Re: User with BYPASSRLS privilege can't change password - Mailing list pgsql-bugs

From Tom Lane
Subject Re: User with BYPASSRLS privilege can't change password
Date
Msg-id 958390.1604427443@sss.pgh.pa.us
Whole thread Raw
In response to User with BYPASSRLS privilege can't change password  (Wolfgang Walther <walther@technowledgy.de>)
List pgsql-bugs
Stephen Frost <sfrost@snowman.net> writes:
>> @@ -739,7 +741,6 @@ AlterRole(AlterRoleStmt *stmt)
>>             createrole < 0 &&
>>             createdb < 0 &&
>>             canlogin < 0 &&
>> -             isreplication < 0 &&
>>             !dconnlimit &&
>>             !rolemembers &&
>>             !validUntil &&

> This seems like an independent change..?  Not saying it's wrong though.

That test is redundant, since we wouldn't be in this path at all if
isreplication >= 0.  You could alternatively argue that this should
redundantly test all three of issuper, isreplication, and bypassrls;
but testing just one of them is confusing and hence bug-prone.

            regards, tom lane



pgsql-bugs by date:

Previous
From: Wolfgang Walther
Date:
Subject: Re: User with BYPASSRLS privilege can't change password
Next
From: Tom Lane
Date:
Subject: Re: User with BYPASSRLS privilege can't change password