*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.105.4.4 2008/01/03 21:25:00 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.105.4.5 2009/09/03 22:08:54 tgl Exp $
*
*-------------------------------------------------------------------------
*/
/* not a saved ID, so look it up */
HeapTuple userTup;
- if (InSecurityDefinerContext())
- {
- /*
- * Disallow SET SESSION AUTHORIZATION inside a security definer
- * context. We need to do this because when we exit the context,
- * GUC won't be notified, leaving things out of sync. Note that
- * this test is positioned so that restoring a previously saved
- * setting isn't prevented.
- */
- if (source >= PGC_S_INTERACTIVE)
- ereport(ERROR,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("cannot set session authorization within security-definer function")));
- return NULL;
- }
-
if (!IsTransactionState())
{
/*
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.252.4.5 2008/05/26 18:54:59 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.252.4.6 2009/09/03 22:08:54 tgl Exp $
*
*--------------------------------------------------------------------
*/
{"session_authorization", PGC_USERSET, UNGROUPED,
gettext_noop("Sets the session user name."),
NULL,
- GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_DEF
},
&session_authorization_string,
NULL, assign_session_authorization, show_session_authorization
break;
}
+ /*
+ * Disallow changing GUC_NOT_WHILE_SEC_DEF values if we are inside a
+ * security-definer function. We can reject this regardless of
+ * the context or source, mainly because sources that it might be
+ * reasonable to override for won't be seen while inside a function.
+ *
+ * Note: variables marked GUC_NOT_WHILE_SEC_DEF should probably be marked
+ * GUC_NO_RESET_ALL as well, because ResetAllOptions() doesn't check this.
+ *
+ * Note: this flag is currently used for "session_authorization".
+ * We need to prohibit this because when we exit the sec-def
+ * context, GUC won't be notified, leaving things out of sync.
+ *
+ * XXX it would be nice to allow these cases in future, with the behavior
+ * being that the SET's effects end when the security definer context is
+ * exited.
+ */
+ if ((record->flags & GUC_NOT_WHILE_SEC_DEF) && InSecurityDefinerContext())
+ {
+ ereport(elevel,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("cannot set parameter \"%s\" within security-definer function",
+ name)));
+ return false;
+ }
+
/*
* Should we set reset/stacked values? (If so, the behavior is not
* transactional.)
*
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
*
- * $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.19.4.1 2006/02/12 22:33:14 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/utils/guc_tables.h,v 1.19.4.2 2009/09/03 22:08:54 tgl Exp $
*
*-------------------------------------------------------------------------
*/
#define GUC_SUPERUSER_ONLY 0x0100 /* show only to superusers */
#define GUC_IS_NAME 0x0200 /* limit string to NAMEDATALEN-1 */
+#define GUC_NOT_WHILE_SEC_DEF 0x8000 /* can't change inside sec-def func */
+
/* bit values in status field */
#define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */
#define GUC_HAVE_LOCAL 0x0002 /* a SET LOCAL has been executed */
projects / thirdparty / postgresql.git / commitdiff
