Thread: BUG #7716: Only owner can drop trigger?

BUG #7716: Only owner can drop trigger?

From: keith@omniti.com

The following bug has been logged on the website:

Bug reference:      7716
Logged by:          Keith Fiske
Email address:      keith@omniti.com
PostgreSQL version: 9.2.1
Operating system:   Any
Description:

This is documented in the DROP TRIGGER section of the documentation, but it
doesn't seem to make any sense. If a role has permission to create a
trigger, why can that same role not have the same permissions to drop it,
even if that role doesn't own the table?

Re: BUG #7716: Only owner can drop trigger?

From: Jeff Davis

On Fri, 2012-11-30 at 23:41 +0000, keith@omniti.com wrote:
> The following bug has been logged on the website:
>
> Bug reference:      7716
> Logged by:          Keith Fiske
> Email address:      keith@omniti.com
> PostgreSQL version: 9.2.1
> Operating system:   Any
> Description:
>
> This is documented in the DROP TRIGGER section of the documentation, but it
> doesn't seem to make any sense. If a role has permission to create a
> trigger, why can that same role not have the same permissions to drop it,
> even if that role doesn't own the table?

My guess is that it's to prevent someone from dropping a trigger created
by someone else.

I agree that it's inconsistent. I'm not sure why they added the separate
"TRIGGER" privilege in the first place, but it was done more than 10
years ago.

Regards,
    Jeff Davis

Re: BUG #7716: Only owner can drop trigger?

From: Keith Fiske

On Fri, Nov 30, 2012 at 7:02 PM, Jeff Davis <pgsql@j-davis.com> wrote:
> On Fri, 2012-11-30 at 23:41 +0000, keith@omniti.com wrote:
>> The following bug has been logged on the website:
>>
>> Bug reference:      7716
>> Logged by:          Keith Fiske
>> Email address:      keith@omniti.com
>> PostgreSQL version: 9.2.1
>> Operating system:   Any
>> Description:
>>
>> This is documented in the DROP TRIGGER section of the documentation, but it
>> doesn't seem to make any sense. If a role has permission to create a
>> trigger, why can that same role not have the same permissions to drop it,
>> even if that role doesn't own the table?
>
> My guess is that it's to prevent someone from dropping a trigger created
> by someone else.
>
> I agree that it's inconsistent. I'm not sure why they added the separate
> "TRIGGER" privilege in the first place, but it was done more than 10
> years ago.
>
> Regards,
>         Jeff Davis

So then don't give that other role trigger permissions if you don't
want them to be able to drop a trigger. I'm actually thankful for the
trigger permission since it allows the extension I'm working on to
create triggers on tables the role doesn't own. But now it only
half-works because it can't clean up after itself when the trigger
needs to be dropped.

Keith

Re: BUG #7716: Only owner can drop trigger?

From: Jeff Davis

On Fri, 2012-11-30 at 20:08 -0500, Keith Fiske wrote:
> So then don't give that other role trigger permissions if you don't
> want them to be able to drop a trigger. I'm actually thankful for the
> trigger permission since it allows the extension I'm working on to
> create triggers on tables the role doesn't own. But now it only
> half-works because it can't clean up after itself when the trigger
> needs to be dropped.

Allowing any user with TRIGGER privileges to drop a trigger seems like a
reasonable change to me. The only alternative I can think of (aside from
dropping the separate TRIGGER privilege) is to track the owner of the
trigger separately from the owner of the table, but that would be
strange, too.

Regards,
    Jeff Davis
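
Added example, not part of the original thread: a psql session that reproduces the asymmetry discussed above (a role holding only TRIGGER can create a trigger but not drop it) and lists which non-owner roles hold TRIGGER on the table. All role, table, function and trigger names are constructed; it assumes a superuser session and rolls everything back.

```sql
-- Constructed names throughout (tbl_owner, ext_role, audit_demo, ext_noop, ext_trg).
-- Assumes a superuser session; the closing ROLLBACK discards every object.
BEGIN;
CREATE ROLE tbl_owner;
CREATE ROLE ext_role;
CREATE TABLE audit_demo (id int);
ALTER TABLE audit_demo OWNER TO tbl_owner;
CREATE FUNCTION ext_noop() RETURNS trigger LANGUAGE plpgsql
    AS $$ BEGIN RETURN NEW; END $$;

-- The only thing ext_role receives on the table is TRIGGER.
GRANT TRIGGER ON audit_demo TO ext_role;

-- Audit check: non-owner, non-superuser roles that may create triggers here.
SELECT c.oid::regclass AS table_name, r.rolname AS grantee
FROM pg_class c
CROSS JOIN pg_roles r
WHERE c.oid = 'audit_demo'::regclass
  AND r.oid <> c.relowner
  AND NOT r.rolsuper
  AND has_table_privilege(r.oid, c.oid, 'TRIGGER');

-- As the non-owner: CREATE TRIGGER is allowed by the TRIGGER privilege.
SET ROLE ext_role;
CREATE TRIGGER ext_trg BEFORE INSERT ON audit_demo
    FOR EACH ROW EXECUTE PROCEDURE ext_noop();

-- DROP TRIGGER checks table ownership instead, so the same role is refused.
-- The DO block traps the error so the transaction can continue.
DO $$
BEGIN
    EXECUTE 'DROP TRIGGER ext_trg ON audit_demo';
    RAISE NOTICE 'drop succeeded';
EXCEPTION WHEN insufficient_privilege THEN
    RAISE NOTICE 'drop refused for %: %', current_user, SQLERRM;
END $$;

-- Only the table owner (or a superuser) can clean up.
RESET ROLE;
SET ROLE tbl_owner;
DROP TRIGGER ext_trg ON audit_demo;
RESET ROLE;
ROLLBACK;
```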