Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
>> The problem here is not with pg_dump; the problem is that dropping
>> privileges doesn't cascade to dropping objects that are dependent on
>> those privileges. AFAICS the SQL spec requires us to be able to do
>> the latter.
> The spec really requires that?? So basically we have RESTRICT and
> CASCADE on REVOKE?
Well, the spec doesn't have create permissions per se, but they do have
a "usage" right on domains, and they specify that revoking that results
in dropping objects:
7) For every abandoned domain descriptor DO, let S1.DN be the <domain name> of DO. The following
<dropdomain statement> is effectively executed without further Access Rule checking:
DROP DOMAIN S1.DN CASCADE
Similarly, revoking access to tables etc. results in physical changes to
views that reference those tables. So I think the idea is pretty clear.
regards, tom lane
