From: Guillaume Lelarge
Organization: Dalibo
Date: Thu, 31 Jul 2025 11:35:05 +0200
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
To: pgsql-general@lists.postgresql.org
Message-ID: <693d1252-89e4-498d-a5a6-5de6524bbb34@dalibo.com>
References: <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com> <662792ed-810d-46f1-a0c3-d4b55e5469fc@aklaver.com>
On 31/07/2025 10:41, Dominique Devienne wrote:
> On Wed, Jul 30, 2025 at 9:42 PM Adrian Klaver wrote:
>> My suspicion is that there is a missing piece in your chain of roles.
>
> But my point Adrian is that, in my case, has_table_privilege() returns
> true (t) yet the delete fails. Contrary to your example above. I can
> easily accept that the problem lies on my side, but how can
> has_table_privilege() "lie" like this?
>

It doesn't lie. The role has DELETE privilege. I guess what it lacks is
the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
work without the SELECT privilege.

Quick test case:

postgres@rpm18 =# create role u1 login;
CREATE ROLE
postgres@rpm18 =# create table t1 (id integer);
CREATE TABLE
postgres@rpm18 =# grant delete on t1 to u1;
GRANT
postgres@rpm18 =# \c - u1
You are now connected to database "postgres" as user "u1".
postgres@rpm18 => delete from t1;
DELETE 0
postgres@rpm18 => delete from t1 where id=10;
ERROR:  permission denied for table t1
postgres@rpm18 => \c - postgres
You are now connected to database "postgres" as user "postgres".
🐘 on postgres@rpm18 =# grant select on t1 to u1;
GRANT
postgres@rpm18 =# \c - u1
You are now connected to database "postgres" as user "u1".
postgres@rpm18 => delete from t1 where id=10;
DELETE 0

-- 
Guillaume Lelarge
Consultant
https://dalibo.com
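The following is an added example, not part of Guillaume's message or of any poster's code. It reproduces his test with the privilege checks made explicit, so that the "has_table_privilege() lies" impression can be seen for what it is: has_table_privilege(..., 'DELETE') answers only the question it is asked, and a DELETE with a WHERE clause also reads columns, which is a SELECT check. It then shows the least-privilege fix: a column-level SELECT grant on just the column(s) the WHERE clause references, instead of SELECT on the whole table. The role u2, the table t2 and its columns are constructed names chosen to avoid colliding with the u1/t1 used in the thread; the script uses SET ROLE rather than \c so it runs as one psql session started by a superuser.

```sql
-- Added example (not from the original thread). Run as a superuser in psql.
-- Names u2, t2, id and owner_id are assumptions for this demonstration.
CREATE ROLE u2 LOGIN;
CREATE TABLE t2 (id integer, owner_id integer);
GRANT DELETE ON t2 TO u2;

-- Ask both questions separately: DELETE was granted, SELECT was not.
-- Neither answer is wrong; the delete below needs both to be true.
SELECT has_table_privilege('u2', 't2', 'DELETE') AS can_delete,
       has_table_privilege('u2', 't2', 'SELECT') AS can_select;

SET ROLE u2;
DELETE FROM t2;                        -- allowed: no column is read
DELETE FROM t2 WHERE id = 10;          -- rejected: the WHERE reads id, a SELECT check
RESET ROLE;

-- Least-privilege fix: grant SELECT on the column the WHERE clause reads,
-- not on the whole table.
GRANT SELECT (id) ON t2 TO u2;

-- has_table_privilege() still reports no table-level SELECT; the column-level
-- functions are the ones that see the new grant.
SELECT has_table_privilege('u2', 't2', 'SELECT')              AS table_select,
       has_any_column_privilege('u2', 't2', 'SELECT')         AS any_column_select,
       has_column_privilege('u2', 't2', 'id', 'SELECT')       AS id_select,
       has_column_privilege('u2', 't2', 'owner_id', 'SELECT') AS owner_id_select;

SET ROLE u2;
DELETE FROM t2 WHERE id = 10;          -- allowed: id is now readable
DELETE FROM t2 WHERE owner_id = 10;    -- rejected: owner_id is still not readable
RESET ROLE;

-- Cleanup
DROP TABLE t2;
DROP ROLE u2;
```

When auditing a role that "has DELETE but the delete fails", check the SELECT side with has_column_privilege() for each column named in the WHERE clause (and in any RETURNING list), not only has_table_privilege(). The same reasoning applies to UPDATE ... WHERE, which needs UPDATE on the assigned columns and SELECT on the columns it reads.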