From: Akshay Joshi
Date: Wed, 19 Mar 2025 18:12:10 +0530
Subject: Re: Regarding Feature #5305
To: Dave Page
Cc: pgadmin-hackers

On Wed, Mar 19, 2025 at 5:11 PM Dave Page wrote:

> On Wed, 19 Mar 2025 at 11:12, Akshay Joshi wrote:
>
>> Hi Dave/Hackers,
>>
>> I have started working on the feature #5305. Based on my
>> understanding, the Object Explorer should only display nodes or objects
>> where the currently logged-in user has at least one permission granted in
>> the ACL. In other words, the user must have some level of access to each
>> object displayed.
>>
>> For example, consider two users: 'postgres' (the default user) and
>> 'test'. There are objects, such as a table, where the 'test' user does not
>> have any permissions. This table was created by the 'postgres' user, who
>> has revoked all permissions for other users. Now, if the 'test' user logs
>> into the database server, we need to check whether the logged-in user has
>> any permissions on the object. If not, it should not be displayed in the
>> Object Explorer.
>>
>> We will have a preference for whether to apply this check or not. There
>> are the following two solutions that can be implemented:
>> 1) Change the *nodes.sql* to filter out the nodes based on privileges.
>> (It's challenging, as I tried with aclexplode(relacl), unnest(relacl) in the
>> WHERE clause, and other different attempts to filter out Table nodes, but
>> it seems we will find some solution for sure).
>> 2) Once nodes are fetched, then filter out the data at the backend.
>>
>> Any other solution or suggestion?
>>
>
> This seems like it would be a very large amount of work, for very little
> gain, and would certainly be inconsistent with how we would expect to
> browse files and folders for example. I do not think it is worth the effort.
>

OK, thanks. So should we keep this feature request open or close it?

>
> --
> Dave Page
> pgAdmin: https://www.pgadmin.org
> PostgreSQL: https://www.postgresql.org
> pgEdge: https://www.pgedge.com
>


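Option 1 from the quoted proposal, as an added example that is not part of the original message and is not pgAdmin's nodes.sql: filtering table nodes with PostgreSQL's privilege inquiry functions instead of unpacking relacl, whose NULL value (default privileges) yields no rows from aclexplode(). The role, table names and the 'public' schema are constructed for illustration.

```sql
-- Added example; constructed setup, run as a superuser in a scratch database.
CREATE ROLE test LOGIN;

CREATE TABLE public.hidden_tbl  (id int);            -- relacl stays NULL: defaults only
CREATE TABLE public.visible_tbl (id int);
CREATE TABLE public.col_tbl     (id int, note text);

GRANT SELECT      ON public.visible_tbl TO test;     -- table-level grant
GRANT SELECT (id) ON public.col_tbl     TO test;     -- column-level grant only

-- Evaluate the filter as the logged-in user would.
SET ROLE test;

SELECT c.oid, c.relname AS name
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'            -- assumption: the schema node being expanded
  AND c.relkind IN ('r', 'p')         -- ordinary and partitioned tables
  AND (
        -- Owned objects stay visible even if the owner revoked its own rights.
        pg_catalog.pg_has_role(c.relowner, 'USAGE')
        -- True if ANY listed privilege is held, directly, through role
        -- membership, or through PUBLIC. A NULL relacl is handled correctly.
        -- MAINTAIN (PostgreSQL 17+) is left out so older servers accept the list.
     OR pg_catalog.has_table_privilege(
            c.oid,
            'SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER')
        -- Column-level grants do not show up in the table-level check.
     OR pg_catalog.has_any_column_privilege(
            c.oid,
            'SELECT, INSERT, UPDATE, REFERENCES')
  )
ORDER BY c.relname;

RESET ROLE;

-- Clean up the constructed objects.
DROP TABLE public.hidden_tbl, public.visible_tbl, public.col_tbl;
DROP ROLE test;
```

A filter like this changes only what the tree displays: any role can still read the same object names from pg_catalog.pg_class, so it is a usability feature and not an access control.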