public inbox for [email protected]
From: Tom Lane <[email protected]>
To: Dominique Devienne <[email protected]>
Cc: Guillaume Lelarge <[email protected]>
Cc: [email protected]
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
Date: Thu, 31 Jul 2025 10:11:53 -0400
Message-ID: <[email protected]>
In-Reply-To: <CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w@mail.gmail.com>
References: <CAFCRh--AXoYUj8-WDuWpUcWXC0UNAL9gjbTp=1hU-NJhRyR0vQ@mail.gmail.com>
<[email protected]>
<CAFCRh-9AzsOBd6cPFsgmbw=Mf3nN5tHj9YYQQHZG0XqxDSMK=Q@mail.gmail.com>
<[email protected]>
<[email protected]>
<CAFCRh-8D+R=xufTFYN8SDDeEVwDNCb7kcspt9hsRW2T-QOMoKg@mail.gmail.com>
<[email protected]>
<CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w@mail.gmail.com>
Dominique Devienne <[email protected]> writes:
> On Thu, Jul 31, 2025 at 11:35 AM Guillaume Lelarge
> <[email protected]> wrote:
>> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
>> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
>> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
>> work without the SELECT privilege.
> Right on the money! Merci Guillaume!!! --DD
So the real problem here is that the "permission denied" error message
doesn't tell you which permission you lack. I think we've had prior
discussions about improving that, but it never got done. In some
cases it's a bit complicated -- for example, here either whole-table
SELECT or SELECT on the specific column would do. But even pointing
you in the direction of "you need SELECT" would likely have led to
the correct line of thought, so maybe giving 100% of the details
isn't necessary.
regards, tom lane
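
The behaviour discussed in this message, as an added example that is not part of the original e-mail or of PostgreSQL's own code: a role holding only DELETE, the failing DELETE ... WHERE, a privilege query that names the missing SELECT, and the column-level grant that resolves it. The role and table names (demo_deleter, demo_items) are hypothetical, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed reproduction; everything is rolled back at the end.
BEGIN;

CREATE ROLE demo_deleter NOLOGIN;                 -- hypothetical role
CREATE TABLE demo_items (id int PRIMARY KEY, note text);
INSERT INTO demo_items VALUES (1, 'a'), (2, 'b'), (3, 'c');
GRANT DELETE ON demo_items TO demo_deleter;       -- DELETE only, no SELECT

SET LOCAL ROLE demo_deleter;

-- No column is read, so the DELETE privilege alone is sufficient.
SAVEPOINT no_where;
DELETE FROM demo_items;
ROLLBACK TO SAVEPOINT no_where;

-- The WHERE clause reads column "id", which requires SELECT.
-- This statement is rejected with a generic "permission denied" error.
SAVEPOINT with_where;
DELETE FROM demo_items WHERE id = 1;
ROLLBACK TO SAVEPOINT with_where;

RESET ROLE;

-- Since the error does not say which privilege is missing, ask the
-- catalog directly: table-level DELETE, table-level SELECT, and
-- column-level SELECT on the column used in the WHERE clause.
SELECT has_table_privilege('demo_deleter', 'demo_items', 'DELETE')        AS can_delete,
       has_table_privilege('demo_deleter', 'demo_items', 'SELECT')        AS can_select_table,
       has_column_privilege('demo_deleter', 'demo_items', 'id', 'SELECT') AS can_select_id;

-- Least-privilege fix: grant SELECT only on the column the WHERE reads.
-- Whole-table SELECT would also work, as the message notes.
GRANT SELECT (id) ON demo_items TO demo_deleter;

SET LOCAL ROLE demo_deleter;
DELETE FROM demo_items WHERE id = 1;              -- now permitted
RESET ROLE;

ROLLBACK;
```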