From: David G. Johnston <[email protected]>
To: William Sescu (Suva) <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: SELECT has_database_privilege('user01', 'db01', 'connect');
Date: Thu, 28 Apr 2022 04:57:04 -0700
Message-ID: <CAKFQuwY8sg4NOtzwmTKw2oq-8ths3knGvdJGzXffgrSD2Y4r6w@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <[email protected]>
On Thursday, April 28, 2022, William Sescu (Suva) <[email protected]>
wrote:
> Hello %
>
> I am kinda confused, if I miss something. I have two questions:
>
> * A new created user should not have the connect privilege per default, if
> the user is not the owner of the db, right?
> * The function has_database_privilege should return false, if I revoke the
> connect privilege, right?
>
> (postgres@[local]:55042)[postgres]> CREATE USER user01 ENCRYPTED PASSWORD
> 'user01';
> CREATE ROLE
> (postgres@[local]:55042)[postgres]> CREATE DATABASE db01 WITH OWNER =
> postgres;
> CREATE DATABASE
> (postgres@[local]:55042)[postgres]> SELECT has_database_privilege('user01',
> 'db01', 'connect');
> has_database_privilege
> ------------------------
> t <= have expected false here
> (1 row)

Not how it works, see default privileges, namely for “public”.

> (postgres@[local]:55042)[postgres]> REVOKE CONNECT ON DATABASE db01 FROM
> user01;
> REVOKE
> (postgres@[local]:55042)[postgres]> SELECT has_database_privilege('user01',
> 'db01', 'connect');
> has_database_privilege
> ------------------------
> t <= have expected false here even more after the
> revoke statement
> (1 row)
>
> Or do I have some misunderstanding in regards of how it should work?
>

The privilege being found is inherited, you revoked a non-existent grant
which doesn’t do anything. You need to revoke the privilege being
inherited, from “public”.

David J.
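
The fix described in the reply, written out as an added example that is not part of the original message: it shows where the CONNECT privilege on `db01` comes from, revokes it from PUBLIC, and re-runs the check from the thread. It reuses the thread's `user01` and `db01`; granting CONNECT back to `user01` in step 4 is an assumption about the intended end state.

```sql
-- Run as a superuser or as the owner of db01.

-- 1. Show the effective ACL of db01. A NULL datacl means the built-in
--    defaults apply, so fall back to acldefault('d', owner).
--    grantee = 0 is the pseudo-role PUBLIC.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_database d,
     LATERAL aclexplode(COALESCE(d.datacl, acldefault('d', d.datdba))) AS a
WHERE d.datname = 'db01'
ORDER BY 1, 2;

-- 2. Revoke the privilege where it is actually granted: from PUBLIC.
--    (REVOKE ... FROM user01 removes nothing, because user01 never had
--    a grant of its own.)
REVOKE CONNECT ON DATABASE db01 FROM PUBLIC;

-- 3. Re-run the check from the thread. user01 now has no path to CONNECT
--    unless it is a superuser or a member of a role with an explicit grant.
SELECT has_database_privilege('user01', 'db01', 'connect');

-- 4. Grant CONNECT only to the roles that should have it
--    (assumption: user01 is one of them).
GRANT CONNECT ON DATABASE db01 TO user01;
SELECT has_database_privilege('user01', 'db01', 'connect');

-- 5. Audit: list every database that PUBLIC can still connect to.
SELECT datname
FROM pg_database
WHERE has_database_privilege('public', oid, 'connect')
ORDER BY datname;
```

The REVOKE in step 2 applies only to `db01`; every other database, including ones created later, keeps the default CONNECT grant to PUBLIC until it is revoked there as well.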