path: root/src/test/regress/expected/privileges.out

--
-- Test access privileges
--
-- Clean up in case a prior regression run failed
-- Suppress NOTICE messages when users/groups don't exist
SET client_min_messages TO 'warning';
DROP ROLE IF EXISTS regressgroup1;
DROP ROLE IF EXISTS regressgroup2;
DROP ROLE IF EXISTS regressuser1;
DROP ROLE IF EXISTS regressuser2;
DROP ROLE IF EXISTS regressuser3;
DROP ROLE IF EXISTS regressuser4;
DROP ROLE IF EXISTS regressuser5;
RESET client_min_messages;
-- test proper begins here
CREATE USER regressuser1;
CREATE USER regressuser2;
CREATE USER regressuser3;
CREATE USER regressuser4;
CREATE USER regressuser5;
CREATE USER regressuser5;	-- duplicate
ERROR:  role "regressuser5" already exists
CREATE GROUP regressgroup1;
CREATE GROUP regressgroup2 WITH USER regressuser1, regressuser2;
ALTER GROUP regressgroup1 ADD USER regressuser4;
ALTER GROUP regressgroup2 ADD USER regressuser2;	-- duplicate
NOTICE:  role "regressuser2" is already a member of role "regressgroup2"
ALTER GROUP regressgroup2 DROP USER regressuser2;
ALTER GROUP regressgroup2 ADD USER regressuser4;
-- test owner privileges
SET SESSION AUTHORIZATION regressuser1;
SELECT session_user, current_user;
 session_user | current_user 
--------------+--------------
 regressuser1 | regressuser1
(1 row)

CREATE TABLE atest1 ( a int, b text );
SELECT * FROM atest1;
 a | b 
---+---
(0 rows)

INSERT INTO atest1 VALUES (1, 'one');
DELETE FROM atest1;
UPDATE atest1 SET a = 1 WHERE b = 'blech';
TRUNCATE atest1;
BEGIN;
LOCK atest1 IN ACCESS EXCLUSIVE MODE;
COMMIT;
REVOKE ALL ON atest1 FROM PUBLIC;
SELECT * FROM atest1;
 a | b 
---+---
(0 rows)

GRANT ALL ON atest1 TO regressuser2;
GRANT SELECT ON atest1 TO regressuser3, regressuser4;
SELECT * FROM atest1;
 a | b 
---+---
(0 rows)

CREATE TABLE atest2 (col1 varchar(10), col2 boolean);
GRANT SELECT ON atest2 TO regressuser2;
GRANT UPDATE ON atest2 TO regressuser3;
GRANT INSERT ON atest2 TO regressuser4;
GRANT TRUNCATE ON atest2 TO regressuser5;
SET SESSION AUTHORIZATION regressuser2;
SELECT session_user, current_user;
 session_user | current_user 
--------------+--------------
 regressuser2 | regressuser2
(1 row)

-- try various combinations of queries on atest1 and atest2
SELECT * FROM atest1; -- ok
 a | b 
---+---
(0 rows)

SELECT * FROM atest2; -- ok
 col1 | col2 
------+------
(0 rows)

INSERT INTO atest1 VALUES (2, 'two'); -- ok
INSERT INTO atest2 VALUES ('foo', true); -- fail
ERROR:  permission denied for relation atest2
INSERT INTO atest1 SELECT 1, b FROM atest1; -- ok
UPDATE atest1 SET a = 1 WHERE a = 2; -- ok
UPDATE atest2 SET col2 = NOT col2; -- fail
ERROR:  permission denied for relation atest2
SELECT * FROM atest1 FOR UPDATE; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atest2 FOR UPDATE; -- fail
ERROR:  permission denied for relation atest2
DELETE FROM atest2; -- fail
ERROR:  permission denied for relation atest2
TRUNCATE atest2; -- fail
ERROR:  permission denied for relation atest2
BEGIN;
LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- fail
ERROR:  permission denied for relation atest2
COMMIT;
COPY atest2 FROM stdin; -- fail
ERROR:  permission denied for relation atest2
GRANT ALL ON atest1 TO PUBLIC; -- fail
WARNING:  no privileges were granted for "atest1"
-- checks in subquery, both ok
SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
 a | b 
---+---
(0 rows)

SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) );
 col1 | col2 
------+------
(0 rows)

