Re: [PATCH] Report column-level error when lacking privilege

David G. Johnston <david.g.johnston@gmail.com>

From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Steve Chavez <steve@supabase.io>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2026-03-30T03:34:56Z
Lists: pgsql-hackers
On Sun, Mar 29, 2026 at 6:07 PM Steve Chavez <steve@supabase.io> wrote:

> When a role `xx` has `grant select (name) on items to xx;`, a generic
> table-level error is given:
>
> select * from items;
> ERROR:  permission denied for table items
>
> With this patch, we now give:
>
> select * from items;
> ERROR:  permission denied for column "id" of relation "items"
>
>
Not too fond of picking one column as a representative for the error
message.  Better to say something like:

ERROR:  permission denied for column subset of table items

Haven't looked but it should be doable to run a query for a given relation
and role and report for each column whether a grant is available or not;
which would be the one-stop shop for figuring out which columns at least
don't have permissions granted.  The user would still have to know which
ones their query is actually using.

David J.

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Make geometry cast functions error safe