From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Wolfgang Walther <walther(at)technowledgy(dot)de>, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: User with BYPASSRLS privilege can't change password |
Date: | 2020-11-03 18:58:39 |
Message-ID: | CAKFQuwavcOMqc3GqiR9GtHRxVVtUC_9_Eo-mZpwBqPxDiShD5Q@mail.gmail.com |
Lists: | pgsql-bugs |
On Tue, Nov 3, 2020 at 11:06 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> > diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
> > index 9ce9a66921..5cd479a649 100644
> > --- a/src/backend/commands/user.c
> > +++ b/src/backend/commands/user.c
> > @@ -709,8 +709,10 @@ AlterRole(AlterRoleStmt *stmt)
> > roleid = authform->oid;
> >
> > /*
> > - * To mess with a superuser you gotta be superuser; else you need
> > - * createrole, or just want to change your own password
> > + * To mess with a superuser or replication role in any way you
> gotta be
> > + * superuser. We also insist on superuser to change the BYPASSRLS
> > + * property. Otherwise, if you don't have createrole, you're only
> allowed
> > + * to change your own password.
> > */
> > if (authform->rolsuper || issuper >= 0)
> > {
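Review bot: The rewritten comment says superuser is required "to change the BYPASSRLS property", but the condition this patch leaves in the later branch is `bypassrls >= 0`, which is true whenever the option appears in the ALTER ROLE statement, whether or not the stored value would actually change. Suggest wording the comment as "to specify the BYPASSRLS option" so it describes the check as written. If only real changes are meant to be restricted, the check would need to compare the requested value against `authform->rolbypassrls` instead.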
> > @@ -726,7 +728,7 @@ AlterRole(AlterRoleStmt *stmt)
> >
> (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> > errmsg("must be superuser to
> alter replication users")));
> > }
> > - else if (authform->rolbypassrls || bypassrls >= 0)
> > + else if (bypassrls >= 0)
> > {
> > if (!superuser())
> > ereport(ERROR,
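Review bot: Dropping `authform->rolbypassrls` from the `else if` fixes the self-service password case, but it also means this branch no longer looks at the target role at all. A non-superuser with CREATEROLE can then alter other attributes, including the password, of a role that already has BYPASSRLS, while superuser targets stay protected by `authform->rolsuper` in the first branch. Please confirm that this asymmetry is intended and state it in the comment above. The quoted patch touches only user.c, so a regression test is also worth adding that covers a BYPASSRLS role changing its own password and a non-superuser being refused when the statement names the BYPASSRLS option.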
>
> This change looks correct, we shouldn't be worrying about what's already
> been set on the role.
>
>
Is the nuance that in reality a non-superuser cannot specify BypassRLS even
if the effective value is unchanged unimportant here?
David J.