetUserId(), ACL_EXECUTE);
+       if (aclresult != ACLCHECK_OK)
+               aclcheck_error(aclresult, get_func_name(transfn));
+
         /* handle finalfn, if supplied */
         if (aggfinalfnName)
         {
@@ -116,6 +125,11 @@ AggregateCreate(const char *aggName,
                 proc = (Form_pg_proc) GETSTRUCT(tup);
                 finaltype = proc->prorettype;
                 ReleaseSysCache(tup);
+
+               /* Check aggregate creator has permission to call the function */
+               aclresult = pg_proc_aclcheck(finalfn, GetUserId(), ACL_EXECUTE);
+               if (aclresult != ACLCHECK_OK)
+                       aclcheck_error(aclresult, get_func_name(finalfn));
         }
         else
         {
diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c

index 09fdd8ec31dc008e09efe802066e6c123f8b75cf..46df1e52130fb5a6c9c4a718bd8ff9a4e41a43d9 100644 (file)
--- a/src/backend/executor/nodeAgg.c
+++ b/src/backend/executor/nodeAgg.c
@@ -56,6 +56,7 @@
  #include "access/heapam.h"
  #include "catalog/pg_aggregate.h"
  #include "catalog/pg_operator.h"
+#include "catalog/pg_proc.h"
  #include "executor/executor.h"
  #include "executor/nodeAgg.h"
  #include "miscadmin.h"
@@ -903,6 +904,33 @@ ExecInitAgg(Agg *node, EState *estate, Plan *parent)
                 peraggstate->transfn_oid = transfn_oid = aggform->aggtransfn;
                 peraggstate->finalfn_oid = finalfn_oid = aggform->aggfinalfn;
  
+               /* Check that aggregate owner has permission to call component fns */
+               {
+                       HeapTuple       procTuple;
+                       AclId           aggOwner;
+
+                       procTuple = SearchSysCache(PROCOID,
+                                                                          ObjectIdGetDatum(aggref->aggfnoid),
+                                                                          0, 0, 0);
+                       if (!HeapTupleIsValid(procTuple))
+                               elog(ERROR, "cache lookup failed for function %u",
+                                        aggref->aggfnoid);
+                       aggOwner = ((Form_pg_proc) GETSTRUCT(procTuple))->proowner;
+                       ReleaseSysCache(procTuple);
+
+                       aclresult = pg_proc_aclcheck(transfn_oid, aggOwner,
+                                                                                ACL_EXECUTE);
+                       if (aclresult != ACLCHECK_OK)
+                               aclcheck_error(aclresult, get_func_name(transfn_oid));
+                       if (OidIsValid(finalfn_oid))
+                       {
+                               aclresult = pg_proc_aclcheck(finalfn_oid, aggOwner,
+                                                                                        ACL_EXECUTE);
+                               if (aclresult != ACLCHECK_OK)
+                                       aclcheck_error(aclresult, get_func_name(finalfn_oid));
+                       }
+               }
+
                 fmgr_info(transfn_oid, &peraggstate->transfn);
                 if (OidIsValid(finalfn_oid))
                         fmgr_info(finalfn_oid, &peraggstate->finalfn);
author	Tom Lane <[email protected]>
	Thu, 27 Jan 2005 23:43:45 +0000 (23:43 +0000)
committer	Tom Lane <[email protected]>
	Thu, 27 Jan 2005 23:43:45 +0000 (23:43 +0000)
src/backend/catalog/pg_aggregate.c		patch \| blob \| blame \| history
src/backend/executor/nodeAgg.c		patch \| blob \| blame \| history