> Partyka Robert <bobson@saturn.alpha.pl> writes:
> > #create user bobson with password '1' nocreatedb nocreateuser;
> > CREATE
> > #create table a (a int4);
> > CREATE
> > #revoke all on a from public;
> > CHANGE
> > and now from user bobson after conecting to test database:
> > #insert into a values ('1');
> > INSERT 19104 1
>
> > hmmm... looks like bug. Or I miss something?
>
> Oops. Strange though, this looks like it must be a very long-standing
> bug: aclinsert3 thinks it can delete any zero-permissions item from an
> ACL array, whereas aclcheck has a hard-wired assumption that the world
> item is always there. Could we have missed this for this long?
In 6.5.3 I've found other strange thing. When I give user INSERT, UPDATE
permissions such user can do DELETE without DELETE permissions so in fact
if I do
# grant UPDATE, INSERT, SELECT on a to user1;
it was treat as:
# grant UPDATE, INSERT, DELETE, SELECT on a to user1;
Today I want to test it on lastest CVS, but ... you know ;)
regards
Robert 'BoBsoN' Partyka
