author | Bruce Momjian <bruce@momjian.us> | 1998-08-24 01:38:11 +0000 |
---|---|---|
committer | Bruce Momjian <bruce@momjian.us> | 1998-08-24 01:38:11 +0000 |
commit | 15cb32d93e68fa37140082188ece9030c27522f8 (patch) | |
tree | 23de574d8a9b502e3a897c9cd0112bb4c937b0a8 /src/backend/rewrite/rewriteHandler.c | |
parent | f92994b1bd29f7376b225dbc3f67dd51451d3564 (diff) | |
This is the final state of the rule system for 6.4 after the
patch is applied:
Rewrite rules on relation level work fine now.
Event qualifications on insert/update/delete rules work
fine now.
I added the new keyword OLD to reference the CURRENT
tuple. CURRENT will be removed in 6.5.
Update rules can reference NEW and OLD in the rule
qualification and the actions.
Insert/update/delete rules on views can be established to
let them behave like real tables.
For insert/update/delete rules multiple actions are
supported now. The actions can also be surrounded by
parentheses to make psql happy. Multiple actions are
required if update to a view requires updates to multiple
tables.
Regular users are permitted to create/drop rules on
tables they have RULE permissions for
(DefineQueryRewrite() is now able to get around the
access restrictions on pg_rewrite). This enables view
creation for regular users too. This required an extra
boolean parameter to pg_parse_and_plan() that tells to
set skipAcl on all rangetable entries of the resulting
queries. There is a new function
pg_exec_query_acl_override() that could be used by
backend utilities to use this facility.
All rule actions (not only views) inherit the permissions
of the event relations owner. Sample: User A creates
tables T1 and T2, creates rules that log
INSERT/UPDATE/DELETE on T1 in T2 (like in the regression
tests for rules I created) and grants ALL but RULE on T1
to user B. User B can now fully access T1 and the
logging happens in T2. But user B cannot access T2 at
all, only the rule actions can. And due to missing RULE
permissions on T1, user B cannot disable logging.
Rules on the attribute level are disabled (they don't
work properly and since regular users are now permitted
to create rules I decided to disable them).
Rules on select must have exactly one action that is a
select (so select rules must be a view definition).
UPDATE NEW/OLD rules are disabled (still broken, but
triggers can do it).
There are two new system views (pg_rule and pg_view) that
show the definition of the rules or views so the db admin
can see what the users do. They use two new functions
pg_get_ruledef() and pg_get_viewdef() that are builtins.
The functions pg_get_ruledef() and pg_get_viewdef() could
be used to implement rule and view support in pg_dump.
PostgreSQL is now the only database system I know, that
has rewrite rules on the query level. All others (where I
found a rule statement at all) use stored database
procedures or the like (triggers as we call them) for
active rules (as some call them).
Future of the rule system:
The now disabled parts of the rule system (attribute
level, multiple actions on select and update new stuff)
require a complete new rewrite handler from scratch. The
old one is too badly wired up.
After 6.4 I'll start to work on a new rewrite handler,
that fully supports the attribute level rules, multiple
actions on select and update new. This will be available
for 6.5 so we get full rewrite rule capabilities.
Jan
Diffstat (limited to 'src/backend/rewrite/rewriteHandler.c')
-rw-r--r-- | src/backend/rewrite/rewriteHandler.c | 119 |
1 files changed, 42 insertions, 77 deletions
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
index 68169cbf2d2..02bbc69a8ca 100644
--- a/src/backend/rewrite/rewriteHandler.c
+++ b/src/backend/rewrite/rewriteHandler.c
@@ -6,7 +6,7 @@
 *
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/rewrite/rewriteHandler.c,v 1.19 1998/08/19 02:02:30 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/rewrite/rewriteHandler.c,v 1.20 1998/08/24 01:37:59 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -45,7 +45,6 @@ fireRules(Query *parsetree, int rt_index, CmdType event,
 static void QueryRewriteSubLink(Node *node);
 static List *QueryRewriteOne(Query *parsetree);
 static List *deepRewriteQuery(Query *parsetree);
-static void CheckViewPerms(Relation view, List *rtable);
 static void RewritePreprocessQuery(Query *parsetree);
 static Query *RewritePostprocessNonSelect(Query *parsetree);
@@ -273,7 +272,6 @@ ApplyRetrieveRule(Query *parsetree,
 int nothing, rt_length;
 int badsql = FALSE;
- int viewAclOverride = FALSE;
 rule_qual = rule->qual;
 if (rule->actions)
@@ -291,19 +289,6 @@ ApplyRetrieveRule(Query *parsetree,
 return;
 rule_action = copyObject(lfirst(rule->actions));
 nothing = FALSE;
-
- /*
- * If this rule is on the relation level, the rule action is a
- * select and the rule is instead then it must be a view.
- * Permissions for views now follow the owner of the view, not the
- * current user.
- */
- if (relation_level && rule_action->commandType == CMD_SELECT
- && rule->isInstead)
- {
- CheckViewPerms(relation, rule_action->rtable);
- viewAclOverride = TRUE;
- }
 }
 else nothing = TRUE;
@@ -321,28 +306,7 @@ ApplyRetrieveRule(Query *parsetree,
 }
 rt_length = length(rtable);
- if (viewAclOverride)
- {
- List *rule_rtable,
- *rule_rt;
- RangeTblEntry *rte;
-
- rule_rtable = copyObject(rule_action->rtable);
- foreach(rule_rt, rule_rtable)
- {
- rte = lfirst(rule_rt);
-
- /*
- * tell the executor that the ACL check on this range table
- * entry is already done
- */
- rte->skipAcl = true;
- }
-
- rtable = nconc(rtable, rule_rtable);
- }
- else
- rtable = nconc(rtable, copyObject(rule_action->rtable));
+ rtable = nconc(rtable, copyObject(rule_action->rtable));
 parsetree->rtable = rtable;
 rule_action->rtable = rtable;
@@ -425,6 +389,8 @@ ProcessRetrieveQuery(Query *parsetree,
 if (rule) return NIL;
+ rt_index = 0;
+
 foreach(rt, rtable)
 {
 RangeTblEntry *rt_entry = lfirst(rt);
@@ -537,6 +503,44 @@ fireRules(Query *parsetree,
 List *r;
 bool orig_instead_flag = *instead_flag;
+ /*
+ * Instead rules change the resultRelation of the
+ * query. So the permission checks on the initial
+ * resultRelation would never be done (this is
+ * normally done in the executor deep down). So
+ * we must do it here. The result relations resulting
+ * from earlier rewrites are already checked against
+ * the rules eventrelation owner (during matchLocks)
+ * and have the skipAcl flag set.
+ */
+ if (rule_lock->isInstead &&
+ parsetree->commandType != CMD_SELECT) {
+ RangeTblEntry *rte;
+ int32 acl_rc;
+ int32 reqperm;
+
+ switch (parsetree->commandType) {
+ case CMD_INSERT:
+ reqperm = ACL_AP;
+ break;
+ default:
+ reqperm = ACL_WR;
+ break;
+ }
+
+ rte = (RangeTblEntry *)nth(parsetree->resultRelation - 1,
+ parsetree->rtable);
+ if (!rte->skipAcl) {
+ acl_rc = pg_aclcheck(rte->relname,
+ GetPgUserName(), reqperm);
+ if (acl_rc != ACLCHECK_OK) {
+ elog(ERROR, "%s: %s",
+ rte->relname,
+ aclcheck_error_strings[acl_rc]);
+ }
+ }
+ }
+
 /* multiple rule action time */
 *instead_flag = rule_lock->isInstead;
 event_qual = rule_lock->qual;
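Review bot: With the `viewAclOverride` branch gone, ApplyRetrieveRule (hunk at -321,28) appends the rule action's range table with a plain `nconc`, and nothing on these lines says where access to the view's underlying relations is now authorised. The comment added further down in fireRules suggests the owner-based check and the `skipAcl` marking now happen during matchLocks, which is outside this diff, so that should be confirmed rather than assumed. A short comment above the `nconc`, for example `/* ACL for the rule's range table entries is handled during matchLocks, not here */`, would keep a later reader from concluding the check was simply dropped. The enclosing function starts and ends outside the hunk.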
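Review bot: The new permission check in fireRules (hunk at -537,6) looks up `nth(parsetree->resultRelation - 1, parsetree->rtable)` and dereferences the result without confirming that `resultRelation` is at least 1, so a non-SELECT command type reaching this branch without a result relation would run the ACL check against whatever nth() returns for index -1. A guard before the lookup, such as `if (parsetree->resultRelation < 1) elog(ERROR, "fireRules: query has no result relation");`, makes that case fail closed. The `default:` arm also maps every command type other than CMD_INSERT to ACL_WR; explicit `case CMD_UPDATE:` and `case CMD_DELETE:` arms with an erroring default would state the intent. Because `rte->skipAcl` bypasses the check entirely, a comment at `if (!rte->skipAcl)` naming the code paths allowed to set that flag would make the bypass auditable. fireRules starts and ends outside the hunk.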
@@ -1024,42 +1028,3 @@ deepRewriteQuery(Query *parsetree)
 return rewritten;
 }
-
-
-static void
-CheckViewPerms(Relation view, List *rtable)
-{
- HeapTuple utup;
- NameData uname;
- List *rt;
- RangeTblEntry *rte;
- int32 aclcheck_res;
-
- /*
- * get the usename of the view's owner
- */
- utup = SearchSysCacheTuple(USESYSID,
- ObjectIdGetDatum(view->rd_rel->relowner),
- 0, 0, 0);
- if (!HeapTupleIsValid(utup))
- {
- elog(ERROR, "cache lookup for userid %d failed",
- view->rd_rel->relowner);
- }
- StrNCpy(uname.data,
- ((Form_pg_shadow) GETSTRUCT(utup))->usename.data,
- NAMEDATALEN);
-
- /*
- * check that we have read access to all the classes in the range
- * table of the view
- */
- foreach(rt, rtable)
- {
- rte = (RangeTblEntry *) lfirst(rt);
-
- aclcheck_res = pg_aclcheck(rte->relname, uname.data, ACL_RD);
- if (aclcheck_res != ACLCHECK_OK)
- elog(ERROR, "%s: %s", rte->relname, aclcheck_error_strings[aclcheck_res]);
- }
-} |