From 076f9f54225079e0117227481fbe22f2dff81687 Mon Sep 17 00:00:00 2001
From: Robert Treat <rob@xzilla.net>
Date: Wed, 28 Oct 2020 01:18:52 -0400
Subject: [PATCH] Consider group membership when testing owned_only

Based on code and suggestions from @cathysax, ultimately I used the internal
pg_has_role function to test whether a user has ownership rights based on
group membership. I actually check for 'USAGE' rights, since that implies the
role has rights without need to `set role`, which users wouldn't be able to do
with a normal PPA login. Loosely tested back to 9.5.
This fixes https://github.com/phppgadmin/phppgadmin/issues/102
---
 classes/database/Postgres.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/database/Postgres.php b/classes/database/Postgres.php
index bfd04a87..e83227f6 100644
--- a/classes/database/Postgres.php
+++ b/classes/database/Postgres.php
@@ -450,7 +450,7 @@ class Postgres extends ADODB_base {
 		if (isset($conf['owned_only']) && $conf['owned_only'] && !$this->isSuperUser()) {
 			$username = $server_info['username'];
 			$this->clean($username);
-			$clause = " AND pr.rolname='{$username}'";
+			$clause = " AND pg_has_role('{$username}'::name,pr.rolname,'USAGE')";
 		}
 		else $clause = '';
 
-- 
2.39.5