| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | hkauchi(at)gmail(dot)com |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #14613: Referencing foreign key needs privileges of table owner? |
| Date: | 2017-04-06 03:00:36 |
| Message-ID: | 14343.1491447636@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
hkauchi(at)gmail(dot)com writes:
> create role user1;
> create role user2 login;
> create table table1(id int primary key);
> create table table2(id int primary key, table1_id integer references
> table1(id));
> alter table table1 owner to user1;
> alter table table2 owner to user2;
> grant select,insert,update,delete on table1 to user2;
> grant select,insert,update,delete on table2 to user2;
> revoke all on schema public from public; // To prevent creation of
> objects.
You realize that that's much more draconian than needed to prevent
creation of objects? In particular, you've left user1 unable to
reference the table it owns, which hardly seems like a useful
arrangement.
> test=# insert into table2(id, table1_id) values(1,1);
> ERROR: permission denied for schema public
> LINE 1: SELECT 1 FROM ONLY "public"."table1" x WHERE "id" OPERATOR(p...
> ^
> QUERY: SELECT 1 FROM ONLY "public"."table1" x WHERE "id"
> OPERATOR(pg_catalog.=) $1 FOR KEY SHARE OF x
This is not a bug. That foreign key check query is executed as the owner
of table1. If it were not, you'd probably be complaining about some
other permissions problem.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Hisahiro Kauchi | 2017-04-06 03:32:05 | Re: BUG #14613: Referencing foreign key needs privileges of table owner? |
| Previous Message | hkauchi | 2017-04-06 02:09:41 | BUG #14613: Referencing foreign key needs privileges of table owner? |