The following bug has been logged on the website:
Bug reference: 16124
Logged by: John Doe
Email address: john.doe@example.com
PostgreSQL version: 11.5
Operating system: NixOS
Description:
Altering default privileges in a specific schema to revoke all privileges on
types from PUBLIC does nothing.
Steps to reproduce:
- Connect as superuser and execute:
CREATE ROLE ownerrole WITH INHERIT LOGIN PASSWORD 'ownerrole';
CREATE ROLE approle WITH INHERIT LOGIN PASSWORD 'approle';
CREATE DATABASE test1 ENCODING = 'UTF8' OWNER = ownerrole;
CREATE DATABASE test2 ENCODING = 'UTF8' OWNER = ownerrole;
Test 1
- Setup: Connect as ownerrole to test1 and execute the following commands:
CREATE SCHEMA myschema;
GRANT ALL PRIVILEGES ON SCHEMA myschema TO approle;
ALTER DEFAULT PRIVILEGES
FOR ROLE ownerrole
IN SCHEMA myschema
REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
CREATE DOMAIN myschema.comment AS text;
- Test: connect as approle to test1 and execute the following command:
CREATE TABLE myschema.table(
comment myschema.comment
);
- Actual result:
The myschema.table table is created.
- Expected result:
The table creation should fail due to the following error:
ERROR: permission denied for type myschema.comment
- Notes:
$ psql -U ownerrole -d test1
psql (11.5)
Type "help" for help.
test1=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-------+--------+------+-------------------
(0 rows)
Test 2
- Setup: Connect as ownerrole to test2 and execute the following commands
(ALTER DEFAULT PRIVILEGES is not specific to any schema):
CREATE SCHEMA myschema;
GRANT ALL PRIVILEGES ON SCHEMA myschema TO approle;
ALTER DEFAULT PRIVILEGES
FOR ROLE ownerrole
REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
CREATE DOMAIN myschema.comment AS text;
- Test: connect as approle to test2 and execute the following command:
CREATE TABLE myschema.table(
comment myschema.comment
);
- Actual result:
ERROR: permission denied for type myschema.comment
- Expected result:
ERROR: permission denied for type myschema.comment
- Notes:
$ psql -U ownerrole -d test2
psql (11.5)
Type "help" for help.
test2=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-----------+--------+------+-----------------------
ownerrole | | type | ownerrole=U/ownerrole
(1 row)
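
Added example, not part of the original report or of PostgreSQL's own code: the PostgreSQL documentation for ALTER DEFAULT PRIVILEGES states that per-schema default privileges are added to the global ones, so the per-schema REVOKE in Test 1 cannot remove the built-in USAGE that PUBLIC holds on types. The statements below audit which types PUBLIC can still use and show two ways to close the gap. Role, schema and domain names are the report's; "otherschema" is a hypothetical name.

```sql
-- Added example, not from the original report. Run as ownerrole in test1.
-- "otherschema" is a hypothetical schema that should stay open to PUBLIC.

-- 1. Audit: user-defined types in myschema that PUBLIC may use.
--    typacl IS NULL means the built-in default ACL applies, which for
--    types includes USAGE for PUBLIC.
SELECT n.nspname AS schema,
       t.typname AS type,
       t.typacl,
       has_type_privilege('public', t.oid, 'USAGE') AS public_usage
FROM pg_type t
JOIN pg_namespace n ON n.oid = t.typnamespace
LEFT JOIN pg_class c ON c.oid = t.typrelid
WHERE n.nspname = 'myschema'
  AND t.typcategory <> 'A'                  -- skip implicit array types
  AND (t.typrelid = 0 OR c.relkind = 'c')   -- skip row types of tables
ORDER BY 1, 2;

-- 2. Stored default privileges (the catalog behind \ddp). A schema shown
--    as "-" is a global entry; defaclobjtype 'T' means types.
SELECT pg_get_userbyid(d.defaclrole)   AS owner,
       d.defaclnamespace::regnamespace AS schema,
       d.defaclobjtype,
       d.defaclacl
FROM pg_default_acl d;

-- 3a. Close a domain that already exists with an explicit per-object REVOKE.
REVOKE USAGE ON DOMAIN myschema.comment FROM PUBLIC;

-- 3b. For future types: revoke globally (as in Test 2), then re-grant per
--     schema where PUBLIC access is wanted. Per-schema entries can add
--     privileges to the global defaults but cannot subtract from them.
ALTER DEFAULT PRIVILEGES FOR ROLE ownerrole
    REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
ALTER DEFAULT PRIVILEGES FOR ROLE ownerrole IN SCHEMA otherschema
    GRANT USAGE ON TYPES TO PUBLIC;
```

Rerunning query 1 after step 3a should report public_usage = false for myschema.comment.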