From 371087d006e04991080bf17cf2287db38d3ea92e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Fri, 26 Nov 2021 14:02:01 +0100
Subject: Fix GRANTED BY support in REVOKE ROLE statements
Commit 6aaaa76bb added support for the GRANTED BY clause in GRANT and REVOKE statements, but missed adding support for checking the role in the REVOKE ROLE case. Fix by checking that the parsed role matches the CURRENT_ROLE/CURRENT_USER requirement, and also add some tests for it. Backpatch to v14 where GRANTED BY support was introduced.
Discussion: https://postgr.es/m/B7F6699A-A984-4943-B9BF-CEB84C003527@yesql.se
Backpatch-through: 14
---
 src/backend/commands/user.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'src/backend/commands/user.c')
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 65bb7339589..b9cca41a7d3 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1319,7 +1319,18 @@ GrantRole(GrantRoleStmt *stmt)
 ListCell *item;
 if (stmt->grantor)
+ {
 grantor = get_rolespec_oid(stmt->grantor, false);
+
+ /*
+ * Currently, this clause is only for SQL compatibility, not very
+ * interesting otherwise.
+ */
+ if (grantor != GetUserId())
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("grantor must be current user")));
+ }
 else
 grantor = GetUserId();
-- cgit v1.2.3
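Review bot: The comment added above the `grantor != GetUserId()` test says only that the clause exists for SQL compatibility and does not say what the test enforces. As the lines read, it is an authorization guard: a role named in GRANTED BY is accepted only when it resolves to the current user, where the old code took whatever `get_rolespec_oid()` returned. A wording such as `/* GRANTED BY exists for SQL compatibility only; reject any grantor other than the current user so a statement cannot name another role as grantor. */` would keep a later edit from loosening the check by accident. The check sits in GrantRole, whose body starts and ends outside the hunk, so it presumably runs for GRANT as well as REVOKE even though the commit message speaks of REVOKE ROLE; the comment could say so once that is confirmed.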