If the grantee is the pseudo-role PUBLIC, it is represented by zero in
the <parameter>grantee</parameter> column. Each granted privilege is
represented as <literal>SELECT</literal>, <literal>INSERT</literal>,
- etc. Note that each privilege is broken out as a separate row, so
+ etc (see <xref linkend="privilege-abbrevs-table"/> for a full list).
+ Note that each privilege is broken out as a separate row, so
only one keyword appears in the <parameter>privilege_type</parameter>
column.
</para></entry>
</para>
<para>
Constructs an <type>aclitem</type> with the given properties.
+ <parameter>privileges</parameter> is a comma-separated list of
+ privilege names such as <literal>SELECT</literal>,
+ <literal>INSERT</literal>, etc, all of which are set in the
+ result. (Case of the privilege string is not significant, and
+ extra whitespace is allowed between but not within privilege
+ names.)
</para></entry>
</row>
</tbody>
static Acl *recursive_revoke(Acl *acl, Oid grantee, AclMode revoke_privs,
Oid ownerId, DropBehavior behavior);
-static AclMode convert_priv_string(text *priv_type_text);
static AclMode convert_any_priv_string(text *priv_type_text,
const priv_map *privileges);
bool goption = PG_GETARG_BOOL(3);
AclItem *result;
AclMode priv;
+ static const priv_map any_priv_map[] = {
+ {"SELECT", ACL_SELECT},
+ {"INSERT", ACL_INSERT},
+ {"UPDATE", ACL_UPDATE},
+ {"DELETE", ACL_DELETE},
+ {"TRUNCATE", ACL_TRUNCATE},
+ {"REFERENCES", ACL_REFERENCES},
+ {"TRIGGER", ACL_TRIGGER},
+ {"EXECUTE", ACL_EXECUTE},
+ {"USAGE", ACL_USAGE},
+ {"CREATE", ACL_CREATE},
+ {"TEMP", ACL_CREATE_TEMP},
+ {"TEMPORARY", ACL_CREATE_TEMP},
+ {"CONNECT", ACL_CONNECT},
+ {"SET", ACL_SET},
+ {"ALTER SYSTEM", ACL_ALTER_SYSTEM},
+ {"RULE", 0}, /* ignore old RULE privileges */
+ {NULL, 0}
+ };
- priv = convert_priv_string(privtext);
+ priv = convert_any_priv_string(privtext, any_priv_map);
result = (AclItem *) palloc(sizeof(AclItem));
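Review bot: The new `any_priv_map` table carries no comment saying it must list every privilege keyword, so a privilege bit added later would be rejected by makeaclitem() with "unrecognized privilege type" until someone remembers this function-local table. I would add above it `/* Every privilege keyword makeaclitem() accepts; add an entry whenever a new ACL_* bit is defined. */`. The `{"RULE", 0}` entry also means a list consisting only of `RULE` is accepted and contributes no privilege bits, so the caller gets an aclitem that carries no rights instead of an error; that deserves a word in the same comment. makeaclitem's body starts and ends outside this hunk.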
PG_RETURN_ACLITEM_P(result);
}
-static AclMode
-convert_priv_string(text *priv_type_text)
-{
- char *priv_type = text_to_cstring(priv_type_text);
-
- if (pg_strcasecmp(priv_type, "SELECT") == 0)
- return ACL_SELECT;
- if (pg_strcasecmp(priv_type, "INSERT") == 0)
- return ACL_INSERT;
- if (pg_strcasecmp(priv_type, "UPDATE") == 0)
- return ACL_UPDATE;
- if (pg_strcasecmp(priv_type, "DELETE") == 0)
- return ACL_DELETE;
- if (pg_strcasecmp(priv_type, "TRUNCATE") == 0)
- return ACL_TRUNCATE;
- if (pg_strcasecmp(priv_type, "REFERENCES") == 0)
- return ACL_REFERENCES;
- if (pg_strcasecmp(priv_type, "TRIGGER") == 0)
- return ACL_TRIGGER;
- if (pg_strcasecmp(priv_type, "EXECUTE") == 0)
- return ACL_EXECUTE;
- if (pg_strcasecmp(priv_type, "USAGE") == 0)
- return ACL_USAGE;
- if (pg_strcasecmp(priv_type, "CREATE") == 0)
- return ACL_CREATE;
- if (pg_strcasecmp(priv_type, "TEMP") == 0)
- return ACL_CREATE_TEMP;
- if (pg_strcasecmp(priv_type, "TEMPORARY") == 0)
- return ACL_CREATE_TEMP;
- if (pg_strcasecmp(priv_type, "CONNECT") == 0)
- return ACL_CONNECT;
- if (pg_strcasecmp(priv_type, "SET") == 0)
- return ACL_SET;
- if (pg_strcasecmp(priv_type, "ALTER SYSTEM") == 0)
- return ACL_ALTER_SYSTEM;
- if (pg_strcasecmp(priv_type, "RULE") == 0)
- return 0; /* ignore old RULE privileges */
-
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("unrecognized privilege type: \"%s\"", priv_type)));
- return ACL_NO_RIGHTS; /* keep compiler quiet */
-}
-
/*
* convert_any_priv_string: recognize privilege strings for has_foo_privilege
ALTER DEFAULT PRIVILEGES FOR ROLE regress_priv_user1 REVOKE EXECUTE ON FUNCTIONS FROM public;
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT USAGE ON SCHEMAS TO regress_priv_user2; -- error
ERROR: cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS
+-- Test makeaclitem()
+SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,
+ 'SELECT', TRUE); -- single privilege
+ makeaclitem
+------------------------------------------
+ regress_priv_user1=r*/regress_priv_user2
+(1 row)
+
+SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,
+ 'SELECT, INSERT, UPDATE , DELETE ', FALSE); -- multiple privileges
+ makeaclitem
+--------------------------------------------
+ regress_priv_user1=arwd/regress_priv_user2
+(1 row)
+
+SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,
+ 'SELECT, fake_privilege', FALSE); -- error
+ERROR: unrecognized privilege type: "fake_privilege"
--
-- Testing blanket default grants is very hazardous since it might change
-- the privileges attached to objects created by concurrent regression tests.
ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT USAGE ON SCHEMAS TO regress_priv_user2; -- error
+-- Test makeaclitem()
+SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,
+ 'SELECT', TRUE); -- single privilege
+SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,
+ 'SELECT, INSERT, UPDATE , DELETE ', FALSE); -- multiple privileges
+SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole,
+ 'SELECT, fake_privilege', FALSE); -- error
+
--
-- Testing blanket default grants is very hazardous since it might change
-- the privileges attached to objects created by concurrent regression tests.
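Review bot: The three added calls use only upper-case, single-word privilege names, so the case-insensitivity that the documentation change promises and the `ALTER SYSTEM`, `TEMP`/`TEMPORARY` and `RULE` entries of the new map are never exercised. One more call such as `SELECT makeaclitem('regress_priv_user1'::regrole, 'regress_priv_user2'::regrole, 'select, Alter System, temp', FALSE);` would cover them, and an error case with a doubled space inside `ALTER  SYSTEM` would pin the "not within privilege names" rule. Behaviour for an empty string or a trailing comma is not pinned by any test either; it presumably raises the same "unrecognized privilege type" error, but that should be confirmed and recorded. The expected-output hunk needs the matching results.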