nosuperhbagroup.patch
Filename: nosuperhbagroup.patch
Type: text/x-patch
Part: 0
Patch
Format: unified
| File | + (lines added) | − (lines removed) |
|---|---|---|
| doc/src/sgml/client-auth.sgml | 4 | 1 |
| src/backend/libpq/hba.c | 7 | 2 |
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5d543cb..baed090 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -210,7 +210,10 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
in <productname>PostgreSQL</>; a <literal>+</> mark really means
<quote>match any of the roles that are directly or indirectly members
of this role</>, while a name without a <literal>+</> mark matches
- only that specific role.)
+ only that specific role.) For this purpose, a superuser is only
+ considered to be a member of a role if they are explicitly a member
+ of the role, directly or indirectly, and not just by virtue of
+ being a superuser.
Multiple user names can be supplied by separating them with commas.
A separate file containing user names can be specified by preceding the
file name with <literal>@</>.
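Review bot: the new sentence states the rule but not its consequence for existing installations: a superuser that is not an explicit (direct or indirect) member of the group will no longer match a `+group` entry and will fall through to later pg_hba.conf lines, or be rejected if none matches. Since that silently changes authentication outcomes on upgrade, say so here (or at least in the commit message), and tell administrators that superusers who should keep matching must be granted the role or listed by name. Minor wording: "a superuser ... if they are explicitly a member" mixes singular and plural; "if it is explicitly a member" reads more cleanly in this paragraph.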
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 1ee030f..1c84a60 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
if (!OidIsValid(roleid))
return false; /* if target role not exist, say "no" */
- /* See if user is directly or indirectly a member of role */
- return is_member_of_role(userid, roleid);
+ /*
+ * See if user is directly or indirectly a member of role.
+ * For this purpose, a superuser is not considered to be automatically
+ * a member of the role, so group auth only applies to explicit
+ * membership.
+ */
+ return is_member_of_role_nosuper(userid, roleid);
}
/*
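Review bot: the switch from `is_member_of_role` to `is_member_of_role_nosuper` at the `return` is the entire functional change, and the seven-line comment above it repeats the new client-auth.sgml paragraph almost word for word; a one-line comment such as `/* Superuser status alone is not membership; see client-auth.sgml */` is enough and keeps the two from drifting apart. The patch also touches no tests (only the two files in the stats table): a regression test should cover both cases this change distinguishes, a superuser that is an explicit direct or indirect member of the group and must still match the `+group` line, and a superuser that is not and must now fall through.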