diff options
| author | Andrew Dunstan <andrew@dunslane.net> | 2011-11-03 12:45:02 -0400 |
|---|---|---|
| committer | Andrew Dunstan <andrew@dunslane.net> | 2011-11-03 12:45:02 -0400 |
| commit | 94cd0f1ad8af722a48a30a1087377b52ca99d633 (patch) | |
| tree | 81f19ed3c8699390334c169e7fa9d2d2e8e7bede /src | |
| parent | 3b06105c7d999752177f98fdad20278d57804f8f (diff) | |
| download | postgresql-94cd0f1ad8af722a48a30a1087377b52ca99d633.tar.gz postgresql-94cd0f1ad8af722a48a30a1087377b52ca99d633.zip | |
Do not treat a superuser as a member of every role for HBA purposes.
This makes it possible to use reject lines with group roles.
Andrew Dunstan, reviewd by Robert Haas.
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/hba.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index d2a6db1478b..a3036018b4c 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -442,8 +442,13 @@ is_member(Oid userid, const char *role) if (!OidIsValid(roleid)) return false; /* if target role not exist, say "no" */ - /* See if user is directly or indirectly a member of role */ - return is_member_of_role(userid, roleid); + /* + * See if user is directly or indirectly a member of role. + * For this purpose, a superuser is not considered to be automatically + * a member of the role, so group auth only applies to explicit + * membership. + */ + return is_member_of_role_nosuper(userid, roleid); } /* |