mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Restrict CREATE OPERATOR CLASS to superusers, per discussion some weeks

Browse Source 
ago.
This commit is contained in:
Tom Lane 2002-10-04 22:19:29 +00:00
parent d2db166c75
commit 916d8164df
2 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/src/sgml/ref/create_opclass.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_opclass.sgml,v 1.3 2002/09/21 18:32:54 petere Exp $ $Header: /cvsroot/pgsql/doc/src/sgml/ref/create_opclass.sgml,v 1.4 2002/10/04 22:19:29 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
@ -209,9 +209,10 @@ CREATE OPERATOR CLASS
are for different index access methods. are for different index access methods.
</para> </para>
<para> <para>
The user who defines an operator class becomes its owner. The user The user who defines an operator class becomes its owner. Presently,
must own the data type for which the operator class is being defined, the creating user must be a superuser. (This restriction is made because
and must have execute permission for all referenced operators and functions. an erroneous operator class definition could confuse or even crash the
server.)
</para> </para>
<para> <para>

15
src/backend/commands/opclasscmds.c
View File

@ -9,7 +9,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/commands/opclasscmds.c,v 1.5 2002/09/04 20:31:15 momjian Exp $ * $Header: /cvsroot/pgsql/src/backend/commands/opclasscmds.c,v 1.6 2002/10/04 22:19:29 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -96,12 +96,25 @@ DefineOpClass(CreateOpClassStmt *stmt)
ReleaseSysCache(tup); ReleaseSysCache(tup);
/*
* Currently, we require superuser privileges to create an opclass.
* This seems necessary because we have no way to validate that the
* offered set of operators and functions are consistent with the AM's
* expectations. It would be nice to provide such a check someday,
* if it can be done without solving the halting problem :-(
*/
if (!superuser())
elog(ERROR, "Must be superuser to create an operator class");
/* Look up the datatype */ /* Look up the datatype */
typeoid = typenameTypeId(stmt->datatype); typeoid = typenameTypeId(stmt->datatype);
#ifdef NOT_USED
/* XXX this is unnecessary given the superuser check above */
/* Check we have ownership of the datatype */ /* Check we have ownership of the datatype */
if (!pg_type_ownercheck(typeoid, GetUserId())) if (!pg_type_ownercheck(typeoid, GetUserId()))
aclcheck_error(ACLCHECK_NOT_OWNER, format_type_be(typeoid)); aclcheck_error(ACLCHECK_NOT_OWNER, format_type_be(typeoid));
#endif
/* Storage datatype is optional */ /* Storage datatype is optional */
storageoid = InvalidOid; storageoid = InvalidOid;