Privileges on functions and procedural languages

Author: petere

doc/src/sgml/catalogs.sgml

@@ -1,6 +1,6 @@
 <!--
  Documentation of the system catalogs, directed toward PostgreSQL developers
- $Header: /cvsroot/pgsql/doc/src/sgml/catalogs.sgml,v 2.29 2001/11/21 05:53:40 thomas Exp $
+ $Header: /cvsroot/pgsql/doc/src/sgml/catalogs.sgml,v 2.30 2002/02/18 23:10:59 petere Exp $
  -->
 
 <chapter id="catalogs">
@@ -1261,6 +1261,13 @@
       <entry></entry>
       <entry>not currently used</entry>
      </row>
+
+     <row>
+      <entry>lanacl</entry>
+      <entry><type>aclitem[]</type></entry>
+      <entry></entry>
+      <entry>Access permissions</entry>
+     </row>
     </tbody>
    </tgroup>
   </table>
@@ -1699,6 +1706,13 @@
       Again, the interpretation is language-specific.
       </entry>
      </row>
+
+     <row>
+      <entry>proacl</entry>
+      <entry><type>aclitem[]</type></entry>
+      <entry></entry>
+      <entry>Access permissions</entry>
+     </row>
     </tbody>
    </tgroup>
   </table>

doc/src/sgml/ref/create_function.sgml

@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.30 2001/12/08 03:24:34 thomas Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_function.sgml,v 1.31 2002/02/18 23:11:02 petere Exp $
 -->
 
 <refentry id="SQL-CREATEFUNCTION">
@@ -270,6 +270,17 @@ CREATE [ OR REPLACE ] FUNCTION <replaceable class="parameter">name</replaceable>
     definition without breaking objects that refer to the function.
    </para>
 
+  <para>
+   To be able to define a function, the user must have the
+   <literal>USAGE</literal> privilege on the language.
+  </para>
+
+  <para>
+   By default, only the owner (creator) of the function has the right
+   to execute it.  Other users must be granted the
+   <literal>EXECUTE</literal> privilege on the function to be able to
+   use it.
+  </para>
  </refsect1>
 
 
@@ -369,7 +380,9 @@ Point * complex_to_point (Complex *z)
 
   <para>
    <xref linkend="sql-dropfunction">,
+   <xref linkend="sql-grant">,
    <xref linkend="sql-load">,
+   <xref linkend="sql-revoke">,
    <citetitle>PostgreSQL Programmer's Guide</citetitle>
   </para>
  </refsect1>

doc/src/sgml/ref/create_language.sgml

@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_language.sgml,v 1.20 2001/12/08 03:24:34 thomas Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_language.sgml,v 1.21 2002/02/18 23:11:02 petere Exp $
 PostgreSQL documentation
 -->
 
@@ -203,15 +203,22 @@ ERROR:  PL handler function <replaceable class="parameter">funcname</replaceable
    lanname   | lanispl | lanpltrusted | lanplcallfoid | lancompiler
 -------------+---------+--------------+---------------+-------------
  internal    | f       | f            |             0 | n/a
- C           | f       | f            |             0 | /bin/cc
- sql         | f       | f            |             0 | postgres
+ c           | f       | f            |             0 | /bin/cc
+ sql         | f       | t            |             0 | postgres
 </screen>
   </para>
 
   <para>
    At present, the definition of a procedural language cannot be
    changed once it has been created.
   </para>
+
+  <para>
+   To be able to use a procedural language, a user must be granted the
+   <literal>USAGE</literal> privilege.  The
+   <command>createlang</command> program automatically grants
+   permissions to everyone if the language is known to be trusted.
+  </para>
  </refsect1>
 