SET SESSION AUTHORIZATION regressuser3;
SELECT session_user, current_user;
 session_user | current_user 
--------------+--------------
 regressuser3 | regressuser3
(1 row)

SELECT * FROM atest1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atest2; -- fail
ERROR:  permission denied for relation atest2
INSERT INTO atest1 VALUES (2, 'two'); -- fail
ERROR:  permission denied for relation atest1
INSERT INTO atest2 VALUES ('foo', true); -- fail
ERROR:  permission denied for relation atest2
INSERT INTO atest1 SELECT 1, b FROM atest1; -- fail
ERROR:  permission denied for relation atest1
UPDATE atest1 SET a = 1 WHERE a = 2; -- fail
ERROR:  permission denied for relation atest1
UPDATE atest2 SET col2 = NULL; -- ok
UPDATE atest2 SET col2 = NOT col2; -- fails; requires SELECT on atest2
ERROR:  permission denied for relation atest2
UPDATE atest2 SET col2 = true FROM atest1 WHERE atest1.a = 5; -- ok
SELECT * FROM atest1 FOR UPDATE; -- fail
ERROR:  permission denied for relation atest1
SELECT * FROM atest2 FOR UPDATE; -- fail
ERROR:  permission denied for relation atest2
DELETE FROM atest2; -- fail
ERROR:  permission denied for relation atest2
TRUNCATE atest2; -- fail
ERROR:  permission denied for relation atest2
BEGIN;
LOCK atest2 IN ACCESS EXCLUSIVE MODE; -- ok
COMMIT;
COPY atest2 FROM stdin; -- fail
ERROR:  permission denied for relation atest2
-- checks in subquery, both fail
SELECT * FROM atest1 WHERE ( b IN ( SELECT col1 FROM atest2 ) );
ERROR:  permission denied for relation atest2
SELECT * FROM atest2 WHERE ( col1 IN ( SELECT b FROM atest1 ) );
ERROR:  permission denied for relation atest2
SET SESSION AUTHORIZATION regressuser4;
COPY atest2 FROM stdin; -- ok
SELECT * FROM atest1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

-- groups
SET SESSION AUTHORIZATION regressuser3;
CREATE TABLE atest3 (one int, two int, three int);
GRANT DELETE ON atest3 TO GROUP regressgroup2;
SET SESSION AUTHORIZATION regressuser1;
SELECT * FROM atest3; -- fail
ERROR:  permission denied for relation atest3
DELETE FROM atest3; -- ok
-- views
SET SESSION AUTHORIZATION regressuser3;
CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok
/* The next *should* fail, but it's not implemented that way yet. */
CREATE VIEW atestv2 AS SELECT * FROM atest2;
CREATE VIEW atestv3 AS SELECT * FROM atest3; -- ok
SELECT * FROM atestv1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atestv2; -- fail
ERROR:  permission denied for relation atest2
GRANT SELECT ON atestv1, atestv3 TO regressuser4;
GRANT SELECT ON atestv2 TO regressuser2;
SET SESSION AUTHORIZATION regressuser4;
SELECT * FROM atestv1; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT * FROM atestv2; -- fail
ERROR:  permission denied for relation atestv2
SELECT * FROM atestv3; -- ok
 one | two | three 
-----+-----+-------
(0 rows)

CREATE VIEW atestv4 AS SELECT * FROM atestv3; -- nested view
SELECT * FROM atestv4; -- ok
 one | two | three 
-----+-----+-------
(0 rows)

GRANT SELECT ON atestv4 TO regressuser2;
SET SESSION AUTHORIZATION regressuser2;
-- Two complex cases:
SELECT * FROM atestv3; -- fail
ERROR:  permission denied for relation atestv3
SELECT * FROM atestv4; -- ok (even though regressuser2 cannot access underlying atestv3)
 one | two | three 
-----+-----+-------
(0 rows)

SELECT * FROM atest2; -- ok
 col1 | col2 
------+------
 bar  | t
(1 row)

SELECT * FROM atestv2; -- fail (even though regressuser2 can access underlying atest2)
ERROR:  permission denied for relation atest2
-- Test column level permissions
SET SESSION AUTHORIZATION regressuser1;
CREATE TABLE atest5 (one int, two int, three int);
CREATE TABLE atest6 (one int, two int, blue int);
GRANT SELECT (one), INSERT (two), UPDATE (three) ON atest5 TO regressuser4;
GRANT ALL (one) ON atest5 TO regressuser3;
INSERT INTO atest5 VALUES (1,2,3);
SET SESSION AUTHORIZATION regressuser4;
SELECT * FROM atest5; -- fail
ERROR:  permission denied for relation atest5
SELECT one FROM atest5; -- ok
 one 
-----
   1
(1 row)

