diff options
Diffstat (limited to 'src/backend/commands')
| -rw-r--r-- | src/backend/commands/portalcmds.c | 5 | ||||
| -rw-r--r-- | src/backend/commands/trigger.c | 12 |
2 files changed, 17 insertions, 0 deletions
diff --git a/src/backend/commands/portalcmds.c b/src/backend/commands/portalcmds.c index 6a2c2336157..f65529ba6ad 100644 --- a/src/backend/commands/portalcmds.c +++ b/src/backend/commands/portalcmds.c @@ -27,6 +27,7 @@ #include "commands/portalcmds.h" #include "executor/executor.h" #include "executor/tstoreReceiver.h" +#include "miscadmin.h" #include "rewrite/rewriteHandler.h" #include "tcop/pquery.h" #include "tcop/tcopprot.h" @@ -65,6 +66,10 @@ PerformCursorOpen(ParseState *pstate, DeclareCursorStmt *cstmt, ParamListInfo pa */ if (!(cstmt->options & CURSOR_OPT_HOLD)) RequireTransactionBlock(isTopLevel, "DECLARE CURSOR"); + else if (InSecurityRestrictedOperation()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("cannot create a cursor WITH HOLD within security-restricted operation"))); /* * Parse analysis was done already, but we still have to run the rule diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index 3d8333bb848..9361a1417b6 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -4020,6 +4020,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, bool immediate_only) { bool found = false; + bool deferred_found = false; AfterTriggerEvent event; AfterTriggerEventChunk *chunk; @@ -4055,6 +4056,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, */ if (defer_it && move_list != NULL) { + deferred_found = true; /* add it to move_list */ afterTriggerAddEvent(move_list, event, evtshared); /* mark original copy "done" so we don't do it again */ @@ -4062,6 +4064,16 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, } } + /* + * We could allow deferred triggers if, before the end of the + * security-restricted operation, we were to verify that a SET CONSTRAINTS + * ... IMMEDIATE has fired all such triggers. For now, don't bother. + */ + if (deferred_found && InSecurityRestrictedOperation()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("cannot fire deferred trigger within security-restricted operation"))); + return found; } |