Re: patch for type privileges

Peter Eisentraut <peter_e@gmx.net>

From: Peter Eisentraut <peter_e@gmx.net>
To: Yeb Havinga <yebhavinga@gmail.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2011-12-12T19:53:22Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Support range data types.

Attachments

On sön, 2011-12-11 at 21:21 +0200, Peter Eisentraut wrote:
> > * Cannot restrict access to array types. After revoking usage from the 
> > element type, the error is perhaps a bit misleading. (smallint[] vs 
> > smallint)
> > 
> > postgres=> create table a (a int2[]);
> > ERROR:  permission denied for type smallint[]
> 
> OK, that error message should be improved.

Fixing this is easy, but I'd like to look into refactoring this a bit.
Let's ignore that for now; it's easy to do later.

> 
> > * The patch adds the following text explaining the USAGE privilege on types.
> > 
> >    For types and domains, this privilege allow the use of the type or
> >    domain in the definition of tables, functions, and other schema objects.
> > 
> > Since other paragraphs in USAGE use the word 'creation' instead of 
> > 'definition', I believe here the word 'creation' should be used too.  

Fix for that included.

> > * The information schema view 'attributes' has this additional condition:
> >            AND (pg_has_role(t.typowner, 'USAGE')
> >                 OR has_type_privilege(t.oid, 'USAGE'));
> > 
> > What happens is that attributes in a composite type are shown, or not, 
> > if the current user has USAGE rights. The strange thing here, is that 
> > the attribute in the type being show or not, doesn't match being able to 
> > use it (in the creation of e.g. a table).
> 
> Yeah, that's a bug.  That should be something like
> 
> AND (pg_has_role(c.relowner, 'USAGE')
>      OR has_type_privilege(c.reltype, 'USAGE'));

And fix for that included.

New patch attached.