Do not treat a superuser as a member of every role for HBA purposes.
This makes it possible to use reject lines with group roles. Andrew Dunstan, reviewd by Robert Haas.
This commit is contained in:
parent
3b06105c7d
commit
94cd0f1ad8
@ -210,7 +210,10 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
|
||||
in <productname>PostgreSQL</>; a <literal>+</> mark really means
|
||||
<quote>match any of the roles that are directly or indirectly members
|
||||
of this role</>, while a name without a <literal>+</> mark matches
|
||||
only that specific role.)
|
||||
only that specific role.) For this purpose, a superuser is only
|
||||
considered to be a member of a role if they are explicitly a member
|
||||
of the role, directly or indirectly, and not just by virtue of
|
||||
being a superuser.
|
||||
Multiple user names can be supplied by separating them with commas.
|
||||
A separate file containing user names can be specified by preceding the
|
||||
file name with <literal>@</>.
|
||||
|
@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
|
||||
if (!OidIsValid(roleid))
|
||||
return false; /* if target role not exist, say "no" */
|
||||
|
||||
/* See if user is directly or indirectly a member of role */
|
||||
return is_member_of_role(userid, roleid);
|
||||
/*
|
||||
* See if user is directly or indirectly a member of role.
|
||||
* For this purpose, a superuser is not considered to be automatically
|
||||
* a member of the role, so group auth only applies to explicit
|
||||
* membership.
|
||||
*/
|
||||
return is_member_of_role_nosuper(userid, roleid);
|
||||
}
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user