Received: from maia.hub.org (maia-3.hub.org [200.46.204.243])
	by mail.postgresql.org (Postfix) with ESMTP id 80259B5DC34
	for <pgsql-docs-postgresql.org@mail.postgresql.org>;
	Fri, 20 May 2011 12:42:42 -0300 (ADT)
Received: from mail.postgresql.org ([200.46.204.86])
	by maia.hub.org (mx1.hub.org [200.46.204.243]) (amavisd-maia,
	port 10024) with ESMTP id 68968-01 for
	<pgsql-docs-postgresql.org@mail.postgresql.org>;
	Fri, 20 May 2011 15:42:34 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-bw0-f46.google.com (mail-bw0-f46.google.com
	[209.85.214.46])
	by mail.postgresql.org (Postfix) with ESMTP id 4D36CB5DC35
	for <pgsql-docs@postgresql.org>; Fri, 20 May 2011 12:42:34 -0300 (ADT)
Received: by bwz15 with SMTP id 15so3065833bwz.19
	for <pgsql-docs@postgresql.org>; Fri, 20 May 2011 08:42:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:date:message-id:subject:from:to
	:content-type; bh=7S2UHgH5tzJE0NdY6tBkuAD4WkUvtiGgNg1pzABkUFg=;
	b=xJ4MUr04mnTnWih7IuRuG4X37enHxybUY8bCxBgnh1Hay2Hh378ZaRIw9RF99oyCJX
	+yfNhqLTdmqSk4U+RKDH2dmX3M9Z2Xuem28SXfhALMBafT1xu8M8LTpA9/G5A6W3RBKd
	yiR1gKv9kN9iLQXhR9edc45nxcunQIF1ymjwg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:date:message-id:subject:from:to:content-type;
	b=u3TNVImRkNRTiRYcfObEJ8DosFdWe7BOX7Y9EeaX/ewLAF5/lFfKWLc1+9O4MclEt3
	2xjADcxXZn/E1hLlNzZlc+paBgC498IESr95bI/YItvDgJu8++3I76rIKrh08IP1BR4x
	81ZYW+j3v6Za3+2l5otUhGjdRe8a9ZUc7lFDk=
MIME-Version: 1.0
Received: by 10.204.144.194 with SMTP id a2mr1365310bkv.93.1305906152808; Fri,
	20 May 2011 08:42:32 -0700 (PDT)
Received: by 10.204.39.140 with HTTP; Fri, 20 May 2011 08:42:32 -0700 (PDT)
Date: Fri, 20 May 2011 11:42:32 -0400
Message-ID: <BANLkTikpQfBj8EMwjwrA1kXOF1F8J4H6Hw@mail.gmail.com>
Subject: DROP TABLE can be issued by schema owner as well as table owner
From: Derrick Rice <derrick.rice@gmail.com>
To: pgsql-docs@postgresql.org
Content-Type: multipart/alternative; boundary=0015174c199259208f04a3b6f8b3
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Spam-Status: No, hits=-1.887 tagged_above=-5 required=5 tests=BAYES_00=-1.9,
	FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RFC_ABUSE_POST=0.001,
	T_TO_NO_BRKTS_FREEMAIL=0.01
X-Spam-Level: 
X-Archive-Number: 201105/72
X-Sequence-Number: 6747

--0015174c199259208f04a3b6f8b3
Content-Type: text/plain; charset=ISO-8859-1

According to

http://www.postgresql.org/docs/9.0/interactive/sql-droptable.html

"DROP TABLE removes tables from the database. Only its owner can drop a
table."

In fact, the schema owner can drop the table, which is clearly stated here:

http://www.postgresql.org/docs/9.0/interactive/sql-dropschema.html

"A schema can only be dropped by its owner or a superuser. Note that the
owner can drop the schema (and thereby all contained objects) even if he
does not own some of the objects within the schema."

There are likely other places besides the DROP TABLE page which can be
misleading with regard to ability to drop a table.  This should be made more
clear, since in (possibly contrived) circumstances, being able to drop a
table and recreate an exactly similar table may be a vulnerability (if the
design assumed the table could only be dropped by the owner).

(Just joined the list to post this -- sorry if it has already been brought
up)

Derrick

--0015174c199259208f04a3b6f8b3
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

According to<br><br><a href=3D"http://www.postgresql.org/docs/9.0/interacti=
ve/sql-droptable.html" target=3D"_blank">http://www.postgresql.org/docs/9.0=
/interactive/sql-droptable.html</a><br><br>&quot;DROP TABLE removes tables =
from the database. Only its owner can drop a table.&quot;<br>

<br>In fact, the schema owner can drop the table, which is clearly stated h=
ere:<br><br><a href=3D"http://www.postgresql.org/docs/9.0/interactive/sql-d=
ropschema.html">http://www.postgresql.org/docs/9.0/interactive/sql-dropsche=
ma.html</a><br>
<br>&quot;A schema can only be dropped by its owner or a superuser. Note th=
at the owner can drop the schema (and thereby all contained objects) even i=
f he does not own some of the objects within the schema.&quot;<br><br>There=
 are likely other places besides the DROP TABLE page which can be misleadin=
g with regard to ability to drop a table.=A0 This should be made more clear=
, since in (possibly contrived) circumstances, being able to drop a table a=
nd recreate an exactly similar table may be a vulnerability (if the design =
assumed the table could only be dropped by the owner).<br>
<br>(Just joined the list to post this -- sorry if it has already been brou=
ght up)<br><br>Derrick<br>

--0015174c199259208f04a3b6f8b3--