COPY atest5 (one) TO stdout; -- ok
1
SELECT two FROM atest5; -- fail
ERROR:  permission denied for relation atest5
COPY atest5 (two) TO stdout; -- fail
ERROR:  permission denied for relation atest5
SELECT atest5 FROM atest5; -- fail
ERROR:  permission denied for relation atest5
COPY atest5 (one,two) TO stdout; -- fail
ERROR:  permission denied for relation atest5
SELECT 1 FROM atest5; -- ok
 ?column? 
----------
        1
(1 row)

SELECT 1 FROM atest5 a JOIN atest5 b USING (one); -- ok
 ?column? 
----------
        1
(1 row)

SELECT 1 FROM atest5 a JOIN atest5 b USING (two); -- fail
ERROR:  permission denied for relation atest5
SELECT 1 FROM atest5 a NATURAL JOIN atest5 b; -- fail
ERROR:  permission denied for relation atest5
SELECT (j.*) IS NULL FROM (atest5 a JOIN atest5 b USING (one)) j; -- fail
ERROR:  permission denied for relation atest5
SELECT 1 FROM atest5 WHERE two = 2; -- fail
ERROR:  permission denied for relation atest5
SELECT * FROM atest1, atest5; -- fail
ERROR:  permission denied for relation atest5
SELECT atest1.* FROM atest1, atest5; -- ok
 a |  b  
---+-----
 1 | two
 1 | two
(2 rows)

SELECT atest1.*,atest5.one FROM atest1, atest5; -- ok
 a |  b  | one 
---+-----+-----
 1 | two |   1
 1 | two |   1
(2 rows)

SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.two); -- fail
ERROR:  permission denied for relation atest5
SELECT atest1.*,atest5.one FROM atest1 JOIN atest5 ON (atest1.a = atest5.one); -- ok
 a |  b  | one 
---+-----+-----
 1 | two |   1
 1 | two |   1
(2 rows)

SELECT one, two FROM atest5; -- fail
ERROR:  permission denied for relation atest5
SET SESSION AUTHORIZATION regressuser1;
GRANT SELECT (one,two) ON atest6 TO regressuser4;
SET SESSION AUTHORIZATION regressuser4;
SELECT one, two FROM atest5 NATURAL JOIN atest6; -- fail still
ERROR:  permission denied for relation atest5
SET SESSION AUTHORIZATION regressuser1;
GRANT SELECT (two) ON atest5 TO regressuser4;
SET SESSION AUTHORIZATION regressuser4;
SELECT one, two FROM atest5 NATURAL JOIN atest6; -- ok now
 one | two 
-----+-----
(0 rows)

-- test column-level privileges for INSERT and UPDATE
INSERT INTO atest5 (two) VALUES (3); -- ok
COPY atest5 FROM stdin; -- fail
ERROR:  permission denied for relation atest5
COPY atest5 (two) FROM stdin; -- ok
INSERT INTO atest5 (three) VALUES (4); -- fail
ERROR:  permission denied for relation atest5
INSERT INTO atest5 VALUES (5,5,5); -- fail
ERROR:  permission denied for relation atest5
UPDATE atest5 SET three = 10; -- ok
UPDATE atest5 SET one = 8; -- fail
ERROR:  permission denied for relation atest5
UPDATE atest5 SET three = 5, one = 2; -- fail
ERROR:  permission denied for relation atest5
SET SESSION AUTHORIZATION regressuser1;
REVOKE ALL (one) ON atest5 FROM regressuser4;
GRANT SELECT (one,two,blue) ON atest6 TO regressuser4;
SET SESSION AUTHORIZATION regressuser4;
SELECT one FROM atest5; -- fail
ERROR:  permission denied for relation atest5
UPDATE atest5 SET one = 1; -- fail
ERROR:  permission denied for relation atest5
SELECT atest6 FROM atest6; -- ok
 atest6 
--------
(0 rows)

