Remove redundant privilege check from pg_sequences system view.
authorNathan Bossart <[email protected]>
Mon, 1 Jul 2024 16:47:40 +0000 (11:47 -0500)
committerNathan Bossart <[email protected]>
Mon, 1 Jul 2024 16:47:40 +0000 (11:47 -0500)
This commit adjusts pg_sequence_last_value() to return NULL instead
of ERROR-ing for sequences for which the current user lacks
privileges.  This allows us to remove the call to
has_sequence_privilege() in the definition of the pg_sequences
system view.

Bumps catversion.

Suggested-by: Michael Paquier
Reviewed-by: Michael Paquier, Tom Lane
Discussion: https://postgr.es/m/20240501005730.GA594666%40nathanxps13

src/backend/catalog/system_views.sql
src/backend/commands/sequence.c
src/include/catalog/catversion.h
src/test/regress/expected/rules.out

index efb29adeb39cc5689980595f5328be3057ca2562..19cabc9a47fa0872a5810fd8444dbf522dc7d595 100644 (file)
@@ -176,11 +176,7 @@ CREATE VIEW pg_sequences AS
         S.seqincrement AS increment_by,
         S.seqcycle AS cycle,
         S.seqcache AS cache_size,
-        CASE
-            WHEN has_sequence_privilege(C.oid, 'SELECT,USAGE'::text)
-                THEN pg_sequence_last_value(C.oid)
-            ELSE NULL
-        END AS last_value
+        pg_sequence_last_value(C.oid) AS last_value
     FROM pg_sequence S JOIN pg_class C ON (C.oid = S.seqrelid)
          LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
     WHERE NOT pg_is_other_temp_schema(N.oid)
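Review bot: With the CASE gone, nothing in the view definition shows that `last_value` is privilege-gated; the only enforcement is now inside pg_sequence_last_value(), so a later change to that function could expose sequence positions through this view to roles with no rights on the sequence, without this file being touched. I would add a comment above the new line, e.g. `-- NULL unless the caller has SELECT or USAGE on the sequence; enforced in pg_sequence_last_value()`. Of the files listed for this commit, only rules.out is test output, and it pins the view text rather than its behaviour. If no existing test covers it, a regression case where a role without either privilege reads pg_sequences and gets NULL for last_value would guard this boundary. The CREATE VIEW statement starts and ends outside the hunk.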
index b4ad19c05396062e2b99861d23be77ee0ec9c5e6..9f28d40466b5a06762f4f4dde269377aea005783 100644 (file)
@@ -1790,21 +1790,17 @@ pg_sequence_last_value(PG_FUNCTION_ARGS)
    /* open and lock sequence */
    init_sequence(relid, &elm, &seqrel);
 
-   if (pg_class_aclcheck(relid, GetUserId(), ACL_SELECT | ACL_USAGE) != ACLCHECK_OK)
-       ereport(ERROR,
-               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                errmsg("permission denied for sequence %s",
-                       RelationGetRelationName(seqrel))));
-
    /*
     * We return NULL for other sessions' temporary sequences.  The
     * pg_sequences system view already filters those out, but this offers a
     * defense against ERRORs in case someone invokes this function directly.
     *
     * Also, for the benefit of the pg_sequences view, we return NULL for
-    * unlogged sequences on standbys instead of throwing an error.
+    * unlogged sequences on standbys and for sequences for which the current
+    * user lacks privileges instead of throwing an error.
     */
-   if (!RELATION_IS_OTHER_TEMP(seqrel) &&
+   if (pg_class_aclcheck(relid, GetUserId(), ACL_SELECT | ACL_USAGE) == ACLCHECK_OK &&
+       !RELATION_IS_OTHER_TEMP(seqrel) &&
        (RelationIsPermanent(seqrel) || !RecoveryInProgress()))
    {
        Buffer      buf;
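Review bot: The updated comment says NULL is returned when the user "lacks privileges" but not which privileges or how they combine, and after this commit the `pg_class_aclcheck(...) == ACLCHECK_OK` test at the head of the condition is the only thing keeping last_value from unprivileged readers of the view. I would spell that out in the comment, e.g. `* The privilege test (SELECT or USAGE, either suffices) is the sole access check behind pg_sequences.last_value; do not drop or weaken it.` This assumes pg_class_aclcheck keeps any-of semantics for a multi-bit mask, which would match the removed has_sequence_privilege(..., 'SELECT,USAGE') call. A direct caller can also no longer tell "permission denied" from the other NULL cases, which deserves a sentence in the function's header comment. The function body starts and ends outside the hunk.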
index 7363a445fc475912b12b0acca3cc4b1543d4a946..969980afd694803c070ce5ed4c6c125c597d7f4b 100644 (file)
@@ -57,6 +57,6 @@
  */
 
 /*                         yyyymmddN */
-#define CATALOG_VERSION_NO 202407011
+#define CATALOG_VERSION_NO 202407012
 
 #endif
index e12ef4336a25d95e4ef72d1e4c5c2f74ef2154db..4c789279e5e633b52225b84e5c1b63502b02b3de 100644 (file)
@@ -1700,10 +1700,7 @@ pg_sequences| SELECT n.nspname AS schemaname,
     s.seqincrement AS increment_by,
     s.seqcycle AS cycle,
     s.seqcache AS cache_size,
-        CASE
-            WHEN has_sequence_privilege(c.oid, 'SELECT,USAGE'::text) THEN pg_sequence_last_value((c.oid)::regclass)
-            ELSE NULL::bigint
-        END AS last_value
+    pg_sequence_last_value((c.oid)::regclass) AS last_value
    FROM ((pg_sequence s
      JOIN pg_class c ON ((c.oid = s.seqrelid)))
      LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace)))