Re: Misleading error "permission denied for table" - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Misleading error "permission denied for table"
Date
Msg-id 185919.1729096902@sss.pgh.pa.us
Whole thread Raw
In response to Re: Misleading error "permission denied for table"  (Nathan Bossart <nathandbossart@gmail.com>)
List pgsql-hackers
Nathan Bossart <nathandbossart@gmail.com> writes:
> On Wed, Oct 16, 2024 at 07:36:29PM +0530, Ashutosh Bapat wrote:
>> Shouldn't we report "permission defined for column atest5.three?

> We do have "permission denied for column" messages in aclchk.c (e.g.,
> aclcheck_error_col()), but I don't see them actually used anywhere (or at
> least they don't show up in any expected regression test output).  I'm
> inclined to agree that a more specific error would be nice, but I worry
> there's some hidden complexity that's prevented it thus far...

See ExecCheckOneRelPerms, which seems to regard this as a TODO.
I think the hard part is how to report the cases that involve
pg_attribute_aclcheck_all(..., ACLMASK_ANY), which means

 * If 'how' is ACLMASK_ANY, then returns ACLCHECK_OK if user has any of the
 * privileges identified by 'mode' on any non-dropped column in the relation;

so that you can't really finger a specific column as being in
violation.  Maybe we could leave those cases as just mentioning the
rel; not sure if that leads to failing to move the goalposts much.
Otherwise, we could extend ExecCheckOneRelPerms and
pg_attribute_aclcheck_all to pass back a column number, and
then modify the error reporting in ExecCheckPermissions.

            regards, tom lane



pgsql-hackers by date:

Previous
From: "Daniel Verite"
Date:
Subject: Re: New "raw" COPY format
Next
From: Robert Haas
Date:
Subject: Re: allowing extensions to control planner behavior