COPY atest6 TO stdout; -- ok
-- test column-level privileges when involved with DELETE
SET SESSION AUTHORIZATION regressuser1;
ALTER TABLE atest6 ADD COLUMN three integer;
GRANT DELETE ON atest5 TO regressuser3;
GRANT SELECT (two) ON atest5 TO regressuser3;
REVOKE ALL (one) ON atest5 FROM regressuser3;
GRANT SELECT (one) ON atest5 TO regressuser4;
SET SESSION AUTHORIZATION regressuser4;
SELECT atest6 FROM atest6; -- fail
ERROR:  permission denied for relation atest6
SELECT one FROM atest5 NATURAL JOIN atest6; -- fail
ERROR:  permission denied for relation atest5
SET SESSION AUTHORIZATION regressuser1;
ALTER TABLE atest6 DROP COLUMN three;
SET SESSION AUTHORIZATION regressuser4;
SELECT atest6 FROM atest6; -- ok
 atest6 
--------
(0 rows)

SELECT one FROM atest5 NATURAL JOIN atest6; -- ok
 one 
-----
(0 rows)

SET SESSION AUTHORIZATION regressuser1;
ALTER TABLE atest6 DROP COLUMN two;
REVOKE SELECT (one,blue) ON atest6 FROM regressuser4;
SET SESSION AUTHORIZATION regressuser4;
SELECT * FROM atest6; -- fail
ERROR:  permission denied for relation atest6
SELECT 1 FROM atest6; -- fail
ERROR:  permission denied for relation atest6
SET SESSION AUTHORIZATION regressuser3;
DELETE FROM atest5 WHERE one = 1; -- fail
ERROR:  permission denied for relation atest5
DELETE FROM atest5 WHERE two = 2; -- ok
-- check inheritance cases
SET SESSION AUTHORIZATION regressuser1;
CREATE TABLE atestp1 (f1 int, f2 int) WITH OIDS;
CREATE TABLE atestp2 (fx int, fy int) WITH OIDS;
CREATE TABLE atestc (fz int) INHERITS (atestp1, atestp2);
GRANT SELECT(fx,fy,oid) ON atestp2 TO regressuser2;
GRANT SELECT(fx) ON atestc TO regressuser2;
SET SESSION AUTHORIZATION regressuser2;
SELECT fx FROM atestp2; -- ok
 fx 
----
(0 rows)

SELECT fy FROM atestp2; -- fail, no privilege on atestc.fy
ERROR:  permission denied for relation atestc
SELECT atestp2 FROM atestp2; -- fail, no privilege on atestc.fy
ERROR:  permission denied for relation atestc
SELECT oid FROM atestp2; -- fail, no privilege on atestc.oid
ERROR:  permission denied for relation atestc
SET SESSION AUTHORIZATION regressuser1;
GRANT SELECT(fy,oid) ON atestc TO regressuser2;
SET SESSION AUTHORIZATION regressuser2;
SELECT fx FROM atestp2; -- still ok
 fx 
----
(0 rows)

SELECT fy FROM atestp2; -- ok
 fy 
----
(0 rows)

SELECT atestp2 FROM atestp2; -- ok
 atestp2 
---------
(0 rows)

SELECT oid FROM atestp2; -- ok
 oid 
-----
(0 rows)

-- privileges on functions, languages
-- switch to superuser
\c -
REVOKE ALL PRIVILEGES ON LANGUAGE sql FROM PUBLIC;
GRANT USAGE ON LANGUAGE sql TO regressuser1; -- ok
GRANT USAGE ON LANGUAGE c TO PUBLIC; -- fail
ERROR:  language "c" is not trusted
HINT:  Only superusers can use untrusted languages.
SET SESSION AUTHORIZATION regressuser1;
GRANT USAGE ON LANGUAGE sql TO regressuser2; -- fail
WARNING:  no privileges were granted for "sql"
CREATE FUNCTION testfunc1(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql;
CREATE FUNCTION testfunc2(int) RETURNS int AS 'select 3 * $1;' LANGUAGE sql;
REVOKE ALL ON FUNCTION testfunc1(int), testfunc2(int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION testfunc1(int), testfunc2(int) TO regressuser2;
GRANT USAGE ON FUNCTION testfunc1(int) TO regressuser3; -- semantic error
ERROR:  invalid privilege type USAGE for function
GRANT ALL PRIVILEGES ON FUNCTION testfunc1(int) TO regressuser4;
GRANT ALL PRIVILEGES ON FUNCTION testfunc_nosuch(int) TO regressuser4;
ERROR:  function testfunc_nosuch(integer) does not exist
CREATE FUNCTION testfunc4(boolean) RETURNS text
  AS 'select col1 from atest2 where col2 = $1;'
  LANGUAGE sql SECURITY DEFINER;
GRANT EXECUTE ON FUNCTION testfunc4(boolean) TO regressuser3;
SET SESSION AUTHORIZATION regressuser2;
SELECT testfunc1(5), testfunc2(5); -- ok
 testfunc1 | testfunc2 
-----------+-----------
        10 |        15
(1 row)

