Thread: BUG #7716: Only owner can drop trigger?

The following bug has been logged on the website:

Bug reference: 7716
Logged by: Keith Fiske
Email address: keith@omniti.com
PostgreSQL version: 9.2.1
Operating system: Any
Description:

This is documented in the DROP TRIGGER section of the documentation, but it doesn't seem to make any sense. If a role has permission to create a trigger, why can that same role not have the same permissions to drop it, even if that role doesn't own the table?

On Fri, 2012-11-30 at 23:41 +0000, keith@omniti.com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 7716
> Logged by: Keith Fiske
> Email address: keith@omniti.com
> PostgreSQL version: 9.2.1
> Operating system: Any
> Description:
>
> This is documented in the DROP TRIGGER section of the documentation, but it
> doesn't seem to make any sense. If a role has permission to create a
> trigger, why can that same role not have the same permissions to drop it,
> even if that role doesn't own the table?

My guess is that it's to prevent someone from dropping a trigger created by someone else.

I agree that it's inconsistent. I'm not sure why they added the separate "TRIGGER" privilege in the first place, but it was done more than 10 years ago.

Regards,
Jeff Davis

On Fri, Nov 30, 2012 at 7:02 PM, Jeff Davis <pgsql@j-davis.com> wrote:
> On Fri, 2012-11-30 at 23:41 +0000, keith@omniti.com wrote:
>> The following bug has been logged on the website:
>>
>> Bug reference: 7716
>> Logged by: Keith Fiske
>> Email address: keith@omniti.com
>> PostgreSQL version: 9.2.1
>> Operating system: Any
>> Description:
>>
>> This is documented in the DROP TRIGGER section of the documentation, but it
>> doesn't seem to make any sense. If a role has permission to create a
>> trigger, why can that same role not have the same permissions to drop it,
>> even if that role doesn't own the table?
>
> My guess is that it's to prevent someone from dropping a trigger created
> by someone else.
>
> I agree that it's inconsistent. I'm not sure why they added the separate
> "TRIGGER" privilege in the first place, but it was done more than 10
> years ago.
>
> Regards,
> Jeff Davis

So then don't give that other role trigger permissions if you don't want them to be able to drop a trigger. I'm actually thankful for the trigger permission since it allows the extension I'm working on to create triggers on tables the role doesn't own. But now it only half-works because it can't clean up after itself when the trigger needs to be dropped.

Keith

On Fri, 2012-11-30 at 20:08 -0500, Keith Fiske wrote:
> So then don't give that other role trigger permissions if you don't
> want them to be able to drop a trigger. I'm actually thankful for the
> trigger permission since it allows the extension I'm working on to
> create triggers on tables the role doesn't own. But now it only
> half-works because it can't clean up after itself when the trigger
> needs to be dropped.

Allowing any user with TRIGGER privileges to drop a trigger seems like a reasonable change to me. The only alternative I can think of (aside from dropping the separate TRIGGER privilege) is to track the owner of the trigger separately from the owner of the table, but that would be strange, too.

Regards,
Jeff Davis
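
A reproduction of the asymmetry discussed in this thread, added here as an example and not posted by any participant. The schema, role, table, function and trigger names are constructed, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed names throughout: schema demo, roles app_owner and ext_role,
-- table demo.orders, function demo.note_change(), trigger orders_audit.
-- Run as a superuser in a scratch database.
CREATE ROLE app_owner;
CREATE ROLE ext_role;
CREATE SCHEMA demo AUTHORIZATION app_owner;
GRANT USAGE, CREATE ON SCHEMA demo TO ext_role;

SET ROLE app_owner;
CREATE TABLE demo.orders (id integer PRIMARY KEY, note text);
-- The only table-level right handed to the non-owner.
GRANT TRIGGER ON demo.orders TO ext_role;
RESET ROLE;

SET ROLE ext_role;
CREATE FUNCTION demo.note_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'insert on %', TG_TABLE_NAME;
    RETURN NEW;
END
$$;
-- Allowed: TRIGGER privilege is enough to attach code to a table owned by someone else.
CREATE TRIGGER orders_audit AFTER INSERT ON demo.orders
    FOR EACH ROW EXECUTE PROCEDURE demo.note_change();
-- Rejected with a permission error: DROP TRIGGER checks table ownership, not TRIGGER privilege.
DROP TRIGGER orders_audit ON demo.orders;
RESET ROLE;

-- Triggers carry no owner of their own; the privilege and the table owner are all there is to inspect.
SELECT t.tgname,
       pg_get_userbyid(c.relowner) AS table_owner,
       has_table_privilege('ext_role', c.oid, 'TRIGGER') AS ext_role_can_create
FROM pg_trigger t
JOIN pg_class c ON c.oid = t.tgrelid
WHERE c.oid = 'demo.orders'::regclass AND NOT t.tgisinternal;

-- Cleanup has to be done by the table owner (or a superuser).
SET ROLE app_owner;
DROP TRIGGER orders_audit ON demo.orders;
RESET ROLE;
DROP SCHEMA demo CASCADE;
DROP ROLE ext_role;
DROP ROLE app_owner;
```

Run it without `ON_ERROR_STOP` and outside a transaction block so the script continues past the rejected `DROP TRIGGER`.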