Fix an ALTER GROUP ... DROP USER error message.
authorNathan Bossart <nathan@postgresql.org>
Thu, 9 Jan 2025 23:10:13 +0000 (17:10 -0600)
committerNathan Bossart <nathan@postgresql.org>
Thu, 9 Jan 2025 23:10:13 +0000 (17:10 -0600)
This error message stated the privileges required to add a member
to a group even if the user was trying to drop a member:

postgres=> alter group a drop user b;
ERROR:  permission denied to alter role
DETAIL:  Only roles with the ADMIN option on role "a" may add members.

Since the required privileges for both operations are the same, we
can fix this by modifying the message to mention both adding and
dropping members:

postgres=> alter group a drop user b;
ERROR:  permission denied to alter role
DETAIL:  Only roles with the ADMIN option on role "a" may add or drop members.

Author: ChangAo Chen
Reviewed-by: Tom Lane
Discussion: https://postgr.es/m/tencent_FAA0D00E3514AAF0BBB6322542A6094FEF05%40qq.com
Backpatch-through: 16

src/backend/commands/user.c
src/test/regress/expected/privileges.out
src/test/regress/sql/privileges.sql

index c75cde2e8e1bdc747df02384b9600b8609d88564..e204eb5e5d1458eccba9bef27f2015624e462351 100644 (file)
@@ -817,12 +817,12 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
                                                           "BYPASSRLS", "BYPASSRLS")));
        }
 
-       /* To add members to a role, you need ADMIN OPTION. */
+       /* To add or drop members, you need ADMIN OPTION. */
        if (drolemembers && !is_admin_of_role(currentUserId, roleid))
                ereport(ERROR,
                                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                                 errmsg("permission denied to alter role"),
-                                errdetail("Only roles with the %s option on role \"%s\" may add members.",
+                                errdetail("Only roles with the %s option on role \"%s\" may add or drop members.",
                                                   "ADMIN", rolename)));
 
        /* Convert validuntil to internal form */
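Review bot: The reworded comment still leaves unexplained why one guard on `drolemembers` is enough for both operations; a reader has to already know that ADD USER and DROP USER both arrive through the rolemembers option and differ only in the statement's action. Suggest `/* To add or drop members (both arrive via the rolemembers option), you need ADMIN OPTION. */` so the comment matches the new errdetail wording and states the reason the single check is sufficient. I am inferring the option routing from the variable name and the message text; the code that applies the add or drop is outside the hunk. AlterRole begins and ends outside the hunk.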
index 1296da0d5799e7b2b472685887d6292b5a43383a..e8c668e0a11f7e5a7504e0fd6867f27161aa8335 100644 (file)
@@ -216,6 +216,13 @@ CREATE GROUP regress_priv_group1;
 CREATE GROUP regress_priv_group2 WITH ADMIN regress_priv_user1 USER regress_priv_user2;
 ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;
 GRANT regress_priv_group2 TO regress_priv_user2 GRANTED BY regress_priv_user1;
+SET SESSION AUTHORIZATION regress_priv_user3;
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;   -- fail
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the ADMIN option on role "regress_priv_group2" may add or drop members.
+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2;  -- fail
+ERROR:  permission denied to alter role
+DETAIL:  Only roles with the ADMIN option on role "regress_priv_group2" may add or drop members.
 SET SESSION AUTHORIZATION regress_priv_user1;
 ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;
 NOTICE:  role "regress_priv_user2" has already been granted membership in role "regress_priv_group2" by role "regress_priv_user1"
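Review bot: The new negative case only exercises regress_priv_user3, which from the context above (group2 created WITH ADMIN regress_priv_user1, regress_priv_user2 granted membership without ADMIN) appears to have no relationship to the group at all, so nothing here pins that plain membership without the ADMIN option is equally insufficient for DROP USER. Adding `SET SESSION AUTHORIZATION regress_priv_user2;` followed by `ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2;  -- fail` to the privileges.sql hunk below, with the matching ERROR/DETAIL pair in this expected file, would cover that path, and the existing NOTICE on the later ADD USER would then also confirm the membership survived. Whether regress_priv_user3 holds any grant on the group is decided by setup outside this hunk, so the gap is inferred rather than certain.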
index 5880bc018deab08478ad9a697125f830b806f89f..b7e1cb6cdde9f0d88deb8515d9802cee1a167b74 100644 (file)
@@ -169,6 +169,9 @@ CREATE GROUP regress_priv_group2 WITH ADMIN regress_priv_user1 USER regress_priv
 ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;
 
 GRANT regress_priv_group2 TO regress_priv_user2 GRANTED BY regress_priv_user1;
+SET SESSION AUTHORIZATION regress_priv_user3;
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;   -- fail
+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2;  -- fail
 SET SESSION AUTHORIZATION regress_priv_user1;
 ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;
 ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;   -- duplicate