Обсуждение: about permissions
hi! First short explanation: I create application in php. In scripts I need sometimes check if user has permissions to for example update values in some table So question: How should looks my queryi like? I mean something like select pg_class.relacl where relname='cust' and pg_class.relacl[2]='my_user=arwR'; (this query doesn't work) and another difficult problem: I don't know what place in relacl array is occupied by permissions for my user and of course can't check for string 'myuser=arwR' cause permissions could be 'arw', 'ar', 'r'. Naturally I can solve this by taking whole array and processing data in php, but I could be really fine to solve this inside postgresTIARem -------------------------------------------------------------------*------------ Remigiusz Sokolowski e-mail: rems@gdansk.sprint.pl * * -----------------------------------------------------------------*****----------
Remigiusz Sokolowski wrote:
>
> hi!
> First short explanation:
> I create application in php. In scripts I need sometimes check if user has
> permissions to for example update values in some table
>
> So question:
> How should looks my queryi like?
>
> I mean something like
> select pg_class.relacl where relname='cust' and
> pg_class.relacl[2]='my_user=arwR'; (this query doesn't work)
>
> and another difficult problem:
> I don't know what place in relacl array is occupied by permissions for my
> user and of course can't check for string 'myuser=arwR' cause permissions
> could be 'arw', 'ar', 'r'.
> Naturally I can solve this by taking whole array and processing data in
> php, but
> I could be really fine to solve this inside postgres
You can compile+install PL/Tcl in your database and use the
function I've included at the end. It's usage is:
--
-- PL/Tcl function to verify if a user has specific permissions
-- on a relation.
--
-- Usage: check_permission(relname,username,perms)
--
-- perms is a string consisting of any combination of the
-- characters a,r,w and R (R means RULE permission).
--
-- Returns: true if user has ALL permissions
-- false if at least one permission is missing
--
-- Exceptions: generates an error if the relation or it's owner
-- aren't found in the system catalogs
--
The perms string can be given in any order, so 'awr' is equal
to 'raw'. It follows the PostgreSQL semantics where
superusers bypass all access restrictions, a user not
explicitly listed in the acl has the rights of the public
entry and if there is no acl at all, only the owner has full
rights.
It does NOT handle group permissions up to now. You didn't
told that you need this functionality too.
Hope that solves your problem.
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#======================================== jwieck@debis.com (Jan Wieck) #
I wrote:
> You can compile+install PL/Tcl in your database and use the
> function I've included at the end. It's usage is:
But forgot to include it :-)
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#======================================== jwieck@debis.com (Jan Wieck) #
begin 644 chkperm.sql
M+2T*+2T@4$PO5&-L(&9U;F-T:6]N('1O('9E<FEF>2!I9B!A('5S97(@:&%S
M('-P96-I9FEC('!E<FUI<W-I;VYS"BTM(&]N(&$@<F5L871I;VXN"BTM"BTM
M(%5S86=E.B`@("`@(&-H96-K7W!E<FUI<W-I;VXH<F5L;F%M92QU<V5R;F%M
M92QP97)M<RD*+2T@("`@("`@(`HM+2`@("`@("`@("`@("!P97)M<R!I<R!A
M('-T<FEN9R!C;VYS:7-T:6YG(&]F(&%N>2!C;VUB:6YA=&EO;B!O9B!T:&4*
M+2T@("`@("`@("`@("`@8VAA<F%C=&5R<R!A+'(L=R!A;F0@4B`H4B!M96%N
M<R!254Q%('!E<FUI<W-I;VXI+@HM+0HM+2!2971U<FYS.B`@("!T<G5E(&EF
M('5S97(@:&%S($%,3"!P97)M:7-S:6]N<PHM+2`@("`@("`@("`@("!F86QS
M92!I9B!A="!L96%S="!O;F4@<&5R;6ES<VEO;B!I<R!M:7-S:6YG"BTM"BTM
M($5X8V5P=&EO;G,Z(&=E;F5R871E<R!A;B!E<G)O<B!I9B!T:&4@<F5L871I
M;VX@;W(@:70G<R!O=VYE<@HM+2`@("`@("`@("`@("!A<F5N)W0@9F]U;F0@
M:6X@=&AE('-Y<W1E;2!C871A;&]G<PHM+0I#4D5!5$4@1E5.0U1)3TX@8VAE