CREATE FUNCTION testfunc3(int) RETURNS int AS 'select 2 * $1;' LANGUAGE sql; -- fail
ERROR:  permission denied for language sql
SET SESSION AUTHORIZATION regressuser3;
SELECT testfunc1(5); -- fail
ERROR:  permission denied for function testfunc1
SELECT col1 FROM atest2 WHERE col2 = true; -- fail
ERROR:  permission denied for relation atest2
SELECT testfunc4(true); -- ok
 testfunc4 
-----------
 bar
(1 row)

SET SESSION AUTHORIZATION regressuser4;
SELECT testfunc1(5); -- ok
 testfunc1 
-----------
        10
(1 row)

DROP FUNCTION testfunc1(int); -- fail
ERROR:  must be owner of function testfunc1
\c -
DROP FUNCTION testfunc1(int); -- ok
-- restore to sanity
GRANT ALL PRIVILEGES ON LANGUAGE sql TO PUBLIC;
-- truncate
SET SESSION AUTHORIZATION regressuser5;
TRUNCATE atest2; -- ok
TRUNCATE atest3; -- fail
ERROR:  permission denied for relation atest3
-- has_table_privilege function
-- bad-input checks
select has_table_privilege(NULL,'pg_authid','select');
 has_table_privilege 
---------------------
 
(1 row)

select has_table_privilege('pg_shad','select');
ERROR:  relation "pg_shad" does not exist
select has_table_privilege('nosuchuser','pg_authid','select');
ERROR:  role "nosuchuser" does not exist
select has_table_privilege('pg_authid','sel');
ERROR:  unrecognized privilege type: "sel"
select has_table_privilege(-999999,'pg_authid','update');
ERROR:  role with OID 4293967297 does not exist
select has_table_privilege(1,'select');
 has_table_privilege 
---------------------
 
(1 row)

-- superuser
\c -
select has_table_privilege(current_user,'pg_authid','select');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,'pg_authid','insert');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.oid,'pg_authid','update')
from (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.oid,'pg_authid','delete')
from (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

-- 'rule' privilege no longer exists, but for backwards compatibility
-- has_table_privilege still recognizes the keyword and says FALSE
select has_table_privilege(current_user,t1.oid,'rule')
from (select oid from pg_class where relname = 'pg_authid') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'references')
from (select oid from pg_class where relname = 'pg_authid') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.oid,t1.oid,'select')
from (select oid from pg_class where relname = 'pg_authid') as t1,
  (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.oid,t1.oid,'insert')
from (select oid from pg_class where relname = 'pg_authid') as t1,
  (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege('pg_authid','update');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege('pg_authid','delete');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege('pg_authid','truncate');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'select')
from (select oid from pg_class where relname = 'pg_authid') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'trigger')
from (select oid from pg_class where relname = 'pg_authid') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

-- non-superuser
SET SESSION AUTHORIZATION regressuser3;
select has_table_privilege(current_user,'pg_class','select');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,'pg_class','insert');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.oid,'pg_class','update')
from (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.oid,'pg_class','delete')
from (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'references')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.oid,t1.oid,'select')
from (select oid from pg_class where relname = 'pg_class') as t1,
  (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.oid,t1.oid,'insert')
from (select oid from pg_class where relname = 'pg_class') as t1,
  (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('pg_class','update');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('pg_class','delete');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('pg_class','truncate');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t1.oid,'select')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'trigger')
from (select oid from pg_class where relname = 'pg_class') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,'atest1','select');
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(current_user,'atest1','insert');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.oid,'atest1','update')
from (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.oid,'atest1','delete')
from (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(current_user,t1.oid,'references')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t2.oid,t1.oid,'select')
from (select oid from pg_class where relname = 'atest1') as t1,
  (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t2.oid,t1.oid,'insert')
from (select oid from pg_class where relname = 'atest1') as t1,
  (select oid from pg_roles where rolname = current_user) as t2;
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('atest1','update');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('atest1','delete');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege('atest1','truncate');
 has_table_privilege 
---------------------
 f
(1 row)

select has_table_privilege(t1.oid,'select')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 t
(1 row)

select has_table_privilege(t1.oid,'trigger')
from (select oid from pg_class where relname = 'atest1') as t1;
 has_table_privilege 
---------------------
 f
(1 row)

