Allow LOCK TABLE .. ROW EXCLUSIVE MODE with INSERT

INSERT acquires RowExclusiveLock during normal operation and therefore it makes sense to allow LOCK TABLE .. ROW EXCLUSIVE MODE to be executed by users who have INSERT rights on a table (even if they don't have UPDATE or DELETE). Not back-patching this as it's a behavior change which, strictly speaking, loosens security restrictions. Per discussion with Tom and Robert (circa 2013).
author: Stephen Frost 2015-05-11 19:44:12 +0000
committer: Stephen Frost 2015-05-11 19:44:12 +0000
commit: fa2642438f189c2b169ace3ac1df19533b9c7781 (patch)
tree: 7a455813a35d03230771870778bd9a47962c916e /src/backend/commands
parent: 9d15292cfc581d2916778b79df0f0e86e032a677 (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/src/backend/commands/lockcmds.c b/src/backend/commands/lockcmds.c
index bdec2ff545c..a1670821aa4 100644
--- a/src/backend/commands/lockcmds.c
+++ b/src/backend/commands/lockcmds.c
@@ -169,13 +169,17 @@ static AclResult
 LockTableAclCheck(Oid reloid, LOCKMODE lockmode)
 {
 	AclResult	aclresult;
+	AclMode		aclmask;
 
 	/* Verify adequate privilege */
 	if (lockmode == AccessShareLock)
-		aclresult = pg_class_aclcheck(reloid, GetUserId(),
-									  ACL_SELECT);
+		aclmask = ACL_SELECT;
+	else if (lockmode == RowExclusiveLock)
+		aclmask = ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
 	else
-		aclresult = pg_class_aclcheck(reloid, GetUserId(),
-									  ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE);
+		aclmask = ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE;
+
+	aclresult = pg_class_aclcheck(reloid, GetUserId(), aclmask);
+
 	return aclresult;
 }
author	Stephen Frost	2015-05-11 19:44:12 +0000
committer	Stephen Frost	2015-05-11 19:44:12 +0000
commit	fa2642438f189c2b169ace3ac1df19533b9c7781 (patch)
tree	7a455813a35d03230771870778bd9a47962c916e /src/backend/commands
parent	9d15292cfc581d2916778b79df0f0e86e032a677 (diff)