Re: Change Ownership Permission Checks - Mailing list pgsql-patches

From Stephen Frost
Subject Re: Change Ownership Permission Checks
Date
Msg-id 20050715191031.GV24207@ns.snowman.net
In response to Re: Change Ownership Permission Checks  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Change Ownership Permission Checks
List pgsql-patches
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> >   Attached please find a patch to change how the permissions checking
> >   for alter-owner is done.  With roles there can be more than one
> >   'owner' of an object and therefore it becomes sensible to allow
> >   specific cases of ownership change for non-superusers.
>
> Applied with minor revisions.  The patch as submitted suffered a certain
> amount of copy-and-paste-itis (eg, trying to use pg_type_ownercheck on
> an opclass), and I really disliked using ACLCHECK_NOT_OWNER as the way
> to report "you can't assign ownership to that role because you are not
> a member of it".  So I made a separate error message for that case.

Great, thanks!  Sorry about the copy-and-paste-itis...  Must have been a
case I wasn't sure about.  The different error message makes perfect
sense.  I see you also did the superuser-in-every-role change that I had
included, thanks.

When writing this patch it occurred to me that we nuke our
member-of-role cache for one-off lookups on occasion.  I don't
particularly like that, especially when we *know* it's a one-off lookup,
so I was considering adding a function for the one-off lookup case but
I couldn't come up with a way to avoid a fair bit of mostly-the-same
code as the current cache-regen code, without making the cache-regen
code a lot slower which would negate the point.

Just some thoughts.

    Thanks again,

        Stephen
