From: Richard Huxton
To: Olleg Samoylov
Cc: pgsql-bugs@postgresql.org, pgsql-docs@postgresql.org
Date: Fri, 22 Apr 2005 09:03:17 +0100
Subject: Rules and Permissions docs change (was Re: BUG #1610: rewrite rule and sequence)
Message-ID: <4268AFC5.8080506@archonet.com>
In-Reply-To: <42689AA6.6080007@mipt.ru>
References: <20050421121944.15E03F0B53@svr2.postgresql.org> <4267CD7F.3090100@archonet.com> <42689AA6.6080007@mipt.ru>

Olleg Samoylov wrote:
> Richard Huxton wrote:
>
>> That's not a bug, it's a feature (as they say). I suppose you could
>> argue that a sequence only used by one table could inherit that
>> table's permissions by default, but I can see problems when people
>> reorder GRANT statements.
>
> It's not a feature, it's a bug. From the PostgreSQL documentation, 33.4.
> Rules and Privileges:
>
> Relations that are used due to rules get checked against the
> privileges of the rule owner, not the user invoking the rule. This means
> that a user only needs the required privileges for the tables/views that
> he names explicitly in his queries.
>
> This isn't true for tables with serial fields.

Hmm - perhaps the documentation needs expanding. Certainly, if your view
references functions you need to make sure permissions are set correctly
on those.

How about changes along the lines of:

Ch 33.4, para 2
"... Relations that are used due to rules get checked against the
privileges of the rule owner, not the user invoking the rule. This means
that a user only needs the required privileges for the objects[1] that he
names explicitly in his queries."

then

"[1] This includes permissions on tables and views you reference in your
view definition. It might also include execute permissions on any functions
referenced, and for updates, permissions on any sequences. This includes
sequences automatically created by use of the SERIAL type."

Perhaps we should also have a reminder to read the rules chapter in the
serial description (ch 8.1.4)

-- 
  Richard Huxton
  Archonet Ltd
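The behaviour the thread is arguing about, as an added, constructed example (not from the thread or the PostgreSQL docs): a role is granted INSERT only on a view whose rule writes into a table with a SERIAL column. The rewritten INSERT on the base table is checked against the rule owner, but nextval() on the SERIAL's sequence is checked against the invoking role. Role and object names are made up; it assumes a superuser session so SET ROLE works, and uses the GRANT USAGE ON SEQUENCE syntax of PostgreSQL 8.2 and later (on 8.0/8.1 the equivalent is GRANT UPDATE on the sequence).

```sql
-- Constructed example: role names and objects are hypothetical.
CREATE ROLE app_owner;
CREATE ROLE app_user;

-- The rule owner (app_owner) creates the table, the view and the rule.
SET ROLE app_owner;
CREATE TABLE orders (id SERIAL PRIMARY KEY, note text);
CREATE VIEW orders_v AS SELECT id, note FROM orders;
CREATE RULE orders_v_ins AS ON INSERT TO orders_v
    DO INSTEAD INSERT INTO orders (note) VALUES (NEW.note);
-- Only the view is granted; neither the table nor the sequence is.
GRANT SELECT, INSERT ON orders_v TO app_user;
RESET ROLE;

SET ROLE app_user;
-- The rewritten INSERT into "orders" is checked against app_owner (the
-- rule owner), so the missing grant on the table does not matter.
-- The DEFAULT nextval('orders_id_seq') is checked against app_user, so
-- this statement fails with a permission-denied error on the sequence.
INSERT INTO orders_v (note) VALUES ('first');
RESET ROLE;

-- Mitigation: grant the sequence privilege directly to the invoking role
-- (the part the proposed footnote [1] above asks readers to remember).
SET ROLE app_owner;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_user;
RESET ROLE;

SET ROLE app_user;
INSERT INTO orders_v (note) VALUES ('first');   -- succeeds now
SELECT id, note FROM orders_v;                 -- still readable via the view
RESET ROLE;

-- Check which roles can use the sequence without reading the catalog by hand.
SELECT has_sequence_privilege('app_user', 'orders_id_seq', 'USAGE');
```

The same gap applies to any function the view or rule calls: EXECUTE on it is checked against the caller, not the rule owner, so grants on the view alone are never sufficient.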