The following bug has been logged on the website:
Bug reference: 15281
Logged by: Michal Wozny
Email address: torcher999@gmail.com
PostgreSQL version: 10.4
Operating system: Windows Server 2012 R2
Description:
Here are the two scenarios I tested:
1) as a session_user: superuser and current_user: non-superuser I can edit
others' tables
2) as a session_user: non-superuser and current_user: superuser I cannot
edit others' tables
The documentation contradicts 1) explicitly, 2) implicitly:
"when a superuser chooses to SET ROLE to a non-superuser role, they lose
their superuser privileges."
Source: https://www.postgresql.org/docs/current/static/sql-set-role.html
Steps to reproduce:
Preconditions:
create two non-superusers [user1, user2]
create one superuser [user0]
grant user0 to user1
create a table [u2_tab] with owner user2
1)
disconnect
connect as user0
set role user1
rename u2_tab
expected: cannot rename u2_tab
actual: can rename u2_tab
2)
disconnect
connect as user1
set role user0
rename u2_tab
expected: can rename u2_tab
actual: cannot rename u2_tab
SQL steps:
Preconditions:
CREATE USER user0 WITH SUPERUSER
CREATE USER user1
GRANT user0 to user1
CREATE USER user2
CREATE TABLE public.u2_tab
ALTER TABLE public.u2_tab OWNER TO user2
1)
DISCONNECT
CONNECT TO db AS user0
SET ROLE user1
ALTER TABLE public.u2_tab RENAME TO u2_tab1
2)
DISCONNECT
CONNECT TO db AS user1
SET ROLE user0
ALTER TABLE public.u2_tab1 RENAME TO u2_tab2
