diff options
Diffstat (limited to 'src/backend/commands')
| -rw-r--r-- | src/backend/commands/portalcmds.c | 5 | ||||
| -rw-r--r-- | src/backend/commands/trigger.c | 12 |
2 files changed, 17 insertions, 0 deletions
diff --git a/src/backend/commands/portalcmds.c b/src/backend/commands/portalcmds.c index e52830f7ec2..ff744ecf1a8 100644 --- a/src/backend/commands/portalcmds.c +++ b/src/backend/commands/portalcmds.c @@ -27,6 +27,7 @@ #include "commands/portalcmds.h" #include "executor/executor.h" #include "executor/tstoreReceiver.h" +#include "miscadmin.h" #include "tcop/pquery.h" #include "utils/memutils.h" #include "utils/snapmgr.h" @@ -67,6 +68,10 @@ PerformCursorOpen(PlannedStmt *stmt, ParamListInfo params, */ if (!(cstmt->options & CURSOR_OPT_HOLD)) RequireTransactionChain(isTopLevel, "DECLARE CURSOR"); + else if (InSecurityRestrictedOperation()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("cannot create a cursor WITH HOLD within security-restricted operation"))); /* * Create a portal and copy the plan and queryString into its memory. diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index ae0aa2cde69..9638fb0a016 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -3701,6 +3701,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, bool immediate_only) { bool found = false; + bool deferred_found = false; AfterTriggerEvent event; AfterTriggerEventChunk *chunk; @@ -3736,6 +3737,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, */ if (defer_it && move_list != NULL) { + deferred_found = true; /* add it to move_list */ afterTriggerAddEvent(move_list, event, evtshared); /* mark original copy "done" so we don't do it again */ @@ -3743,6 +3745,16 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, } } + /* + * We could allow deferred triggers if, before the end of the + * security-restricted operation, we were to verify that a SET CONSTRAINTS + * ... IMMEDIATE has fired all such triggers. For now, don't bother. + */ + if (deferred_found && InSecurityRestrictedOperation()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("cannot fire deferred trigger within security-restricted operation"))); + return found; } |