On Sun, 2024-06-30 at 15:30 -0700, Noah Misch wrote:
> You're caching the result of object_aclcheck(NamespaceRelationId, ...), so
> pg_auth_members changes
Thank you for the report.
Question: to check for changes to pg_auth_members, it seems like either
AUTHMEMROLEMEM or AUTHMEMMEMROLE works, and to use both would be
redundant. Am I missing something, or should I just pick one
arbitrarily (or by some convention)?
> and pg_database changes also need to invalidate this
> cache. (pg_database affects the ACL_CREATE_TEMP case in
> pg_namespace_aclmask_ext()
I am having trouble finding an actual problem with ACL_CREATE_TEMP.
search_path ACL checks are normally bypassed for the temp namespace, so
it can only happen when the actual temp namespace name (e.g.
pg_temp_NNN) is explicitly included. In that case, the mask is
ACL_USAGE, so the two branches in pg_namespace_aclmask_ext() are
equivalent, right?
This question is not terribly important for the fix, because
invalidating for each pg_database change is still necessary as you
point out here:
> and affects ROLE_PG_DATABASE_OWNER membership.)
Another good catch, thank you.
Patch attached. Contains a bit of cleanup and is intended for 17+18.
Regards,
Jeff Davis
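As an added illustration (not code from this thread or from PostgreSQL), here is a small Python model of the point under discussion: a cached namespace ACL answer depends on pg_auth_members (role membership) and pg_database (who is pg_database_owner) as well as on pg_namespace, so invalidating only on pg_namespace changes lets a revoked grant keep working. All class and function names, the schema "app" and the roles are hypothetical, and the per-catalog counters stand in for syscache invalidation events.

```python
class Catalogs:
    """Toy catalogs (not PostgreSQL code); touch() bumps a per-catalog change counter."""
    def __init__(self):
        self.nsp_acl = {}    # schema -> roles granted USAGE (pg_namespace.nspacl)
        self.members = {}    # role -> roles it is a direct member of (pg_auth_members)
        self.datdba = None   # owner of the current database (pg_database.datdba)
        self.version = {"pg_namespace": 0, "pg_auth_members": 0, "pg_database": 0}
    def touch(self, catalog):
        self.version[catalog] += 1

def effective_roles(cat, role):
    """role plus all roles it is transitively a member of; the database owner
    is implicitly a member of pg_database_owner."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(cat.members.get(r, ()))
            todo.extend(["pg_database_owner"] if r == cat.datdba else [])
    return seen

class AclCache:
    """Caches 'does role hold USAGE on schema'; an entry is reused only while
    none of the 'watched' catalogs has changed since it was computed."""
    def __init__(self, cat, watched):
        self.cat, self.watched, self.entries = cat, tuple(watched), {}
    def has_usage(self, role, schema):
        stamp = tuple(self.cat.version[c] for c in self.watched)
        hit = self.entries.get((role, schema))
        if hit is None or hit[0] != stamp:  # miss, or a watched catalog changed
            granted = self.cat.nsp_acl.get(schema, set())
            hit = (stamp, bool(effective_roles(self.cat, role) & granted))
            self.entries[(role, schema)] = hit
        return hit[1]

def stale_vs_fixed(cat, role, schema, mutate):
    """Populate a pg_namespace-only cache and one watching all three catalogs,
    apply mutate(cat), and return (buggy answer, fixed answer)."""
    buggy = AclCache(cat, ["pg_namespace"])
    fixed = AclCache(cat, ["pg_namespace", "pg_auth_members", "pg_database"])
    buggy.has_usage(role, schema); fixed.has_usage(role, schema)  # both now cached
    mutate(cat)
    return buggy.has_usage(role, schema), fixed.has_usage(role, schema)

def demo():
    """bob holds USAGE on app only via app_admins; REVOKE that membership (pg_auth_members only)."""
    cat = Catalogs()
    cat.nsp_acl["app"] = {"app_admins"}; cat.touch("pg_namespace")
    cat.members["bob"] = {"app_admins"}; cat.touch("pg_auth_members")
    def revoke(c): c.members["bob"] = set(); c.touch("pg_auth_members")
    return stale_vs_fixed(cat, "bob", "app", revoke)  # -> (True, False)
```

The same helper shows the pg_database case: grant USAGE to pg_database_owner, cache a denial for a role, then change the database owner to that role; only the cache that watches pg_database notices.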