author | Andrew Dunstan <andrew@dunslane.net> | 2011-11-03 12:45:02 -0400 |
---|---|---|
committer | Andrew Dunstan <andrew@dunslane.net> | 2011-11-03 12:45:02 -0400 |
commit | 94cd0f1ad8af722a48a30a1087377b52ca99d633 (patch) | |
tree | 81f19ed3c8699390334c169e7fa9d2d2e8e7bede /src/backend/libpq/hba.c | |
parent | 3b06105c7d999752177f98fdad20278d57804f8f (diff) | |
Do not treat a superuser as a member of every role for HBA purposes.
This makes it possible to use reject lines with group roles.
Andrew Dunstan, reviewed by Robert Haas.
Diffstat (limited to 'src/backend/libpq/hba.c')
-rw-r--r-- | src/backend/libpq/hba.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index d2a6db1478b..a3036018b4c 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
 if (!OidIsValid(roleid))
 return false; /* if target role not exist, say "no" */
- /* See if user is directly or indirectly a member of role */
- return is_member_of_role(userid, roleid);
+ /*
+ * See if user is directly or indirectly a member of role.
+ * For this purpose, a superuser is not considered to be automatically
+ * a member of the role, so group auth only applies to explicit
+ * membership.
+ */
+ return is_member_of_role_nosuper(userid, roleid);
 }
 /* |
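Review bot: The new comment above the `is_member_of_role_nosuper` call states the rule but not its consequence for existing `pg_hba.conf` files: a superuser who used to match a `+group` line implicitly now falls through to whichever later line matches, which may use a different, possibly weaker, auth method or reject the connection. I would extend the comment with the motivation from the commit message, e.g. `* This lets "reject" lines name a group role without also catching every superuser.`, and say that a superuser must be granted membership explicitly to keep matching such lines. The diffstat shown is limited to hba.c, so I cannot tell whether the client-authentication documentation and release notes carry the same caveat; if they do not, they should. is_member's body starts above the hunk, so the `roleid` lookup is not visible here.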