Nathan Bossart <nathandbossart@gmail.com> writes:
> On Thu, Jan 26, 2023 at 03:07:43PM -0500, Tom Lane wrote:
>> I think the password case needs to be kept separate, because the
>> conditions for it are different (specifically the exception that
>> you can alter your own password). Lumping the rest together
>> seems OK to me.
> Hm. In v2, the error message for both cases is the same:
> ERROR: permission denied to alter role
> DETAIL: You must have CREATEROLE privilege and ADMIN OPTION on role "regress_priv_user2".
> We could add "to change its attributes" and "to change its password" to
> separate the two, but I'm not sure that adds much. ISTM the current error
> message for ALTER ROLE PASSWORD implies that you can change your own
> password, and that's lost with my patch. Perhaps we should add an
> errhint() with that information instead. WDYT?
Well, it's not a hint. I think the above is fine for non-password
cases, but for passwords maybe
ERROR: permission denied to alter role password
DETAIL: To change another role's password, you must have CREATEROLE privilege and ADMIN OPTION on role "%s".
regards, tom lane