Re: Add sentence about SECURITY LABEL object ownership

Patrick Stählin <me@packi.ch>

From: Patrick Stählin <me@packi.ch>
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: pgsql-docs@lists.postgresql.org
Date: 2025-06-05T15:02:43Z
Lists: pgsql-docs

Attachments

On 6/5/25 4:21 PM, Laurenz Albe wrote:
>> +
>> +  <para>
>> +   You must own the database object to use the <command>SECURITY LABEL</command>.
>> +  </para>
>>    </refsect1>
>>   
>>    <refsect1>
> 
> Wouldn't it be more accurate to say that you have to be a member of the owning role?
> But perhaps that would be complicated enough to confuse many users.

We're calling check_object_ownership which errors out with:

    aclcheck_error(ACLCHECK_NOT_OWNER, [...])

which in turn then aborts with "must be owner of [...]". But checking 
the code, we do call has_privs_of_role, so you're absolutely right.

In doc/src/sgml/ref/alter_*.sgml we use the phrase "You must own the 
[...]" to describe the privileges needed. Let me know if you want me to 
change the wording.

While double checking I noticed that other docs don't have the extra 
"the " before "<command>[...] " so I dropped that in my v2 patch.

Thanks for reviewing!
Patrick

Commits

  1. Doc: you must own the target object to use SECURITY LABEL.