robust-revoke.diff
text/x-patch
Filename: robust-revoke.diff
Type: text/x-patch
Part: 0
Patch
Format: unified
| File | + | − |
|---|---|---|
| src/backend/catalog/aclchk.c | 13 | 2 |
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 7abf3c2a74..aff91582d7 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -444,6 +444,9 @@ ExecuteGrantStmt(GrantStmt *stmt)
* Convert the RoleSpec list into an Oid list. Note that at this point we
* insert an ACL_ID_PUBLIC into the list if appropriate, so downstream
* there shouldn't be any additional work needed to support this case.
+ *
+ * Allow missing grantees in case of REVOKE (!istmt.is_grant)
+ * if now valid roles found return immediately
*/
foreach(cell, stmt->grantees)
{
@@ -456,12 +459,20 @@ ExecuteGrantStmt(GrantStmt *stmt)
grantee_uid = ACL_ID_PUBLIC;
break;
default:
- grantee_uid = get_rolespec_oid(grantee, false);
+ grantee_uid = get_rolespec_oid(grantee, !istmt.is_grant);
break;
}
- istmt.grantees = lappend_oid(istmt.grantees, grantee_uid);
+ if (OidIsValid(grantee_uid))
+ istmt.grantees = lappend_oid(istmt.grantees, grantee_uid);
+ else
+ ereport(WARNING,
+ (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+ errmsg("ignoring REVOKE FROM a missing role \"%s\"", grantee->rolename)));
}
+ if (istmt.grantees == NIL)
+ return;
+
/*
* Convert stmt->privileges, a list of AccessPriv nodes, into an AclMode
* bitmask. Note: objtype can't be OBJECT_COLUMN.