Re: Re: Re: Revoke Connect Privilege from Database not working
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: "Ing. Marijo Kristo" <marijo.kristo@icloud.com>,
PostgreSQL Bug List <pgsql-bugs@lists.postgresql.org>
Date: 2025-04-07T16:06:17Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow choosing specific grantors via GRANT/REVOKE ... GRANTED BY.
- dd1398f13787 19 (unreleased) landed
"David G. Johnston" <david.g.johnston@gmail.com> writes: > On master, confirmed that after this command the privilege: > test_user=c/test_admin (on database testdb) still exists. That seems like > a bug. Its at least a POLA violation and I cannot figure out how to read > the revoke reference page in a way that explains it. I believe what's going on there is explained by the rule that "grants and revokes done by a superuser are done as if issued by the object owner". So here, what would be revoked is test_user=c/postgres, which isn't the privilege at issue. Include GRANTED BY in the REVOKE to override the default choice of grantor. IIRC, said rule was invented before we had the GRANTED BY syntax. It probably doesn't make as much sense today, but I'd be very afraid of breaking peoples' work flows by changing it. regards, tom lane