From f23180508e7e9fb9f2fd85e17becfe418b2f61a0 Mon Sep 17 00:00:00 2001
From: douxin
Date: Sat, 31 Aug 2024 19:49:54 +0800
Subject: [PATCH] [bugfix] repair access a table through a synonym when no permissions
---
 src/common/backend/catalog/namespace.cpp | 4 +
 .../regress/expected/synonym_permission.out | 86 +++++++++++++++++++
 src/test/regress/parallel_schedule0A | 1 +
 src/test/regress/sql/synonym_permission.sql | 48 +++++++++++
 4 files changed, 139 insertions(+)
 create mode 100644 src/test/regress/expected/synonym_permission.out
 create mode 100644 src/test/regress/sql/synonym_permission.sql
diff --git a/src/common/backend/catalog/namespace.cpp b/src/common/backend/catalog/namespace.cpp
index 5283da063..6c05470fa 100644
--- a/src/common/backend/catalog/namespace.cpp
+++ b/src/common/backend/catalog/namespace.cpp
@@ -305,6 +305,10 @@ Oid RangeVarGetRelidExtended(const RangeVar* relation, LOCKMODE lockmode, bool m
 if (isSupportSynonym) {
 pfree_ext(errDetail);
 errDetail = RelnameGetRelidExtended(relation->relname, &relId, refSynOid, detailInfo);
+ if (relId != NULL && OidIsValid(relId)) {
+ Oid namespaceId = get_rel_namespace(relId);
+ LookupExplicitNamespace(get_namespace_name(namespaceId));
+ }
 } else {
 relId = RelnameGetRelid(relation->relname, detailInfo);
 }
diff --git a/src/test/regress/expected/synonym_permission.out b/src/test/regress/expected/synonym_permission.out
new file mode 100644
index 000000000..1571f8849
--- /dev/null
+++ b/src/test/regress/expected/synonym_permission.out
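Review bot: In the namespace.cpp hunk, `get_namespace_name(namespaceId)` is passed straight into `LookupExplicitNamespace` with no NULL check, so if the relation or its schema disappears between the name lookup and this call the permission check presumably receives a NULL name. Hold the name in a local, fail closed when it is NULL (treat the relation as not found rather than skipping the check), and release it with `pfree_ext` afterwards. The guard `relId != NULL` compares an `Oid` with a pointer constant and is already covered by the second operand, so `if (OidIsValid(relId)) {` is sufficient. A comment such as `/* a synonym may resolve into a schema the caller has no USAGE on */` would explain why a lookup that already succeeded is checked again. The enclosing function starts and ends outside the hunk.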
@@ -0,0 +1,86 @@
+drop database db_1138120;
+ERROR: database "db_1138120" does not exist
+drop user user1_1138120;
+ERROR: role "user1_1138120" does not exist
+drop user user2_1138120;
+ERROR: role "user2_1138120" does not exist
+-- create database and user
+CREATE DATABASE db_1138120;
+\c db_1138120
+CREATE USER user1_1138120 PASSWORD 'Abc@1138120';
+grant all on database db_1138120 to user1_1138120;
+CREATE USER user2_1138120 PASSWORD 'Abc@1138120';
+grant all on database db_1138120 to user2_1138120;
+-- create synonym
+create or replace synonym user2_1138120.syn1_1138120 for user1_1138120.tab_1138120;
+-- \c - user1_1138120
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+create table tab_1138120 (id int,name text);
+insert into tab_1138120 values (1,'abc');
+select * from tab_1138120;
+ id | name
+----+------
+ 1 | abc
+(1 row)
+
+-- \c - user2_1138120
+-- no permission for table and schema
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+ERROR: permission denied for schema user1_1138120
+LINE 1: select * from user1_1138120.tab_1138120;
+ ^
+DETAIL: N/A
+select * from syn1_1138120;
+ERROR: permission denied for schema user1_1138120
+LINE 1: select * from syn1_1138120;
+ ^
+DETAIL: N/A
+-- add table permission
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+grant all privileges on table tab_1138120 to user2_1138120;
+-- no permission for schema
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+ERROR: permission denied for schema user1_1138120
+LINE 1: select * from user1_1138120.tab_1138120;
+ ^
+DETAIL: N/A
+select * from syn1_1138120;
+ERROR: permission denied for schema user1_1138120
+LINE 1: select * from syn1_1138120;
+ ^
+DETAIL: N/A
+-- add schema permission
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+grant usage on schema user1_1138120 to user2_1138120;
+-- have permission for schema and table, query success
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+ id | name
+----+------
+ 1 | abc
+(1 row)
+
+select * from syn1_1138120;
+ id | name
+----+------
+ 1 | abc
+(1 row)
+
+-- revoke table permission
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+revoke all privileges on table tab_1138120 from user2_1138120;
+-- no table permission
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+ERROR: permission denied for relation tab_1138120
+DETAIL: N/A
+select * from syn1_1138120;
+ERROR: permission denied for relation tab_1138120
+DETAIL: N/A
+--clear
+\c postgres
+drop database db_1138120;
+drop user user1_1138120;
+drop user user2_1138120;
diff --git a/src/test/regress/parallel_schedule0A b/src/test/regress/parallel_schedule0A
index 16918098b..809f43156 100644
--- a/src/test/regress/parallel_schedule0A
+++ b/src/test/regress/parallel_schedule0A
@@ -294,6 +294,7 @@ test: single_node_triggers # Synonym tests #test: single_node_synonym test: synonym_conflict_test +test: synonym_permission # unsupported view tests test: single_node_unsupported_view
diff --git a/src/test/regress/sql/synonym_permission.sql b/src/test/regress/sql/synonym_permission.sql
new file mode 100644
index 000000000..5ef867a96
--- /dev/null
+++ b/src/test/regress/sql/synonym_permission.sql
@@ -0,0 +1,48 @@
+drop database db_1138120;
+drop user user1_1138120;
+drop user user2_1138120;
+-- create database and user
+CREATE DATABASE db_1138120;
+\c db_1138120
+CREATE USER user1_1138120 PASSWORD 'Abc@1138120';
+grant all on database db_1138120 to user1_1138120;
+CREATE USER user2_1138120 PASSWORD 'Abc@1138120';
+grant all on database db_1138120 to user2_1138120;
+-- create synonym
+create or replace synonym user2_1138120.syn1_1138120 for user1_1138120.tab_1138120;
+-- \c - user1_1138120
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+create table tab_1138120 (id int,name text);
+insert into tab_1138120 values (1,'abc');
+select * from tab_1138120;
+-- \c - user2_1138120
+-- no permission for table and schema
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+select * from syn1_1138120;
+-- add table permission
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+grant all privileges on table tab_1138120 to user2_1138120;
+-- no permission for schema
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+select * from syn1_1138120;
+-- add schema permission
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+grant usage on schema user1_1138120 to user2_1138120;
+-- have permission for schema and table, query success
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+select * from syn1_1138120;
+-- revoke table permission
+SET SESSION AUTHORIZATION user1_1138120 password 'Abc@1138120';
+revoke all privileges on table tab_1138120 from user2_1138120;
+-- no table permission
+SET SESSION AUTHORIZATION user2_1138120 password 'Abc@1138120';
+select * from user1_1138120.tab_1138120;
+select * from syn1_1138120;
+--clear
+\c postgres
+drop database db_1138120;
+drop user user1_1138120;
+drop user user2_1138120;
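Review bot: The test exercises the new schema check only through an unqualified read, `select * from syn1_1138120;`, so the schema-qualified reference `select * from user2_1138120.syn1_1138120;` and write access through the synonym are never run in any of the four permission states. The fix sits in the unqualified-name branch of the relation lookup, and a qualified synonym reference may resolve on a different path that the hunk does not show. Adding the qualified select and one write, for example `insert into syn1_1138120 values (2,'x');` (constructed sample), after each `SET SESSION AUTHORIZATION user2_1138120` would pin the same denial there; the expected output file needs the matching lines.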