Discussion: CREATE OPERATOR query
Hi,
While trying to create regression tests for CREATE OPERATOR, I am able to create an operator despite not having USAGE / ALL access to the given argument type. Shouldn't the following SQL throw an error?
BEGIN TRANSACTION;
CREATE ROLE rol_op3;
CREATE TYPE type_op3 AS ENUM ('new', 'open', 'closed');
CREATE FUNCTION fn_op3(type_op3, type_op3)
RETURNS type_op3 AS $$
SELECT NULL::type_op3;
$$ LANGUAGE sql IMMUTABLE;
REVOKE ALL ON TYPE type_op3 FROM rol_op3;
SET ROLE rol_op3;
CREATE OPERATOR #*# (
leftarg = type_op3,
rightarg = type_op3,
procedure = fn_op3
);
RESET ROLE;
ROLLBACK;
This is what the doc says:
> To be able to create an operator, you must have USAGE privilege on the argument types and the return type, as well as EXECUTE privilege on the underlying function. If a commutator or negator operator is specified, you must own these operators.
Any pointers would be helpful.
Thanks
--
Robins Tharakan
Further, I seem to have a similar problem with the EXECUTE check requirement as well.
Sample SQL given below.
BEGIN TRANSACTION;
CREATE ROLE rol_op3;
CREATE TYPE type_op3 AS ENUM ('new', 'open', 'closed');
CREATE FUNCTION fn_op3(type_op3, type_op3)
RETURNS type_op3 AS $$
SELECT NULL::type_op3;
$$ LANGUAGE sql IMMUTABLE;
REVOKE EXECUTE ON FUNCTION fn_op3(type_op3, type_op3) FROM rol_op3;
SET ROLE rol_op3;
CREATE OPERATOR #*# (
leftarg = type_op3,
rightarg = type_op3,
procedure = fn_op3
);
RESET ROLE;
ROLLBACK;
Thanks.
--
Robins Tharakan
On 22 May 2013 05:50, Robins Tharakan <tharakan@gmail.com> wrote:
Hi,
While trying to create regression tests for CREATE OPERATOR, I am able to create an operator despite not having USAGE / ALL access to the given argument type. Shouldn't the following SQL throw an error?
BEGIN TRANSACTION;
CREATE ROLE rol_op3;
CREATE TYPE type_op3 AS ENUM ('new', 'open', 'closed');
CREATE FUNCTION fn_op3(type_op3, type_op3)
RETURNS type_op3 AS $$
SELECT NULL::type_op3;
$$ LANGUAGE sql IMMUTABLE;
REVOKE ALL ON TYPE type_op3 FROM rol_op3;
SET ROLE rol_op3;
CREATE OPERATOR #*# (
leftarg = type_op3,
rightarg = type_op3,
procedure = fn_op3
);
RESET ROLE;
ROLLBACK;
This is what the doc says:
> To be able to create an operator, you must have USAGE privilege on the argument types and the return type, as well as EXECUTE privilege on the underlying function. If a commutator or negator operator is specified, you must own these operators.
Any pointers would be helpful.
Thanks
--
Robins Tharakan
Robins Tharakan wrote:
> Further, I seem to have a similar problem with the EXECUTE check
> requirement as well.
> Sample SQL given below.
>
> BEGIN TRANSACTION;
> CREATE ROLE rol_op3;
> CREATE TYPE type_op3 AS ENUM ('new', 'open', 'closed');
> CREATE FUNCTION fn_op3(type_op3, type_op3)
> RETURNS type_op3 AS $$
> SELECT NULL::type_op3;
> $$ LANGUAGE sql IMMUTABLE;
> REVOKE EXECUTE ON FUNCTION fn_op3(type_op3, type_op3) FROM rol_op3;
Doesn't PUBLIC still have EXECUTE permissions on this function?
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Yes, but the documentation states that EXECUTE permission for the function is required to even CREATE the operator.
This is what the doc says:
> To be able to create an operator, you must have USAGE privilege on the argument types and the return type, as well as EXECUTE privilege on the underlying function. If a commutator or negator operator is specified, you must own these operators.
Am I missing something obvious here?
--
Robins Tharakan
On 22 May 2013 07:12, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
Robins Tharakan wrote:
> Further, I seem to have a similar problem with the EXECUTE check
> requirement as well.
> Sample SQL given below.
>
> BEGIN TRANSACTION;
> CREATE ROLE rol_op3;
> CREATE TYPE type_op3 AS ENUM ('new', 'open', 'closed');
> CREATE FUNCTION fn_op3(type_op3, type_op3)
> RETURNS type_op3 AS $$
> SELECT NULL::type_op3;
> $$ LANGUAGE sql IMMUTABLE;
> REVOKE EXECUTE ON FUNCTION fn_op3(type_op3, type_op3) FROM rol_op3;
Doesn't PUBLIC still have EXECUTE permissions on this function?
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Robins Tharakan wrote:
> Yes, but the documentation states that EXECUTE permission for the function
> is required to even CREATE the operator.
What I mean is that your new role still has said permission through
PUBLIC (a pseudo-role which is automatically granted to all other roles
and cannot be revoked), even if you revoke it directly.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
Makes perfect sense. Thanks and appreciate a prompt response.
Would update the tests accordingly.
--
Robins Tharakan
On 22 May 2013 09:03, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
Robins Tharakan wrote:
> Yes, but the documentation states that EXECUTE permission for the function
> is required to even CREATE the operator.
What I mean is that your new role still has said permission through
PUBLIC (a pseudo-role which is automatically granted to all other roles
and cannot be revoked), even if you revoke it directly.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
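An added example, not part of the original thread: a variant of the test script that removes the grants to PUBLIC, so the USAGE and EXECUTE checks quoted from the documentation are actually exercised. It goes slightly beyond the thread by treating the type case the same way, since USAGE on a new type is also granted to PUBLIC by default. Assumptions: PostgreSQL 9.2 or later (for has_type_privilege), and rol_op3 is allowed to create objects in the current schema.

```sql
BEGIN TRANSACTION;
CREATE ROLE rol_op3;
CREATE TYPE type_op3 AS ENUM ('new', 'open', 'closed');
CREATE FUNCTION fn_op3(type_op3, type_op3)
RETURNS type_op3 AS $$
    SELECT NULL::type_op3;
$$ LANGUAGE sql IMMUTABLE;

-- Revoking from the role itself removes nothing here: rol_op3 never held a
-- direct grant, and the default grants to PUBLIC are left untouched.
REVOKE EXECUTE ON FUNCTION fn_op3(type_op3, type_op3) FROM rol_op3;
REVOKE ALL ON TYPE type_op3 FROM rol_op3;

-- Effective privileges, including anything inherited through PUBLIC.
SELECT has_function_privilege('rol_op3', 'fn_op3(type_op3, type_op3)', 'EXECUTE') AS can_execute,
       has_type_privilege('rol_op3', 'type_op3', 'USAGE') AS can_use_type;

-- Remove the default grants to PUBLIC; the owner keeps its own privileges.
REVOKE EXECUTE ON FUNCTION fn_op3(type_op3, type_op3) FROM PUBLIC;
REVOKE USAGE ON TYPE type_op3 FROM PUBLIC;

-- Same check again, now that PUBLIC no longer carries the privileges.
SELECT has_function_privilege('rol_op3', 'fn_op3(type_op3, type_op3)', 'EXECUTE') AS can_execute,
       has_type_privilege('rol_op3', 'type_op3', 'USAGE') AS can_use_type;

SET ROLE rol_op3;
-- A failed statement aborts the transaction, so wrap the attempt in a
-- savepoint to be able to continue with RESET ROLE afterwards.
SAVEPOINT before_create_operator;
CREATE OPERATOR #*# (
    leftarg = type_op3,
    rightarg = type_op3,
    procedure = fn_op3
);
ROLLBACK TO SAVEPOINT before_create_operator;
RESET ROLE;
ROLLBACK;
```

Comparing the two SELECT results shows whether a REVOKE actually changed the role's effective privileges before the CREATE OPERATOR attempt is made.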