On Tue, Oct 19, 2021 at 9:15 AM tanghy.fnst@fujitsu.com
<tanghy.fnst@fujitsu.com> wrote:
>
> On Monday, October 18, 2021 8:23 PM vignesh C <vignesh21@gmail.com> wrote:
> >
> > Thanks for the comments, the attached v42 patch has the fixes for the same.
>
> Thanks for your new patch.
>
> I tried your patch and found that the permission check for superuser didn't work.
>
> For example:
> postgres=# create role r1;
> CREATE ROLE
> postgres=# grant all privileges on database postgres to r1;
> GRANT
> postgres=# set role r1;
> SET
> postgres=> create schema s1;
> CREATE SCHEMA
> postgres=> create publication pub for all tables in schema s1;
> CREATE PUBLICATION
>
> Role r1 is not superuser, but this role could create publication for all tables in schema
> successfully, I think it is related the following change. List schemaidlist was
> not assigned yet. I think we should check it later.
>
> @@ -165,6 +265,12 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt)
> (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> errmsg("must be superuser to create FOR ALL TABLES publication")));
>
> + /* FOR ALL TABLES IN SCHEMA requires superuser */
> + if (list_length(schemaidlist) > 0 && !superuser())
> + ereport(ERROR,
> + errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> + errmsg("must be superuser to create FOR ALL TABLES IN SCHEMA publication"));
> +
> rel = table_open(PublicationRelationId, RowExclusiveLock);
>
> /* Check if name is used */
This issue got induced in the v42 version, attached v43 patch has the
fixes for the same.
Regards,
Vignesh
