Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view - Mailing list pgsql-bugs

From Bruce Momjian
Subject Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view
Date
Msg-id ZfO0GvqLn7Xb7sgq@momjian.us
In response to Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
On Wed, Mar 13, 2024 at 02:32:55PM -0400, Tom Lane wrote:
> I think there's been a policy of being minimalistic on
> permission-denied errors to avoid giving away security information,
> but I'm not sure how much sense that really makes.  We already show
> the specific object that didn't have permissions.  I think it would
> be good for these errors to also mention the specific role whose
> permissions were checked.  Perhaps also show the specific privileges
> that were missing --- although it might be hard to do that in a
> non-confusing way for complicated cases, such as queries that are
> valid if you have either table- or column-level permissions.
> 
> If we just add the role I'd envision
> 
> ERROR:  permission denied to role "foo" for [object]
> 
> although with any more detail that would get too long.
> Another way could be
> 
> ERROR:  permission denied for [object]
> DETAIL:  Role "foo" lacks permission [permission].
> 
> Mentioning the role that was checked should address the concern
> of "I'm a superuser, why did I get this error?".  However,
> fixing it requires knowing which privilege to grant.  I'm not
> sure if that's always obvious.

If we don't want to expand the error, and I can see why we might not
want to, giving the detailed error only for the superuser would be safe,
I think, since they are already the superuser.

Personal note:  my son Matthew got this error when using photoview
software, and I was confused why the superuser was getting a permission
error.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.


