Re: Regarding Feature #5305 - Mailing list pgadmin-hackers

On Wed, Mar 19, 2025 at 5:11 PM Dave Page <dpage@pgadmin.org> wrote:

On Wed, 19 Mar 2025 at 11:12, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Dave/Hackers,

I have started working on the feature #5305. Based on my understanding, the Object Explorer should only display nodes or objects where the currently logged-in user has at least one permission granted in the ACL. In other words, the user must have some level of access to each object displayed.

For example, consider two users: 'postgres' (the default user) and 'test'. There are objects, such as a table, where the 'test' user does not have any permissions. This table was created by the 'postgres' user, who has revoked all permissions for other users. Now, if the 'test' user logs into the database server, we need to check whether the logged-in user has any permissions on the object. If not, it should not be displayed in the Object Explorer.

We will have a preference for whether to apply this check or not. There are following two solutions that can be implemented: 

1) Change the nodes.sql to filter out the nodes based on privileges. It's challenging, as I tried with aclexplode(relacl), unnest(relacl) in the WHERE clause, and other different attempts to filter out Table nodes, but seems we will find some solution for sure).

2) Once nodes are fetched then filter out the data at the backend.

Any other solution or suggestion?  

This seems like it would be a very large amount of work, for very little gain, and would certainly be inconsistent with how we would expect to browse files and folders for example. I do not think it is worth the effort.

    OK Thanks, So should we keep this feature request open or close it?