-- Grant options
SET SESSION AUTHORIZATION regressuser1;
CREATE TABLE atest4 (a int);
GRANT SELECT ON atest4 TO regressuser2 WITH GRANT OPTION;
GRANT UPDATE ON atest4 TO regressuser2;
GRANT SELECT ON atest4 TO GROUP regressgroup1 WITH GRANT OPTION;
SET SESSION AUTHORIZATION regressuser2;
GRANT SELECT ON atest4 TO regressuser3;
GRANT UPDATE ON atest4 TO regressuser3; -- fail
WARNING:  no privileges were granted for "atest4"
SET SESSION AUTHORIZATION regressuser1;
REVOKE SELECT ON atest4 FROM regressuser3; -- does nothing
SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- true
 has_table_privilege 
---------------------
 t
(1 row)

REVOKE SELECT ON atest4 FROM regressuser2; -- fail
ERROR:  dependent privileges exist
HINT:  Use CASCADE to revoke them too.
REVOKE GRANT OPTION FOR SELECT ON atest4 FROM regressuser2 CASCADE; -- ok
SELECT has_table_privilege('regressuser2', 'atest4', 'SELECT'); -- true
 has_table_privilege 
---------------------
 t
(1 row)

SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- false
 has_table_privilege 
---------------------
 f
(1 row)

SELECT has_table_privilege('regressuser1', 'atest4', 'SELECT WITH GRANT OPTION'); -- true
 has_table_privilege 
---------------------
 t
(1 row)

-- has_sequence_privilege tests
\c -
CREATE SEQUENCE x_seq;
GRANT USAGE on x_seq to regressuser2;
SELECT has_sequence_privilege('regressuser1', 'atest1', 'SELECT');
ERROR:  "atest1" is not a sequence
SELECT has_sequence_privilege('regressuser1', 'x_seq', 'INSERT');
ERROR:  unrecognized privilege type: "INSERT"
SELECT has_sequence_privilege('regressuser1', 'x_seq', 'SELECT');
 has_sequence_privilege 
------------------------
 f
(1 row)

SET SESSION AUTHORIZATION regressuser2;
SELECT has_sequence_privilege('x_seq', 'USAGE');
 has_sequence_privilege 
------------------------
 t
(1 row)

-- test default ACLs
\c -
CREATE SCHEMA testns;
GRANT ALL ON SCHEMA testns TO regressuser1;
CREATE TABLE testns.acltest1 (x int);
SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'SELECT'); -- no
 has_table_privilege 
---------------------
 f
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'INSERT'); -- no
 has_table_privilege 
---------------------
 f
(1 row)

ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT SELECT ON TABLES TO public;
SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'SELECT'); -- no
 has_table_privilege 
---------------------
 f
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'INSERT'); -- no
 has_table_privilege 
---------------------
 f
(1 row)

DROP TABLE testns.acltest1;
CREATE TABLE testns.acltest1 (x int);
SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'SELECT'); -- yes
 has_table_privilege 
---------------------
 t
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'INSERT'); -- no
 has_table_privilege 
---------------------
 f
(1 row)

ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT INSERT ON TABLES TO regressuser1;
DROP TABLE testns.acltest1;
CREATE TABLE testns.acltest1 (x int);
SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'SELECT'); -- yes
 has_table_privilege 
---------------------
 t
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'INSERT'); -- yes
 has_table_privilege 
---------------------
 t
(1 row)

ALTER DEFAULT PRIVILEGES IN SCHEMA testns REVOKE INSERT ON TABLES FROM regressuser1;
DROP TABLE testns.acltest1;
CREATE TABLE testns.acltest1 (x int);
SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'SELECT'); -- yes
 has_table_privilege 
---------------------
 t
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.acltest1', 'INSERT'); -- no
 has_table_privilege 
---------------------
 f
(1 row)

