public inbox for [email protected]  
SELECT has_database_privilege('user01', 'db01', 'connect');

* SELECT has_database_privilege('user01', 'db01', 'connect');
@ 2022-04-28 09:47  William Sescu (Suva) <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: William Sescu (Suva) @ 2022-04-28 09:47 UTC (permalink / raw)
  To: '[email protected]' <[email protected]>

Hello %

I am kinda confused, if I miss something. I have two questions:

* A newly created user should not have the connect privilege by default, if the user is not the owner of the db, right?
* The function has_database_privilege should return false, if I revoke the connect privilege, right?

(postgres@[local]:55042)[postgres]> CREATE USER user01 ENCRYPTED PASSWORD 'user01';
CREATE ROLE
(postgres@[local]:55042)[postgres]> CREATE DATABASE db01 WITH OWNER = postgres;
CREATE DATABASE
(postgres@[local]:55042)[postgres]> SELECT has_database_privilege('user01', 'db01', 'connect');
 has_database_privilege
------------------------
 t                         <= have expected false here
(1 row)
(postgres@[local]:55042)[postgres]> REVOKE CONNECT ON DATABASE db01 FROM user01;
REVOKE
(postgres@[local]:55042)[postgres]> SELECT has_database_privilege('user01', 'db01', 'connect');
 has_database_privilege
------------------------
 t                         <= have expected false here even more after the revoke statement
(1 row)

Or do I have some misunderstanding with regard to how it should work?

Cheers,
William




* Re: SELECT has_database_privilege('user01', 'db01', 'connect');
@ 2022-04-28 11:57  David G. Johnston <[email protected]>
  parent: William Sescu (Suva) <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: David G. Johnston @ 2022-04-28 11:57 UTC (permalink / raw)
  To: William Sescu (Suva) <[email protected]>; +Cc: [email protected] <[email protected]>

On Thursday, April 28, 2022, William Sescu (Suva) <[email protected]>
wrote:

> Hello %
>
> I am kinda confused, if I miss something. I have two questions:
>
> * A newly created user should not have the connect privilege by default, if
> the user is not the owner of the db, right?
> * The function has_database_privilege should return false, if I revoke the
> connect privilege, right?
>
> (postgres@[local]:55042)[postgres]> CREATE USER user01 ENCRYPTED PASSWORD
> 'user01';
> CREATE ROLE
> (postgres@[local]:55042)[postgres]> CREATE DATABASE db01 WITH OWNER =
> postgres;
> CREATE DATABASE
> (postgres@[local]:55042)[postgres]> SELECT has_database_privilege('user01',
> 'db01', 'connect');
>  has_database_privilege
> ------------------------
>  t                         <= have expected false here
> (1 row)


Not how it works, see default privileges, namely for “public”.


> (postgres@[local]:55042)[postgres]> REVOKE CONNECT ON DATABASE db01 FROM
> user01;
> REVOKE
> (postgres@[local]:55042)[postgres]> SELECT has_database_privilege('user01',
> 'db01', 'connect');
>  has_database_privilege
> ------------------------
>  t                         <= have expected false here even more after the
> revoke statement
> (1 row)
>
> Or do I have some misunderstanding with regard to how it should work?
>

The privilege being found is inherited; you revoked a non-existent grant,
which doesn’t do anything.  You need to revoke the privilege being
inherited, from “public”.

David J.
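
Added example (not part of either message in this thread): a psql session sketch that shows where the inherited CONNECT privilege comes from, removes it from PUBLIC, and re-grants it to one role. The names user01 and db01 are taken from the thread; acldefault() is assumed to be available (PostgreSQL 12 or later), and the statements are assumed to run as a superuser or the database owner.

```sql
-- Added example: names user01/db01 follow the thread; PostgreSQL 12+ assumed.

-- 1. Show who holds which privilege on db01. A NULL datacl means the
--    built-in defaults apply, so fall back to acldefault('d', owner).
--    Grantee OID 0 is the PUBLIC pseudo-role that every role inherits from.
SELECT d.datname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_database AS d,
     LATERAL aclexplode(COALESCE(d.datacl, acldefault('d', d.datdba))) AS a
WHERE d.datname = 'db01';

-- 2. Revoking from user01 changes nothing because user01 holds no direct
--    grant. Remove the grant that is actually being inherited.
REVOKE CONNECT ON DATABASE db01 FROM PUBLIC;

-- 3. Re-check: user01 is now evaluated without the PUBLIC grant.
SELECT has_database_privilege('user01', 'db01', 'connect');

-- 4. Grant CONNECT explicitly to the roles that should have it.
GRANT CONNECT ON DATABASE db01 TO user01;
SELECT has_database_privilege('user01', 'db01', 'connect');

-- 5. Audit: list every database where PUBLIC still holds CONNECT, either
--    through an explicit ACL entry or through the untouched defaults.
SELECT d.datname
FROM pg_database AS d,
     LATERAL aclexplode(COALESCE(d.datacl, acldefault('d', d.datdba))) AS a
WHERE a.grantee = 0
  AND a.privilege_type = 'CONNECT'
ORDER BY d.datname;
```

has_database_privilege() also reports privileges a role gains through membership in other roles, and superusers bypass these checks entirely, so step 3 should be run against an ordinary role.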