  <refsect1 id="sql-createlanguage-examples">
@@ -257,6 +264,8 @@ CREATE LANGUAGE plsample
     <member><xref linkend="sql-createfunction"></member>
     <member><xref linkend="app-droplang"></member>
     <member><xref linkend="sql-droplanguage"></member>
+    <member><xref linkend="sql-grant"></member>
+    <member><xref linkend="sql-revoke"></member>
     <member><citetitle>PostgreSQL Programmer's Guide</citetitle></member>
    </simplelist>
   </para>

doc/src/sgml/ref/grant.sgml

@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.19 2002/01/20 22:19:57 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.20 2002/02/18 23:11:02 petere Exp $
 PostgreSQL documentation
 -->
 
@@ -19,6 +19,14 @@ PostgreSQL documentation
 GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
     ON [ TABLE ] <replaceable class="PARAMETER">objectname</replaceable> [, ...]
     TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+GRANT { EXECUTE | ALL [ PRIVILEGES ] }
+    ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+GRANT { USAGE | ALL [ PRIVILEGES ] }
+    ON LANGUAGE <replaceable>langname</replaceable> [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 </synopsis>
  </refsynopsisdiv>
 
@@ -27,8 +35,9 @@ GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,..
 
   <para>
    The <command>GRANT</command> command gives specific permissions on
-   an object (table, view, sequence) to one or more users or groups of users.
-   These permissions are added to those already granted, if any.
+   an object (table, view, sequence, function, procedural language) to
+   one or more users or groups of users.  These permissions are added
+   to those already granted, if any.
   </para>
 
   <para>
@@ -134,14 +143,36 @@ GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,..
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term>EXECUTE</term>
+     <listitem>
+      <para>
+       Allows the use of the specified function and the use of any
+       operators that are implemented on top of the function.  This is
+       the only type of privilege that is applicable to functions.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term>USAGE</term>
+     <listitem>
+      <para>
+       Allows the use of the specified procedural language for the
+       creation of functions in that language.  This is the only type
+       of privilege that is applicable to procedural languages.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry>
      <term>ALL PRIVILEGES</term>
      <listitem>
       <para>
-       Grant all of the above privileges at once.  The
-       <literal>PRIVILEGES</literal> key word is optional in
-       <productname>PostgreSQL</productname>, though it is
-       required by strict SQL.
+       Grant all of the privileges applicable to the object at once.
+       The <literal>PRIVILEGES</literal> key word is optional in
+       <productname>PostgreSQL</productname>, though it is required by
+       strict SQL.
       </para>
      </listitem>
     </varlistentry>

doc/src/sgml/ref/revoke.sgml

@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.19 2001/12/08 03:24:39 thomas Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.20 2002/02/18 23:11:03 petere Exp $
 PostgreSQL documentation
 -->
 
@@ -19,6 +19,14 @@ PostgreSQL documentation
 REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
     ON [ TABLE ] <replaceable class="PARAMETER">object</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+REVOKE { EXECUTE | ALL [ PRIVILEGES ] }
+    ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+REVOKE { USAGE | ALL [ PRIVILEGES ] }
+    ON LANGUAGE <replaceable>langname</replaceable> [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 </synopsis>
  </refsynopsisdiv>
 

doc/src/sgml/release.sgml

@@ -1,10 +1,35 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.115 2002/01/31 21:20:03 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.116 2002/02/18 23:11:00 petere Exp $
 -->
 
 <appendix id="release">
  <title>Release Notes</title>
 
+ <sect1 id="release-devel">
+  <title>&version; Development Branch</title>
+
+  <para>
+   Below is a subset of the changes that have gone into the
+   development branch of PostgreSQL since version 7.2.  For a complete
+   list of changes, consult the CVS logs.
+  </para>
+
+<!--
+Developers: When you add a feature, mention it here.  This avoids
+lossiness when digging out the information from the CVS logs, and
+furthermore it advertises your feature to external parties at the
+earliest possible moment.
+ 
+CDATA means the content is "SGML-free", so you can write without
+worries about funny characters.
+-->
+<literallayout><![CDATA[
+Access privileges on functions
+Access privileges on procedural languages
+]]></literallayout>
+
+ </sect1>
+
  <sect1 id="release-7-2">
   <title>Release 7.2</title>