On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
> Laurenz Albe <laurenz.albe@cybertec.at> writes:
> > I realized only today that if role A is a member of role B,
> > A can ALTER and DROP objects owned by B.
> > I don't have a problem with that, but the documentation seems to
> > suggest otherwise. For example, for DROP TABLE:
> > Only the table owner, the schema owner, and superuser can drop a table.
>
> Generally, if you are a member of a role, that means you are the role for
> privilege-test purposes. I'm not on board with adding "(or a member of
> that role)" to every place it could conceivably be added; I think that
> would be more annoying than helpful.
>
> It might be worth clarifying this point in section 5.7,
>
> https://www.postgresql.org/docs/devel/ddl-priv.html
>
> but let's not duplicate that in every ref/ page.
That's much better.
I have attached a proposed patch.
Yours,
Laurenz Albe