M8VM?<&5R;6ES<VEO;B`H;F%M92P@;F%M92P@=&5X="D@4D5455).4R!B;V]L
M($%3("<*"2,*"2,@3VX@9FER<W0@8V%L;"!C<F5A=&4@82!P<F5P87)E9"!P
M;&%N(&9O<B!T:&4@;&]O:W5P"@DC"@EI9B![(5MI;F9O(&5X:7-T<R!'1%U]
M('L*"0ES970@1T0H<&QA;BD@6W-P:5]P<F5P87)E"0D)"0D)"5Q<"@D)"2)3
M14Q%0U0@0RYR96QA8VP@05,@86-L+"!5+G5S96YA;64@05,@;W=N97(L"5Q<
M"@D)"0E5+G5S97-U<&5R($%3('-U<&5R=7-E<@D)"0D)"5Q<"@D)"0E&4D]-
M('!G7V-L87-S($,L('!G7W5S97(@50D)"0D)7%P*"0D)"5=(15)%($,N<F5L
M;F%M92`](%Q<)#$)"0D)"0E<7`H)"0D)("!!3D0@0RYR96QO=VYE<B`](%4N
M=7-E<WES:60B"0D)"5Q<"@D)"7MN86UE?5T*"7T*"@DC"@DC($=E="!R96QA
M=&EO;B!O=VYE<BP@86-L(&QI<W0@86YD(&EF('5S97(@:7,@82!S=7!E<G5S
M97(*"2,*"7-E="!N(%MS<&E?97AE8W`@+6-O=6YT(#$@)$=$*'!L86XI(%ML
M:7-T("0Q75T*"6EF('LD;B`A/2`Q?2!["@D)96QO9R!%4E)/4B`B<F5L871I
M;VX@)#$@;W(@=7-E<B`D,B!D;V5S(&YO="!E>&ES="(*"7T*"@DC"@DC(%-U
M<&5R=7-E<G,@8GEP87-S(&%L;"!P97)M:7-S:6]N<PH)(PH):68@>UMS=')I
M;F<@8V]M<&%R92`D<W5P97)U<V5R(")T(ET@/3T@,'T@>PH)"7)E='5R;B!T
M"@E]"@H)(PH)(R!)9B!T:&5R92!I<R!N;R!A8VP@;&ES="!T:&4@;W=N97(@
M:&%S(&9U;&P@<FEG:'1S"@DC"@EI9B![(5MI;F9O(&5X:7-T<R!A8VQ=?2![
M"@D):68@>UMS=')I;F<@8V]M<&%R92`D;W=N97(@)#)=(#T](#!]('L*"0D)
M<F5T=7)N('0*"0E](&5L<V4@>PH)"0ER971U<FX@9@H)"7T*"7T*"@DC"@DC
M($EN('1H92!L;V]P(&)E;&]W+"!P=6)L:6,@:7,@=')E871E9"!A<R!E;7!T
M>2!U<V5R(&YA;64*"2,@<V\@:70@=VEL;"!M871C:"!T:&4@(CTN+BXB(&5N
M=')Y(&EN('1H92!A8VP@;&ES="X*"2,*"6EF('M;<W1R:6YG(&-O;7!A<F4@
M)#(@(G!U8FQI8R)=(#T](#!]('L*"0ES970@,B`B(@H)?0H*"2,*"2,@4F5M
M;W9E('1H92!S=7)R;W5N9&EN9R!C=7)L>2!B<F%C97,@9G)O;2!T:&4@86-L
M(&QI<W0*"2,*"7)E9W-U8B`B7EQ<>R(@)&%C;"`B(B!A8VP*"7)E9W-U8B`B
M7%Q]7%PD(B`D86-L("(B(&%C;`H*"2,*"2,@17AT<F%C="!T:&4@86-L(&5N
M=')Y('=E(&QO;VL@9F]R(&%N9"!R96UE;6)E<B!P=6)L:6,*"2,@<&5R;6ES
M<VEO;G,@;VX@=&AE(&9L>0H)(PH)<V5T('!U8FQI8R`B(@H)<V5T('!E<FUS
M("`B(@H)<V5T(&9O=6YD("`P"@EF;W)E86-H(&%C;&4@6W-P;&ET("1A8VP@
M+%T@>PH)"6EF('M;<F5G97AP(")<7"(H7%Q;7CU<7%TJ*3TH7%Q;7EQ<(EQ<
M72HI7%PB(B`D86-L92![?2!U('!=?2!["@D)"6EF('M;<W1R:6YG(&-O;7!A
M<F4@)'4@(B)=(#T](#!]('L*"0D)"7-E="!P=6)L:6,@)'`*"0D)?0H)"0EI
M9B![6W-T<FEN9R!C;VUP87)E("1U("0R72`]/2`P?2!["@D)"0ES970@<&5R
M;7,@)'`*"0D)"7-E="!F;W5N9"`Q"@D)"0EB<F5A:PH)"0E]"@D)?0H)?0H)
M:68@>R$D9F]U;F1]('L*"0ES970@<&5R;7,@)'!U8FQI8PH)?0H*"2,*"2,@
M3F]W(&-H96-K('1H870@86QL('1H92!R97%U97-T960@;6]D97,@87)E('-E
M=`H)(PH)9F]R96%C:"!C:&L@6W-P;&ET("0S("(B72!["@D):68@>UMS=')I
M;F<@9FER<W0@)&-H:R`D<&5R;7-=(#P@,'T@>PH)"0ER971U<FX@9@H)"7T*
M"7T*"@DC(`H)(R!!;&P@;6]D97,@<V5T("T@=7-E<B!H87,@=&AE(')E<75E
M<W1E9"!P97)M:7-S:6]N<PH)(PH)<F5T=7)N('0*)R!,04Y'54%'12`G<&QT
&8VPG.PH*
`
end
> I wrote: > > > You can compile+install PL/Tcl in your database and use the > > function I've included at the end. It's usage is: > > But forgot to include it :-) > > > Jan > thanks - I'll try it. You mention about checking also group permissions - here question, cause I need it also. When postgres checks permissions of any user, I mean, it checks for example firstly if this user has permissions to table and after searches for groups in which this user is listed and checks permissions of this groups - are there any functions to do this? Sorry for querying You about simple things, but I really know very little about programmingRem -------------------------------------------------------------------*------------ Remigiusz Sokolowski e-mail: rems@gdansk.sprint.pl * * -----------------------------------------------------------------*****----------
> > You can compile+install PL/Tcl in your database and use the > function I've included at the end. It's usage is: > Could You point me where to find sources of PL/Tcl? I search for it, but without result (I need it for 6.3.2 ver) I don't look at distribution - is there those ?TIARem -------------------------------------------------------------------*------------ Remigiusz Sokolowski e-mail: rems@gdansk.sprint.pl * * -----------------------------------------------------------------*****----------