Re: BUG #1150: grant options not properly checked - Mailing list pgsql-bugs

From Fabien COELHO
Subject Re: BUG #1150: grant options not properly checked
Date
Msg-id Pine.LNX.4.58.0405111658360.21629@sablons.cri.ensmp.fr
Whole thread Raw
In response to Re: BUG #1150: grant options not properly checked  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Dear Tom,

> ...
> Note that says WARNING, not ERROR.  So I guess what we need to do is
> narrow the privilege set and issue a warning message.

Yep.

> I think this also bears on the question that was raised before about
> whether REVOKE should raise an error if you don't have the right to
> revoke the privileges you're listing.  We don't, and based on this
> I think we shouldn't --- but maybe we should issue a warning.

There are two close but different issues.

(1) REVOKE ALL ON SCHEMA foo FROM calvin;

I agree with you that it looks it is allowed, as narrow would mean empty.
I really think a warning is desirable in such a case...


(2) REVOKE USAGE ON SCHEMA foo FROM calvin;

Where USAGE (or any specific right) is not grantable by the issuer.

While browsing the Access Rules of <revoke statement>... it is unclear.
I guess maybe a "grantable" word is missing in my version of the standard,
because otherwise I cannot really extract a semantics from access rule 1
case a in 12.7. Case b is much more explicit in my version for <revoke
role statement>, you need a "WITH ADMIN OPTION".

If my guess is correct and that an access rule is violated, then this
case should result in an error.


--
Fabien Coelho - coelho@cri.ensmp.fr

pgsql-bugs by date:

Previous
From: Nick Wellnhofer
Date:
Subject: Bug in backend/lib/stringinfo.c:enlargeStringInfo()
Next
From: Fabien COELHO
Date:
Subject: Re: BUG #1150: grant options not properly checked