From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Yeb Havinga <yebhavinga(at)gmail(dot)com> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: patch for type privileges |
Date: | 2011-12-12 19:53:22 |
Message-ID: | 1323719602.20924.8.camel@vanquo.pezone.net |
Lists: | pgsql-hackers |

On Sun, 2011-12-11 at 21:21 +0200, Peter Eisentraut wrote:
> > * Cannot restrict access to array types. After revoking usage from the
> > element type, the error is perhaps a bit misleading. (smallint[] vs
> > smallint)
> >
> > postgres=> create table a (a int2[]);
> > ERROR: permission denied for type smallint[]
>
> OK, that error message should be improved.

Fixing this is easy, but I'd like to look into refactoring this a bit.
Let's ignore that for now; it's easy to do later.

>
> > * The patch adds the following text explaining the USAGE privilege on types.
> >
> > For types and domains, this privilege allow the use of the type or
> > domain in the definition of tables, functions, and other schema objects.
> >
> > Since other paragraphs in USAGE use the word 'creation' instead of
> > 'definition', I believe here the word 'creation' should be used too.

Fix for that included.

> > * The information schema view 'attributes' has this additional condition:
> > AND (pg_has_role(t.typowner, 'USAGE')
> > OR has_type_privilege(t.oid, 'USAGE'));
> >
> > What happens is that attributes in a composite type are shown, or not,
> > if the current user has USAGE rights. The strange thing here, is that
> > the attribute in the type being shown or not, doesn't match being able to
> > use it (in the creation of e.g. a table).
>
> Yeah, that's a bug. That should be something like
>
> AND (pg_has_role(c.relowner, 'USAGE')
> OR has_type_privilege(c.reltype, 'USAGE'));

And fix for that included.

New patch attached.

Attachment | Content-Type | Size |
---|---|---|
typacl-v4.patch | text/x-patch | 127.6 KB |