Create new ParseExprKind for use by policy expressions.
Policy USING and WITH CHECK expressions were using EXPR_KIND_WHERE for parse analysis, which results in inappropriate ERROR messages when the expression contains unsupported constructs such as aggregates. Create a new ParseExprKind called EXPR_KIND_POLICY and tailor the related messages to fit. Reported by Noah Misch. Reviewed by Dean Rasheed, Alvaro Herrera, and Robert Haas. Back-patch to 9.5 where RLS was introduced.
This commit is contained in:
parent
f04ce31475
commit
632cd9f892
|
@ -534,12 +534,12 @@ CreatePolicy(CreatePolicyStmt *stmt)
|
|||
|
||||
qual = transformWhereClause(qual_pstate,
|
||||
copyObject(stmt->qual),
|
||||
EXPR_KIND_WHERE,
|
||||
EXPR_KIND_POLICY,
|
||||
"POLICY");
|
||||
|
||||
with_check_qual = transformWhereClause(with_check_pstate,
|
||||
copyObject(stmt->with_check),
|
||||
EXPR_KIND_WHERE,
|
||||
EXPR_KIND_POLICY,
|
||||
"POLICY");
|
||||
|
||||
/* Fix up collation information */
|
||||
|
@ -707,7 +707,7 @@ AlterPolicy(AlterPolicyStmt *stmt)
|
|||
addRTEtoQuery(qual_pstate, rte, false, true, true);
|
||||
|
||||
qual = transformWhereClause(qual_pstate, copyObject(stmt->qual),
|
||||
EXPR_KIND_WHERE,
|
||||
EXPR_KIND_POLICY,
|
||||
"POLICY");
|
||||
|
||||
/* Fix up collation information */
|
||||
|
@ -730,7 +730,7 @@ AlterPolicy(AlterPolicyStmt *stmt)
|
|||
|
||||
with_check_qual = transformWhereClause(with_check_pstate,
|
||||
copyObject(stmt->with_check),
|
||||
EXPR_KIND_WHERE,
|
||||
EXPR_KIND_POLICY,
|
||||
"POLICY");
|
||||
|
||||
/* Fix up collation information */
|
||||
|
|
|
@ -372,6 +372,13 @@ check_agglevels_and_constraints(ParseState *pstate, Node *expr)
|
|||
break;
|
||||
case EXPR_KIND_WHERE:
|
||||
errkind = true;
|
||||
break;
|
||||
case EXPR_KIND_POLICY:
|
||||
if (isAgg)
|
||||
err = _("aggregate functions are not allowed in policy expressions");
|
||||
else
|
||||
err = _("grouping operations are not allowed in policy expressions");
|
||||
|
||||
break;
|
||||
case EXPR_KIND_HAVING:
|
||||
/* okay */
|
||||
|
@ -770,6 +777,9 @@ transformWindowFuncCall(ParseState *pstate, WindowFunc *wfunc,
|
|||
case EXPR_KIND_WHERE:
|
||||
errkind = true;
|
||||
break;
|
||||
case EXPR_KIND_POLICY:
|
||||
err = _("window functions are not allowed in policy expressions");
|
||||
break;
|
||||
case EXPR_KIND_HAVING:
|
||||
errkind = true;
|
||||
break;
|
||||
|
|
|
@ -1672,6 +1672,7 @@ transformSubLink(ParseState *pstate, SubLink *sublink)
|
|||
case EXPR_KIND_FROM_SUBSELECT:
|
||||
case EXPR_KIND_FROM_FUNCTION:
|
||||
case EXPR_KIND_WHERE:
|
||||
case EXPR_KIND_POLICY:
|
||||
case EXPR_KIND_HAVING:
|
||||
case EXPR_KIND_FILTER:
|
||||
case EXPR_KIND_WINDOW_PARTITION:
|
||||
|
@ -3173,6 +3174,8 @@ ParseExprKindName(ParseExprKind exprKind)
|
|||
return "function in FROM";
|
||||
case EXPR_KIND_WHERE:
|
||||
return "WHERE";
|
||||
case EXPR_KIND_POLICY:
|
||||
return "POLICY";
|
||||
case EXPR_KIND_HAVING:
|
||||
return "HAVING";
|
||||
case EXPR_KIND_FILTER:
|
||||
|
|
|
@ -63,7 +63,8 @@ typedef enum ParseExprKind
|
|||
EXPR_KIND_INDEX_PREDICATE, /* index predicate */
|
||||
EXPR_KIND_ALTER_COL_TRANSFORM, /* transform expr in ALTER COLUMN TYPE */
|
||||
EXPR_KIND_EXECUTE_PARAMETER, /* parameter value in EXECUTE */
|
||||
EXPR_KIND_TRIGGER_WHEN /* WHEN condition in CREATE TRIGGER */
|
||||
EXPR_KIND_TRIGGER_WHEN, /* WHEN condition in CREATE TRIGGER */
|
||||
EXPR_KIND_POLICY /* USING or WITH CHECK expr in policy */
|
||||
} ParseExprKind;
|
||||
|
||||
|
||||
|
|
|
@ -106,7 +106,7 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
|
|||
e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
|
||||
|
||||
policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
|
||||
EXPR_KIND_WHERE,
|
||||
EXPR_KIND_POLICY,
|
||||
"POLICY");
|
||||
|
||||
policy->with_check_qual = copyObject(policy->qual);
|
||||
|
@ -160,7 +160,7 @@ test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
|
|||
e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
|
||||
|
||||
policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
|
||||
EXPR_KIND_WHERE,
|
||||
EXPR_KIND_POLICY,
|
||||
"POLICY");
|
||||
|
||||
policy->with_check_qual = copyObject(policy->qual);
|
||||
|
|
|
@ -3024,6 +3024,15 @@ CREATE RULE "_RETURN" AS ON SELECT TO t DO INSTEAD
|
|||
SELECT * FROM generate_series(1,5) t0(c); -- succeeds
|
||||
ROLLBACK;
|
||||
--
|
||||
-- Policy expression handling
|
||||
--
|
||||
BEGIN;
|
||||
SET row_security = FORCE;
|
||||
CREATE TABLE t (c) AS VALUES ('bar'::text);
|
||||
CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions
|
||||
ERROR: aggregate functions are not allowed in policy expressions
|
||||
ROLLBACK;
|
||||
--
|
||||
-- Clean up objects
|
||||
--
|
||||
RESET SESSION AUTHORIZATION;
|
||||
|
|
|
@ -1289,6 +1289,15 @@ CREATE RULE "_RETURN" AS ON SELECT TO t DO INSTEAD
|
|||
SELECT * FROM generate_series(1,5) t0(c); -- succeeds
|
||||
ROLLBACK;
|
||||
|
||||
--
|
||||
-- Policy expression handling
|
||||
--
|
||||
BEGIN;
|
||||
SET row_security = FORCE;
|
||||
CREATE TABLE t (c) AS VALUES ('bar'::text);
|
||||
CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions
|
||||
ROLLBACK;
|
||||
|
||||
--
|
||||
-- Clean up objects
|
||||
--
|
||||
|
|
Loading…
Reference in New Issue