On Thu, Mar 16, 2023 at 04:24:07PM +0100, Peter Eisentraut wrote:
> I have committed two pieces that were not message changes separately.
Thanks!
> I think the following change in DropRole() is incorrect:
>
> if (!is_admin_of_role(GetUserId(), roleid))
> ereport(ERROR,
> (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> - errmsg("must have admin option on role \"%s\"",
> - role)));
> + errmsg("permission denied to drop role"),
> + errdetail("Only roles with the %s attribute and the %s
> option on role \"%s\" may drop this role.",
> + "CREATEROLE", "ADMIN",
> NameStr(roleform->rolname))));
>
> The message does not reflect what check is actually performed. (Perhaps
> this was confused with a similar but not exactly the same check in
> RenameRole().)
Hm. Is your point that we should only mention the admin option here? I
mentioned both createrole and admin option in this message (and the
createrole check above this point) in an attempt to avoid giving partial
information.
> In file_fdw_validator(), the option names "filename" and "program" could be
> parameterized.
>
>
> In DropOwnedObjects() and ReassignOwnedObjects(), I suggest the following
> changes, for clarity:
>
> - errdetail("Only roles with privileges of role \"%s\" may drop its
> objects.",
> + errdetail("Only roles with privileges of role \"%s\" may drop objects
> owned by it.",
>
> - errdetail("Only roles with privileges of role \"%s\" may reassign its
> objects.",
> + errdetail("Only roles with privileges of role \"%s\" may reassign objects
> owned by it.",
Will do.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
