From 40423811528a83d33eb60498c14e69065a2fc133 Mon Sep 17 00:00:00 2001
From: Konstantin Knizhnik
Date: Thu, 22 Aug 2024 22:22:49 +0300
Subject: [PATCH] Allow neon_suprtuser to create event triggers
---
 src/backend/commands/event_trigger.c | 2 +-
 src/backend/commands/publicationcmds.c | 7 -------
 src/backend/utils/adt/acl.c | 13 +++++++++++++
 src/include/miscadmin.h | 3 +++
 4 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/src/backend/commands/event_trigger.c b/src/backend/commands/event_trigger.c
index d4b00d1a828..65f739ef8cc 100644
--- a/src/backend/commands/event_trigger.c
+++ b/src/backend/commands/event_trigger.c
@@ -119,7 +119,7 @@ CreateEventTrigger(CreateEventTrigStmt *stmt)
 * this, but there are obvious privilege escalation risks which would have
 * to somehow be plugged first.
 */
- if (!superuser())
+ if (!superuser() && !is_neon_superuser())
 ereport(ERROR,
 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 errmsg("permission denied to create event trigger \"%s\"",
diff --git a/src/backend/commands/publicationcmds.c b/src/backend/commands/publicationcmds.c
index a618ac5c7b2..727c59559fa 100644
--- a/src/backend/commands/publicationcmds.c
+++ b/src/backend/commands/publicationcmds.c
@@ -728,13 +728,6 @@ CheckPubRelationColumnList(char *pubname, List *tables,
 }
 }
-static bool
-is_neon_superuser(void)
-{
- Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
- return neon_superuser_oid != InvalidOid && has_privs_of_role(GetUserId(), neon_superuser_oid);
-}
-
 /*
 * Create new publication.
 */
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 883e09393a4..5255e57b9d8 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
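Review bot: In CreateEventTrigger (src/backend/commands/event_trigger.c), the relaxed check `if (!superuser() && !is_neon_superuser())` lets a non-superuser own an event trigger, yet the comment directly above still says the privilege escalation risks "would have to somehow be plugged first", and nothing in this patch plugs them. Event trigger functions run in the session of whoever issues the DDL, so a trigger owned by a neon_superuser member would also fire in a real superuser's session; the firing path should skip or constrain such triggers when the session user is a superuser and the trigger owner is not, unless that is already handled outside this diff. The ownership-change path is not touched here either and presumably still insists on a superuser owner, so confirm the two stay consistent. At minimum the comment should be updated, e.g. `* Members of neon_superuser may also create event triggers; see <where the firing-side restriction lives>.` The function body starts and ends outside the hunk.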
@@ -123,6 +123,19 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);
 static void RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue);
+bool
+is_neon_superuser(void)
+{
+ return is_neon_superuser_arg(GetUserId());
+}
+
+bool
+is_neon_superuser_arg(Oid roleid)
+{
+ Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
+ return neon_superuser_oid != InvalidOid && has_privs_of_role(roleid, neon_superuser_oid);
+}
+
 /*
 * getid
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
index 95d19a761fc..505fce2ebe7 100644
--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
@@ -381,6 +381,9 @@ extern const char *GetSystemUser(void);
 extern bool superuser(void); /* current user is superuser */
 extern bool superuser_arg(Oid roleid); /* given user is superuser */
+/* in utils/adt/acl.c */
+extern bool is_neon_superuser(void); /* current user is neon_superuser */
+extern bool is_neon_superuser_arg(Oid roleid); /* given user is neon_superuser */
 /*****************************************************************************
 * pmod.h -- *
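Review bot: is_neon_superuser_arg() in src/backend/utils/adt/acl.c resolves the role by the literal name "neon_superuser" on every call, so the privilege that now gates CREATE EVENT TRIGGER attaches to whichever role carries that name and to every role holding its privileges through membership. That is only safe if the role is guaranteed to be pre-created and its membership grants are controlled; the deployment presumably ensures this, but neither new function says so. Add a header comment stating that contract, e.g. `/* is_neon_superuser_arg: true if roleid has the privileges of the role named "neon_superuser"; false if that role does not exist */`. The declarations added to src/include/miscadmin.h have the same gap: their trailing comments read "is neon_superuser" although the test is membership via has_privs_of_role(), so `/* current user has privileges of neon_superuser */` would be more accurate.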