@@ -42,6 +42,39 @@ CREATE TABLE IF NOT EXISTS @extschema@.pathman_config_params (
4242CREATE UNIQUE INDEX i_pathman_config_params
4343ON @extschema@.pathman_config_params(partrel);
4444
45+ GRANT SELECT , INSERT, UPDATE , DELETE
46+ ON @extschema@.pathman_config, @extschema@.pathman_config_params
47+ TO public;
48+
49+ /*
50+ * Check if current user can alter/drop specified relation
51+ */
52+ CREATE OR REPLACE FUNCTION @extschema@.can_manage_relation(relation regclass)
53+ RETURNS BOOL AS ' pg_pathman' , ' can_manage_relation' LANGUAGE C STRICT;
54+
55+ /*
56+ * Check user permissions. If permission denied then throw an error.
57+ */
58+ CREATE OR REPLACE FUNCTION @extschema@.check_permissions(relation regclass)
59+ RETURNS BOOL AS ' pg_pathman' , ' check_permissions' LANGUAGE C STRICT;
60+
61+ /*
62+ * Row security policy to restrict partitioning operations to owner and
63+ * superusers only
64+ */
65+ CREATE POLICY deny_modification ON @extschema@.pathman_config
66+ FOR ALL USING (can_manage_relation(partrel));
67+
68+ CREATE POLICY deny_modification ON @extschema@.pathman_config_params
69+ FOR ALL USING (can_manage_relation(partrel));
70+
71+ CREATE POLICY allow_select ON @extschema@.pathman_config FOR SELECT USING (true);
72+
73+ CREATE POLICY allow_select ON @extschema@.pathman_config_params FOR SELECT USING (true);
74+
75+ ALTER TABLE @extschema@.pathman_config ENABLE ROW LEVEL SECURITY;
76+ ALTER TABLE @extschema@.pathman_config_params ENABLE ROW LEVEL SECURITY;
77+
4578/*
4679 * Invalidate relcache every time someone changes parameters config.
4780 */
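Review bot: Both deny_modification policies call can_manage_relation without the `@extschema@.` prefix that every other reference in this hunk carries; writing `FOR ALL USING (@extschema@.can_manage_relation(partrel))` keeps name resolution independent of the search_path in effect when the script runs. The policy name reads as a denial, but it is this policy that permits writes, and because `GRANT ... TO public` gives every role DML on both tables, its predicate is the only write control left. The block comment should say so, and should add that row security is not applied to the table owner, superusers or roles with BYPASSRLS. With no WITH CHECK clause the USING expression is also applied to inserted and updated rows, which belongs in the same comment.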
@@ -96,6 +129,8 @@ CREATE OR REPLACE FUNCTION @extschema@.pathman_set_param(
96129RETURNS VOID AS
97130$$
98131BEGIN
132+ PERFORM @extschema@.check_permissions(relation);
133+
99134 EXECUTE format(' INSERT INTO @extschema@.pathman_config_params
100135 (partrel, %1$s) VALUES ($1, $2)
101136 ON CONFLICT (partrel) DO UPDATE SET %1$s = $2' , param)
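Review bot: The column name in the EXECUTE just below the new check is spliced in with `%1$s`, so `param` reaches the statement as raw SQL text rather than as a quoted identifier. Now that the config tables are granted to public this function is presumably reachable by ordinary roles, so both placeholders should become `%1$I`, ideally with `param` checked against the known parameter columns first. The PERFORM also discards the BOOL result of check_permissions, so the guard works only because the C function raises on denial, as its comment says; a one-line comment here stating that would stop a later reader from treating it as a no-op. The signature of pathman_set_param and the rest of its body are outside the hunk.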
@@ -301,7 +336,7 @@ CREATE OR REPLACE FUNCTION @extschema@.disable_pathman_for(
301336RETURNS VOID AS
302337$$
303338BEGIN
304- PERFORM @extschema@.validate_relname (parent_relid);
339+ PERFORM @extschema@.check_permissions (parent_relid);
305340
306341 DELETE FROM @extschema@.pathman_config WHERE partrel = parent_relid;
307342 PERFORM @extschema@.drop_triggers(parent_relid);
400435$$
401436LANGUAGE plpgsql STRICT;
402437
403- /*
404- * Validates relation name. It must be schema qualified.
405- */
406- CREATE OR REPLACE FUNCTION @extschema@.validate_relname(
407- cls REGCLASS)
408- RETURNS TEXT AS
409- $$
410- DECLARE
411- relname TEXT ;
412-
413- BEGIN
414- relname = @extschema@.get_schema_qualified_name(cls);
415-
416- IF relname IS NULL THEN
417- RAISE EXCEPTION ' relation %s does not exist' , cls;
418- END IF;
419-
420- RETURN relname;
421- END
422- $$
423- LANGUAGE plpgsql;
424-
425438/*
426439 * Check if two relations have equal structures.
427440 */
@@ -517,7 +530,7 @@ DECLARE
517530 v_relkind CHAR ;
518531
519532BEGIN
520- PERFORM @extschema@.validate_relname (parent_relid);
533+ PERFORM @extschema@.check_permissions (parent_relid);
521534
522535 /* Drop trigger first */
523536 PERFORM @extschema@.drop_triggers(parent_relid);
@@ -586,9 +599,6 @@ DECLARE
586599 rec RECORD;
587600
588601BEGIN
589- PERFORM @extschema@.validate_relname(parent_relid);
590- PERFORM @extschema@.validate_relname(partition);
591-
592602 FOR rec IN (SELECT oid as conid FROM pg_catalog .pg_constraint
593603 WHERE conrelid = parent_relid AND contype = ' f' )
594604 LOOP