Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function - Mailing list pgsql-general

From Tom Lane
Subject Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
Msg-id 2071880.1753971113@sss.pgh.pa.us
In response to Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function  (Dominique Devienne <ddevienne@gmail.com>)
List pgsql-general
Dominique Devienne <ddevienne@gmail.com> writes:
> On Thu, Jul 31, 2025 at 11:35 AM Guillaume Lelarge
> <guillaume.lelarge@dalibo.com> wrote:
>> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
>> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
>> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
>> work without the SELECT privilege.

> Right on the money! Merci Guillaume!!! --DD

So the real problem here is that the "permission denied" error message
doesn't tell you which permission you lack.  I think we've had prior
discussions about improving that, but it never got done.  In some
cases it's a bit complicated -- for example, here either whole-table
SELECT or SELECT on the specific column would do.  But even pointing
you in the direction of "you need SELECT" would likely have led to
the correct line of thought, so maybe giving 100% of the details
isn't necessary.

            regards, tom lane
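
The privilege behaviour discussed in this message, reproduced as an added example that is not part of the original post: a role holding only DELETE can run an unqualified DELETE but not one with a WHERE clause, and since the error does not name the missing privilege, the catalog functions `has_table_privilege` and `has_column_privilege` are queried to find it. The schema `demo`, table `demo.t` and role `app_deleter` are constructed names; the script assumes an interactive psql session as a superuser in a scratch database.

```sql
-- Constructed demo objects; the final ROLLBACK discards all of them.
BEGIN;
CREATE ROLE app_deleter NOLOGIN;
CREATE SCHEMA demo;
CREATE TABLE demo.t (id int PRIMARY KEY, payload text);
INSERT INTO demo.t VALUES (1, 'a'), (2, 'b');
GRANT USAGE ON SCHEMA demo TO app_deleter;
GRANT DELETE ON demo.t TO app_deleter;      -- DELETE only, no SELECT

SET LOCAL ROLE app_deleter;

SAVEPOINT no_where;
DELETE FROM demo.t;                         -- allowed: no column value is read
ROLLBACK TO SAVEPOINT no_where;

SAVEPOINT with_where;
DELETE FROM demo.t WHERE id = 1;            -- rejected as "permission denied": WHERE reads id
ROLLBACK TO SAVEPOINT with_where;           -- clear the aborted state, keep the setup
RESET ROLE;

-- The error names no privilege, so ask the catalog which ones the role holds.
-- has_column_privilege is also true when the privilege is granted table-wide,
-- so checking each column the WHERE clause reads covers both cases.
SELECT has_table_privilege('app_deleter', 'demo.t', 'DELETE')        AS can_delete,
       has_table_privilege('app_deleter', 'demo.t', 'SELECT')        AS table_select,
       has_column_privilege('app_deleter', 'demo.t', 'id', 'SELECT') AS id_select;

-- Narrowest grant that satisfies the WHERE: SELECT on the one column it reads.
GRANT SELECT (id) ON demo.t TO app_deleter;

SET LOCAL ROLE app_deleter;
DELETE FROM demo.t WHERE id = 1;            -- now allowed
RESET ROLE;

ROLLBACK;
```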


