Use has_privs_for_roles for predefined role checks: round 2

jconway · jconway · commit 9752436f0494 · 2022-04-02T13:24:38.000-04:00
Similar to commit 6198420, replace is_member_of_role with has_privs_for_role for predefined role access checks in recently committed basebackup code. In passing fix a double-word error in a nearby comment. Discussion: https://postgr.es/m/flat/CAGB+Vh4Zv_TvKt2tv3QNS6tUM_F_9icmuj0zjywwcgVi4PAhFA@mail.gmail.com
diff --git a/contrib/basebackup_to_shell/basebackup_to_shell.c b/contrib/basebackup_to_shell/basebackup_to_shell.c
@@ -90,7 +90,7 @@ _PG_init(void)
 }
 
 /*
- * We choose to defer sanity sanity checking until shell_get_sink(), and so
+ * We choose to defer sanity checking until shell_get_sink(), and so
  * just pass the target detail through without doing anything. However, we do
  * permissions checks here, before any real work has been done.
  */
@@ -103,7 +103,7 @@ shell_check_detail(char *target, char *target_detail)
 
 		StartTransactionCommand();
 		roleid = get_role_oid(shell_required_role, true);
-		if (!is_member_of_role(GetUserId(), roleid))
+		if (!has_privs_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to use basebackup_to_shell")));
diff --git a/doc/src/sgml/ref/pg_basebackup.sgml b/doc/src/sgml/ref/pg_basebackup.sgml
@@ -237,7 +237,7 @@ PostgreSQL documentation
         <literal>server:/some/path</literal>, the backup will be stored on
         the machine where the server is running in the
         <literal>/some/path</literal> directory. Storing a backup on the
-        server requires superuser privileges or being granted the
+        server requires superuser privileges or having privileges of the
         <literal>pg_write_server_files</literal> role. If the target is set to
         <literal>blackhole</literal>, the contents are discarded and not
         stored anywhere. This should only be used for testing purposes, as you
diff --git a/src/backend/replication/basebackup_server.c b/src/backend/replication/basebackup_server.c
@@ -69,10 +69,10 @@ bbsink_server_new(bbsink *next, char *pathname)
 
 	/* Replication permission is not sufficient in this case. */
 	StartTransactionCommand();
-	if (!is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES))
+	if (!has_privs_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("must be superuser or a member of the pg_write_server_files role to create server backup")));
+				 errmsg("must be superuser or a role with privileges of the pg_write_server_files role to create server backup")));
 	CommitTransactionCommand();
 
 	/*