ALTER DEFAULT PRIVILEGES FOR ROLE regressuser1 REVOKE EXECUTE ON FUNCTIONS FROM public;
SET ROLE regressuser1;
CREATE FUNCTION testns.foo() RETURNS int AS 'select 1' LANGUAGE sql;
SELECT has_function_privilege('regressuser2', 'testns.foo()', 'EXECUTE'); -- no
 has_function_privilege 
------------------------
 f
(1 row)

ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT EXECUTE ON FUNCTIONS to public;
DROP FUNCTION testns.foo();
CREATE FUNCTION testns.foo() RETURNS int AS 'select 1' LANGUAGE sql;
SELECT has_function_privilege('regressuser2', 'testns.foo()', 'EXECUTE'); -- yes
 has_function_privilege 
------------------------
 t
(1 row)

DROP FUNCTION testns.foo();
RESET ROLE;
SELECT count(*)
  FROM pg_default_acl d LEFT JOIN pg_namespace n ON defaclnamespace = n.oid
  WHERE nspname = 'testns';
 count 
-------
     2
(1 row)

DROP SCHEMA testns CASCADE;
NOTICE:  drop cascades to table testns.acltest1
SELECT d.*     -- check that entries went away
  FROM pg_default_acl d LEFT JOIN pg_namespace n ON defaclnamespace = n.oid
  WHERE nspname IS NULL AND defaclnamespace != 0;
 defaclrole | defaclnamespace | defaclobjtype | defaclacl 
------------+-----------------+---------------+-----------
(0 rows)

-- Grant on all objects of given type in a schema
\c -
CREATE SCHEMA testns;
CREATE TABLE testns.t1 (f1 int);
CREATE TABLE testns.t2 (f1 int);
SELECT has_table_privilege('regressuser1', 'testns.t1', 'SELECT'); -- false
 has_table_privilege 
---------------------
 f
(1 row)

GRANT ALL ON ALL TABLES IN SCHEMA testns TO regressuser1;
SELECT has_table_privilege('regressuser1', 'testns.t1', 'SELECT'); -- true
 has_table_privilege 
---------------------
 t
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.t2', 'SELECT'); -- true
 has_table_privilege 
---------------------
 t
(1 row)

REVOKE ALL ON ALL TABLES IN SCHEMA testns FROM regressuser1;
SELECT has_table_privilege('regressuser1', 'testns.t1', 'SELECT'); -- false
 has_table_privilege 
---------------------
 f
(1 row)

SELECT has_table_privilege('regressuser1', 'testns.t2', 'SELECT'); -- false
 has_table_privilege 
---------------------
 f
(1 row)

CREATE FUNCTION testns.testfunc(int) RETURNS int AS 'select 3 * $1;' LANGUAGE sql;
SELECT has_function_privilege('regressuser1', 'testns.testfunc(int)', 'EXECUTE'); -- true by default
 has_function_privilege 
------------------------
 t
(1 row)

REVOKE ALL ON ALL FUNCTIONS IN SCHEMA testns FROM PUBLIC;
SELECT has_function_privilege('regressuser1', 'testns.testfunc(int)', 'EXECUTE'); -- false
 has_function_privilege 
------------------------
 f
(1 row)

SET client_min_messages TO 'warning';
DROP SCHEMA testns CASCADE;
RESET client_min_messages;
-- clean up
\c
drop sequence x_seq;
DROP FUNCTION testfunc2(int);
DROP FUNCTION testfunc4(boolean);
DROP VIEW atestv1;
DROP VIEW atestv2;
-- this should cascade to drop atestv4
DROP VIEW atestv3 CASCADE;
NOTICE:  drop cascades to view atestv4
-- this should complain "does not exist"
DROP VIEW atestv4;
ERROR:  view "atestv4" does not exist
DROP TABLE atest1;
DROP TABLE atest2;
DROP TABLE atest3;
DROP TABLE atest4;
DROP TABLE atest5;
DROP TABLE atest6;
DROP TABLE atestc;
DROP TABLE atestp1;
DROP TABLE atestp2;
DROP GROUP regressgroup1;
DROP GROUP regressgroup2;
-- these are needed to clean up permissions
REVOKE USAGE ON LANGUAGE sql FROM regressuser1;
DROP OWNED BY regressuser1;
DROP USER regressuser1;
DROP USER regressuser2;
DROP USER regressuser3;
DROP USER regressuser4;
DROP USER regressuser5;