On Mon, Jul 08, 2024 at 04:39:21PM -0700, Jeff Davis wrote:
> On Sun, 2024-06-30 at 15:30 -0700, Noah Misch wrote:
> > You're caching the result of object_aclcheck(NamespaceRelationId,
> > ...), so
> > pg_auth_members changes
>
> Thank you for the report.
>
> Question: to check for changes to pg_auth_members, it seems like either
> AUTHMEMROLEMEM or AUTHMEMMEMROLE work, and to use both would be
> redundant. Am I missing something, or should I just pick one
> arbitrarily (or by some convention)?
One suffices. initialize_acl() is the only other place that invals on this
catalog, so consider it a fine convention to mimic.
> > and pg_database changes also need to invalidate this
> > cache. (pg_database affects the ACL_CREATE_TEMP case in
> > pg_namespace_aclmask_ext()
>
> I am having trouble finding an actual problem with ACL_CREATE_TEMP.
> search_path ACL checks are normally bypassed for the temp namespace, so
> it can only happen when the actual temp namespace name (e.g.
> pg_temp_NNN) is explicitly included. In that case, the mask is
> ACL_USAGE, so the two branches in pg_namespace_aclmask_ext() are
> equivalent, right?
I don't know.
> This question is not terribly important for the fix, because
> invalidating for each pg_database change is still necessary as you
> point out
