Re: [PATCH] DefaultACLs - Mailing list pgsql-hackers

From Petr Jelinek
Subject Re: [PATCH] DefaultACLs
Date
Msg-id 4AC5CAE8.4070701@pjmodos.net
In response to Re: [PATCH] DefaultACLs  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: [PATCH] DefaultACLs  (Petr Jelinek <pjmodos@pjmodos.net>)
List pgsql-hackers
Robert Haas wrote:
> On Thu, Oct 1, 2009 at 1:37 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Petr Jelinek <pjmodos@pjmodos.net> writes:
>>> because it seems like merging privileges seems to be acceptable for most
>>> (although I am not sure I like it, but I don't have better solution for
>>> managing conflicts), I changed the patch to do just that.
>>
>> It's not clear to me whether we have consensus on this approach.
>>
>> Last chance for objections, anyone?
>>
>> The main argument I can see against doing it this way is that it doesn't
>> provide a means for overriding the hard-wired public grants for object
>> types that have such (principally functions).  I think that a reasonable
>> way to address that issue would be for a follow-on patch that allows
>> changing the hard-wired default privileges for object types.  It might
>> well be that no one cares enough for it to matter, though.  I think that
>> in most simple cases what's needed is a way to add privileges, not
>> subtract them --- and we're already agreed that this mechanism is only
>> meant to simplify simple cases.
>
> I'm going to reiterate what I suggested upthread...  let's let the
> default, global default ACL contain the hard-wired privileges, instead
> of making them hardwired.  Then your objects will get those privileges
> not because they are hard-wired, but because you haven't changed your
> global default ACL to not contain them.

That's somewhat how I implemented it although not just on global level but
in any single filter, what we now have as defaults (before this patch) is
used as template for defaultacls and you can revoke it. You just can't
revoke anything you granted anywhere in the default acls chain.

-- 
Regards
Petr Jelinek (PJMODOS)
