fix: identifier double escaping

soedirgo · soedirgo · commit 75da739c9307 · 2023-08-09T14:01:32.000+08:00
`::regclass` already escapes identifier names, no need to `%I` it
diff --git a/src/lib/PostgresMetaColumnPrivileges.ts b/src/lib/PostgresMetaColumnPrivileges.ts
@@ -69,7 +69,7 @@ where a.attrelid = ${literal(relationId)}
   and a.attnum = ${literal(columnNumber)}
 into col;
 execute format(
-  'grant ${privilege_type} (%I) on %I to ${
+  'grant ${privilege_type} (%I) on %s to ${
       grantee.toLowerCase() === 'public' ? 'public' : ident(grantee)
     } ${is_grantable ? 'with grant option' : ''}',
   col.attname,
@@ -113,7 +113,7 @@ where a.attrelid = ${literal(relationId)}
   and a.attnum = ${literal(columnNumber)}
 into col;
 execute format(
-  'revoke ${privilege_type} (%I) on %I from ${
+  'revoke ${privilege_type} (%I) on %s from ${
       grantee.toLowerCase() === 'public' ? 'public' : ident(grantee)
     }',
   col.attname,
diff --git a/src/lib/PostgresMetaTablePrivileges.ts b/src/lib/PostgresMetaTablePrivileges.ts
@@ -115,7 +115,7 @@ begin
 ${grants
   .map(
     ({ privilege_type, relation_id, grantee, is_grantable }) =>
-      `execute format('grant ${privilege_type} on table %I to ${
+      `execute format('grant ${privilege_type} on table %s to ${
         grantee.toLowerCase() === 'public' ? 'public' : ident(grantee)
       } ${is_grantable ? 'with grant option' : ''}', ${relation_id}::regclass);`
   )
@@ -147,7 +147,7 @@ begin
 ${revokes
   .map(
     (revoke) =>
-      `execute format('revoke ${revoke.privilege_type} on table %I from ${revoke.grantee}', ${revoke.relation_id}::regclass);`
+      `execute format('revoke ${revoke.privilege_type} on table %s from ${revoke.grantee}', ${revoke.relation_id}::regclass);`
   )
   .join('\n')}
 end $$;
diff --git a/test/server/column-privileges.ts b/test/server/column-privileges.ts
@@ -81,7 +81,7 @@ test('revoke & grant column privileges', async () => {
     ],
   })
   let privs = res.json<PostgresColumnPrivileges[]>()
-  expect(privs.length === 1)
+  expect(privs.length).toBe(1)
   expect(privs[0]).toMatchInlineSnapshot(
     { column_id: expect.stringMatching(/^\d+\.\d+$/) },
     `
@@ -156,7 +156,7 @@ test('revoke & grant column privileges', async () => {
     ],
   })
   privs = res.json<PostgresColumnPrivileges[]>()
-  expect(privs.length === 1)
+  expect(privs.length).toBe(1)
   expect(privs[0]).toMatchInlineSnapshot(
     { column_id: expect.stringMatching(/^\d+\.\d+$/) },
     `
@@ -206,3 +206,158 @@ test('revoke & grant column privileges', async () => {
     throw new Error(res.payload)
   }
 })
+
+test('revoke & grant column privileges w/ quoted column name', async () => {
+  let res = await app.inject({
+    method: 'POST',
+    path: '/query',
+    payload: {
+      query: `create role r; create table "t 1"("c 1" int8);`,
+    },
+  })
+  if (res.json().error) {
+    throw new Error(res.payload)
+  }
+
+  res = await app.inject({ method: 'GET', path: '/column-privileges' })
+  const { column_id } = res
+    .json<PostgresColumnPrivileges[]>()
+    .find(({ relation_name, column_name }) => relation_name === 't 1' && column_name === 'c 1')!
+
+  res = await app.inject({
+    method: 'POST',
+    path: '/column-privileges',
+    payload: [
+      {
+        column_id,
+        grantee: 'r',
+        privilege_type: 'ALL',
+      },
+    ],
+  })
+  let privs = res.json<PostgresColumnPrivileges[]>()
+  expect(privs.length).toBe(1)
+  expect(privs[0]).toMatchInlineSnapshot(
+    { column_id: expect.stringMatching(/^\d+\.\d+$/) },
+    `
+    {
+      "column_id": StringMatching /\\^\\\\d\\+\\\\\\.\\\\d\\+\\$/,
+      "column_name": "c 1",
+      "privileges": [
+        {
+          "grantee": "r",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "UPDATE",
+        },
+        {
+          "grantee": "r",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "SELECT",
+        },
+        {
+          "grantee": "r",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "REFERENCES",
+        },
+        {
+          "grantee": "r",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "INSERT",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "UPDATE",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "SELECT",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "REFERENCES",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "INSERT",
+        },
+      ],
+      "relation_name": "t 1",
+      "relation_schema": "public",
+    }
+  `
+  )
+
+  res = await app.inject({
+    method: 'DELETE',
+    path: '/column-privileges',
+    payload: [
+      {
+        column_id,
+        grantee: 'r',
+        privilege_type: 'ALL',
+      },
+    ],
+  })
+  privs = res.json<PostgresColumnPrivileges[]>()
+  expect(privs.length).toBe(1)
+  expect(privs[0]).toMatchInlineSnapshot(
+    { column_id: expect.stringMatching(/^\d+\.\d+$/) },
+    `
+    {
+      "column_id": StringMatching /\\^\\\\d\\+\\\\\\.\\\\d\\+\\$/,
+      "column_name": "c 1",
+      "privileges": [
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "UPDATE",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "SELECT",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "REFERENCES",
+        },
+        {
+          "grantee": "postgres",
+          "grantor": "postgres",
+          "is_grantable": false,
+          "privilege_type": "INSERT",
+        },
+      ],
+      "relation_name": "t 1",
+      "relation_schema": "public",
+    }
+  `
+  )
+
+  res = await app.inject({
+    method: 'POST',
+    path: '/query',
+    payload: {
+      query: `drop role r; drop table "t 1";`,
+    },
+  })
+  if (res.json().error) {
+    throw new Error(res.payload)
+  }
+})
diff --git a/test/server/table-privileges.ts b/test/server/table-privileges.ts
