Re: [HACKERS] Re: [PATCHES] NO-CREATE-TABLE and NO-LOCK-TABLE

Karel Zak <zakkr@zf.jcu.cz>

From: Karel Zak - Zakkr <zakkr@zf.jcu.cz>
To: Peter Eisentraut <peter_e@gmx.net>
Cc: Thomas Lockhart <lockhart@alumni.caltech.edu>, PostgreSQL Development <pgsql-hackers@postgresql.org>
Date: 2000-03-01T15:44:49Z
Lists: pgsql-hackers
> I would like to take a look at SQL3 first, because they define some more
> privilege stuff which we could take into account (ROLES, for example).

 Yes. Just today I look at Oracle's documentation for ROLEs, PROFILEs
... my idea is prepare acl/account code for this freatures too. What?

IMHO this discussion good adept for any new-acl&accout project. Agree?

> By the way: Regarding your original patch that disallowed LOCK to users, I

  ... and I see your web page, you listen good music :-)

> looked it up in the source and it turns out that in order to lock a table
> you need write access to it. Isn't that sufficient?

 You mean this original PG's code (?):

    if (lockstmt->mode == AccessShareLock)
                aclresult = pg_aclcheck(lockstmt->relname, GetPgUserName(), ACL
    else
                aclresult = pg_aclcheck(lockstmt->relname, GetPgUserName(), ACL

    if (aclresult != ACLCHECK_OK)
                elog(ERROR, "LOCK TABLE: permission denied");

 
 Yes. The my patch create a lock-permission level over this current code. 
It is global setting and example for all non-AccessShareLocks you must have 
pg_shadow->locktable privilege and 'write' privilage for table. 

 It is because I have users which needs update/insert access to tables, but 
I not want allow a lock command for these users. 

						Karel