Re: patch for type privileges

On 2011-12-01 22:14, Peter Eisentraut wrote:
> On tor, 2011-12-01 at 14:37 +0100, Yeb Havinga wrote:
>> On 2011-11-29 18:47, Peter Eisentraut wrote:
>>> On tis, 2011-11-29 at 07:07 +0200, Peter Eisentraut wrote:
>>>> On mån, 2011-11-28 at 11:41 +0100, Yeb Havinga wrote:
>>>>> On 2011-11-15 21:50, Peter Eisentraut wrote:
>>>>>> Patch attached.
>>>>> I cannot get the patch to apply, this is the output of patch -p1
>>>>> --dry-run on HEAD.
>>>> I need to remerge it against concurrent range type activity.
>>> New patch attached.
>> I'm looking at your patch. One thing that puzzled me for a while was
>> that I could not restrict access to base types (either built-in or user
>> defined). Is this intentional?
> Works for me:
>
> =# create user foo;
> =# revoke usage on type int8 from public;
> =# \c - foo
> =>  create table test1 (a int4, b int8);
> ERROR:  permission denied for type bigint

Hmm even though I have 'revoke all on type int2 from public' in my psql 
history, I cannot repeat what I think was happening yesterday. Probably 
I was still superuser in the window I was testing with, but will never 
no until time travel is invented. Or maybe I tested with a cast.

Using a cast, it is possible to create a table with a code path through 
OpenIntoRel:

session 1:
t=# revoke all on type int2 from public;
session2 :
t=> create table t2 (a int2);
ERROR:  permission denied for type smallint
t=> create table t as (select 1::int2 as a);
SELECT 1
t=> \d t       Table "public.t" Column |   Type   | Modifiers
--------+----------+----------- a      | smallint |

t=>

Something different: as non superuser I get this error when restricting 
a type I don't own:

t=> revoke all on type int2 from public;
ERROR:  unrecognized objkind: 6

My current time is limited but I will be able to look more at the patch 
in a few more days.

regards,
Yeb Havinga