From: Laurenz Albe <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Cc: [email protected]
Subject: Re: Role membership and DROP
Date: Fri, 15 Nov 2019 10:32:11 +0100
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
> Laurenz Albe <[email protected]> writes:
> > I realized only today that if role A is a member of role B,
> > A can ALTER and DROP objects owned by B.
> > I don't have a problem with that, but the documentation seems to
> > suggest otherwise. For example, for DROP TABLE:
> > Only the table owner, the schema owner, and superuser can drop a table.
>
> Generally, if you are a member of a role, that means you are the role for
> privilege-test purposes. I'm not on board with adding "(or a member of
> that role)" to every place it could conceivably be added; I think that
> would be more annoying than helpful.
>
> It might be worth clarifying this point in section 5.7,
>
> https://www.postgresql.org/docs/devel/ddl-priv.html
>
> but let's not duplicate that in every ref/ page.
That's much better.
I have attached a proposed patch.
Yours,
Laurenz Albe
Attachments:
[text/x-patch] 0001-Document-that-the-right-to-ALTER-or-DROP-can-be-inhe.patch (856B)
Inline diff:
From badfe59750dec82dffe18a5a43fb16f72f283a7d Mon Sep 17 00:00:00 2001
From: Laurenz Albe <[email protected]>
Date: Fri, 15 Nov 2019 10:28:26 +0100
Subject: [PATCH] Document that the right to ALTER or DROP can be inherited
Discussion: https://postgr.es/m/[email protected]
---
doc/src/sgml/ddl.sgml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index d7158c1b03..51e1957f85 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1579,7 +1579,8 @@ ALTER TABLE products RENAME TO items;
<para>
The right to modify or destroy an object is always the privilege of
- the owner only.
+ the owner. Like all privileges, that right can be inherited by members of
+ the owning role.
</para>
<para>
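Review bot: the added sentence introduces "members of the owning role" without pointing the reader to where role membership is explained; since this passage is being chosen precisely so that the per-command ref/ pages do not have to repeat it, an <xref> from this <para> to the role membership section would carry that weight. The lead "Like all privileges" also sits a little oddly beside the first sentence, which calls this right the owner's privilege; something like "Like other privileges, it is inherited by members of the owning role." ties the two sentences together.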
--
2.21.0
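The behaviour the thread describes can be checked directly. The following psql session is an added example, not part of the thread or the patch; it assumes a superuser session (so SET ROLE to any role works), all role and table names are made up, and the NOINHERIT case at the end goes beyond what the thread discusses.

```sql
-- Added example (not from the thread): a member of the owning role passes the
-- owner check for ALTER and DROP. Run as a superuser; names are constructed.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_dev   LOGIN;            -- member with INHERIT (the default)
CREATE ROLE reporter  LOGIN;            -- not a member
CREATE ROLE auditor   LOGIN NOINHERIT;  -- member, but privileges not inherited
GRANT app_owner TO app_dev;
GRANT app_owner TO auditor;

SET ROLE app_owner;
CREATE TABLE products (id int);         -- owned by app_owner
RESET ROLE;

-- pg_has_role(..., 'USAGE') is true when a role's privileges are usable
-- without SET ROLE, i.e. exactly the "you are the role" case from the thread.
SELECT pg_has_role('app_dev',  'app_owner', 'USAGE');   -- t
SELECT pg_has_role('reporter', 'app_owner', 'USAGE');   -- f
SELECT pg_has_role('auditor',  'app_owner', 'USAGE');   -- f (MEMBER would be t)

-- The inheriting member is treated as the owner: both statements succeed.
SET ROLE app_dev;
ALTER TABLE products RENAME TO items;
ALTER TABLE items RENAME TO products;
RESET ROLE;

-- A non-member fails the owner check (statement errors, session continues
-- unless ON_ERROR_STOP is set):
SET ROLE reporter;
DROP TABLE products;   -- ERROR:  must be owner of table products
RESET ROLE;

-- A NOINHERIT member fails the same way until it explicitly becomes the owner.
SET ROLE auditor;
DROP TABLE products;   -- ERROR:  must be owner of table products
SET ROLE app_owner;    -- allowed, because auditor is a member of app_owner
DROP TABLE products;   -- succeeds
RESET ROLE;

-- Cleanup
DROP ROLE auditor, reporter, app_dev, app_owner;
```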