tags:

views:

259

answers:

2
Q: 

Find out if user got permission to select/update/... a table/function/... in PostgreSQL

What is the recommended way to figure out if a user got a certain right (e.g. select or execute) on a certain class (e.g. table or function) in PostgreSQL?

At the moment I got something like

aclcontains(
    someColumnWithAclitemArray,
    makeaclitem(userOid,grantorOid,someRight,false))

but it's terrible since I have to check for every grantorOid that is possible and for every userOid the user can belong to.

On a related note: what are the possible rights you can test for? I haven't found any documentation but reading the source code I guess:

INSERT
SELECT
UPDATE
DELETE
TRUNCATE
REFERENCES
TRIGGER
EXECUTE
USAGE
CREATE
CONNECT

There also seems to be a CREATE TEMP right, but I can't figure out the correct text to use in the makeaclitem-function.

+1  A: 

I've found that a better approach (and I seem to remember this was taken from some queries built into psql, or maybe the information_schema views) is to use the has_*_privilege functions, and simply apply them to a set of all possible combinations of user and object. This will take account of having access to an object via some group role as well.

For example, this will show which users have which access to non-catalogue tables and views:

select usename, nspname || '.' || relname as relation,
       case relkind when 'r' then 'TABLE' when 'v' then 'VIEW' end as relation_type,
       priv
from pg_class join pg_namespace on pg_namespace.oid = pg_class.relnamespace,
     pg_user,
     (values('SELECT', 1),('INSERT', 2),('UPDATE', 3),('DELETE', 4)) privs(priv, privorder)
where relkind in ('r', 'v')
      and has_table_privilege(pg_user.usesysid, pg_class.oid, priv)
      and not (nspname ~ '^pg_' or nspname = 'information_schema')
order by 2, 1, 3, privorder;

The possible privileges are detailed in the description of the has_*_privilege functions at http://www.postgresql.org/docs/8.3/static/functions-info.html after table 9-45.

'CREATE TEMP' is a database-level privilege: it permits a user to use a pg_temp_* schema. It can be tested with has_database_privilege(useroid, datoid, 'TEMP').

araqnid  2009-06-03 20:59:57
A: 

Take a look at the "Access Privilege Inquiry Functions" and also the "GRANT" reference page.

Milen A. Radev  2009-06-03 21:00:14

related questions

How do I (or can I) SELECT DISTINCT on multiple columns (postgresql)?
Is it possible to make a recursive SQL query ?
What does it mean when a PostgreSQL process is "idle in transaction"?
C# .NET + PostgreSQL
Possible to perform cross-database queries with postgres?
Cascading deletes in PostgreSQL
How to concatenate strings of a string field in a PostgreSQL 'group by' query?
Languages other than SQL in postgres
How to prevent Write Ahead Logging on just one table in PostgreSQL?
Using MS Access & ODBC to connect to a remote PostgreSQL
Reasons for SQL differences
PostgreSQL perfomance monitoring tool
How do you use script variables in PostgreSQL?
MySQL vs PostgreSQL for Web Applications
joining latest of various usermetadata tags to user rows
Good strategy for leaving an audit trail/change history for DB applications?
PostgreSQL: GIN or GiST indexes?
Migrating from MySQL to PostgreSQL
What's the preferred way to connect to a postgresql database from PHP?
Use for the phppgadmin Reports Database?
Recommendation for a PostgreSQL Programming Tutorial?
SQL Case Statement Syntax?
What language do you use for Postgresql triggers and stored procedures?
String literals and escape characters in postgresql
Python and MySQL