From 4989ce72644b9d636b9b23c7a1719a405e62670b Mon Sep 17 00:00:00 2001 From: Alvaro Herrera Date: Wed, 21 Feb 2024 17:18:52 +0100 Subject: [PATCH] MERGE ... DO NOTHING: require SELECT privileges Verify that a user running MERGE with a DO NOTHING clause has privileges to read the table, even if no columns are referenced. Such privileges were already required if the ON clause or any of the WHEN conditions referenced any column at all, so there's no functional change in practice. This change fixes an assertion failure in the case where no column is referenced by the command and the WHEN clauses are all DO NOTHING. Backpatch to 15, where MERGE was introduced. Reported-by: Alena Rybakina Reported-by: Alexander Lakhin Discussion: https://postgr.es/m/4d65a385-7efa-4436-a825-0869f89d9d92@postgrespro.ru --- src/backend/parser/parse_merge.c | 7 ++++++- src/test/regress/expected/merge.out | 10 ++++++++++ src/test/regress/sql/merge.sql | 11 +++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/src/backend/parser/parse_merge.c b/src/backend/parser/parse_merge.c index 5f6a683ab9..73f7a48b3c 100644 --- a/src/backend/parser/parse_merge.c +++ b/src/backend/parser/parse_merge.c @@ -133,7 +133,11 @@ transformMergeStmt(ParseState *pstate, MergeStmt *stmt) int when_type = (mergeWhenClause->matched ? 0 : 1); /* - * Collect action types so we can check target permissions + * Collect permissions to check, according to action types. We require + * SELECT privileges for DO NOTHING because it'd be irregular to have + * a target relation with zero privileges checked, in case DO NOTHING + * is the only action. There's no damage from that: any meaningful + * MERGE command requires at least some access to the table anyway. */ switch (mergeWhenClause->commandType) { @@ -147,6 +151,7 @@ transformMergeStmt(ParseState *pstate, MergeStmt *stmt) targetPerms |= ACL_DELETE; break; case CMD_NOTHING: + targetPerms |= ACL_SELECT; break; default: elog(ERROR, "unknown action in MERGE WHEN clause"); diff --git a/src/test/regress/expected/merge.out b/src/test/regress/expected/merge.out index f87905fabd..28a69802d7 100644 --- a/src/test/regress/expected/merge.out +++ b/src/test/regress/expected/merge.out @@ -3,6 +3,7 @@ -- CREATE USER regress_merge_privs; CREATE USER regress_merge_no_privs; +CREATE USER regress_merge_none; DROP TABLE IF EXISTS target; NOTICE: table "target" does not exist, skipping DROP TABLE IF EXISTS source; @@ -159,6 +160,14 @@ ERROR: cannot execute MERGE on relation "mv" DETAIL: This operation is not supported for materialized views. DROP MATERIALIZED VIEW mv; -- permissions +SET SESSION AUTHORIZATION regress_merge_none; +MERGE INTO target +USING (SELECT 1) +ON true +WHEN MATCHED THEN + DO NOTHING; +ERROR: permission denied for table target +SET SESSION AUTHORIZATION regress_merge_privs; MERGE INTO target USING source2 ON target.tid = source2.sid @@ -2248,3 +2257,4 @@ DROP TABLE source, source2; DROP FUNCTION merge_trigfunc(); DROP USER regress_merge_privs; DROP USER regress_merge_no_privs; +DROP USER regress_merge_none; diff --git a/src/test/regress/sql/merge.sql b/src/test/regress/sql/merge.sql index 66cb75a756..82faa7364c 100644 --- a/src/test/regress/sql/merge.sql +++ b/src/test/regress/sql/merge.sql @@ -4,6 +4,8 @@ CREATE USER regress_merge_privs; CREATE USER regress_merge_no_privs; +CREATE USER regress_merge_none; + DROP TABLE IF EXISTS target; DROP TABLE IF EXISTS source; CREATE TABLE target (tid integer, balance integer) @@ -118,6 +120,14 @@ DROP MATERIALIZED VIEW mv; -- permissions +SET SESSION AUTHORIZATION regress_merge_none; +MERGE INTO target +USING (SELECT 1) +ON true +WHEN MATCHED THEN + DO NOTHING; + +SET SESSION AUTHORIZATION regress_merge_privs; MERGE INTO target USING source2 ON target.tid = source2.sid @@ -1471,3 +1481,4 @@ DROP TABLE source, source2; DROP FUNCTION merge_trigfunc(); DROP USER regress_merge_privs; DROP USER regress_merge_no_privs; +DROP USER regress_merge_none;