Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uhRcd-0006XE-Dz
	for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 11:38:55 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uhRbc-0004Q8-Oc
	for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 11:37:52 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <ddevienne@gmail.com>)
	id 1uhRbc-0004Pz-BP
	for pgsql-general@lists.postgresql.org; Thu, 31 Jul 2025 11:37:52 +0000
Received: from mail-oo1-xc2b.google.com ([2607:f8b0:4864:20::c2b])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <ddevienne@gmail.com>)
	id 1uhRbZ-0000O5-26
	for pgsql-general@lists.postgresql.org;
	Thu, 31 Jul 2025 11:37:51 +0000
Received: by mail-oo1-xc2b.google.com with SMTP id 006d021491bc7-6197e13b6b8so3861eaf.3
        for <pgsql-general@lists.postgresql.org>; Thu, 31 Jul 2025 04:37:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1753961870; x=1754566670; darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=m2ZlAQAatIrDcyAK9vVewMlY8mxtagYFMoU7ps/LDYU=;
        b=OP64gNa3T21OeeXnABnMHtsdrJyuurwYKn6hwwHNRED0vANWbGt5ovvbUKwcWCiK2k
         YB7C0YUOFGrVeN+BXXE09kALbWPdr/42sYhwm3y0Uphz5cxhF5qTe+Hti4wuEhD9rjri
         HZSXnlLoPKWW7Csw1wVI+20VnC1o0uWk7WtP4Py7Xxg1ekknu2OKgxVXvzy257Phnab/
         FlSFGBl/Boe066A77c8RatW8r82xrpcoKZVdefc170leh96CEODtahObJ57rPUc91SHX
         ig5ivpUnee7WuDCsfoVvK5ARJoXr7cWbtWpFkqPDHIyyGCxZz4+RbQ+N7H4/44zqGVGS
         aPqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1753961870; x=1754566670;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=m2ZlAQAatIrDcyAK9vVewMlY8mxtagYFMoU7ps/LDYU=;
        b=vCl748aqx0BPwnt141D+5gSjcDwsrwAHMeuzCp7D6koLRdC0kv6Oe0yWO06BoJTokZ
         7Lv6ccfATE2psNh+sDq1pNFMVFH8aq818nfE0nQkQwgUlFmLnxGw0t5AxWseksbAvvaV
         Ja5L7vxY6VfV8JuJwa4xziEVYBqOMbv/U9cUIwlapG4uDBGyI1ikbaXIOTzm/09OZdbb
         +Qm+DhtB4MptQ21yJgCD/V4OuGcXMPc5PW0qbaky3ELDH77oYT7ymOQyYY0fKhbivE26
         jCuD1N475bsTkDAuEAf+V6lHUisRehYuaS1AsN5KfthbIoz32XCVUeEmYmpsMtGjtrN1
         QApw==
X-Gm-Message-State: AOJu0YyyaG7pQ40NHkWUzs8CBu7/dDPMkc5MPUksU9D7kYQRyLOH2Gb5
	lc8ZoiVCBj3aBuF2/bY/CMfSbjNz3gYLVO4boChxYXKCRN7vq5giaqpj2JWN321DiTZ/DDIv0LN
	hCXkBP8Itr/NvUSnAUlasVVXUVFgt8sA=
X-Gm-Gg: ASbGncvDae/fZkaeKTgTno1WLVRDsLTzm2PtnpuYKw8YKZ3B4Gi7bjoMSnBonc6/3+M
	H5RG9pCDTYoNuf64RKiCbh0EYBSxsHMD2mKs54d3uiXINUxxZccUYDVkLh9yrLw9TCS6hCETDU0
	igIwVWeFMovC0ZRdHvgfLJdUxl6IahBIBFwPeF3QmPhCI9kWbQQwamsNVHUaAvPI7dVRrAO8OZI
	UPFUQpmJg==
X-Google-Smtp-Source: AGHT+IHCgoaECahPWnsxwe1psxE3GQwTX2etFM27Oowe67gsilR66SBdYz+Uoo/X/33g10HidYwAF4RWiGtK31R3pYY=
X-Received: by 2002:a05:6820:207:b0:619:355c:f279 with SMTP id
 006d021491bc7-6195d2a3e58mr3781900eaf.4.1753961869664; Thu, 31 Jul 2025
 04:37:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAFCRh--AXoYUj8-WDuWpUcWXC0UNAL9gjbTp=1hU-NJhRyR0vQ@mail.gmail.com>
 <fa68fc72-e109-452e-8642-2b99c613f870@aklaver.com> <CAFCRh-9AzsOBd6cPFsgmbw=Mf3nN5tHj9YYQQHZG0XqxDSMK=Q@mail.gmail.com>
 <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com> <662792ed-810d-46f1-a0c3-d4b55e5469fc@aklaver.com>
 <CAFCRh-8D+R=xufTFYN8SDDeEVwDNCb7kcspt9hsRW2T-QOMoKg@mail.gmail.com> <693d1252-89e4-498d-a5a6-5de6524bbb34@dalibo.com>
In-Reply-To: <693d1252-89e4-498d-a5a6-5de6524bbb34@dalibo.com>
From: Dominique Devienne <ddevienne@gmail.com>
Date: Thu, 31 Jul 2025 13:37:37 +0200
X-Gm-Features: Ac12FXyuIV0-CZOsYDADwEnXAAqOSfoRxAAy9U7kV8ujfRNrGosQoUfwAldg1hQ
Message-ID: <CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w@mail.gmail.com>
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
To: Guillaume Lelarge <guillaume.lelarge@dalibo.com>
Cc: pgsql-general@lists.postgresql.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w%40mail.gmail.com>
Precedence: bulk

On Thu, Jul 31, 2025 at 11:35=E2=80=AFAM Guillaume Lelarge
<guillaume.lelarge@dalibo.com> wrote:
> On 31/07/2025 10:41, Dominique Devienne wrote:
> > On Wed, Jul 30, 2025 at 9:42=E2=80=AFPM Adrian Klaver <adrian.klaver@ak=
laver.com> wrote:
> > how can has_table_privilege() "lie" like this?
>
> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
> work without the SELECT privilege.

Right on the money! Merci Guillaume!!! --DD

PQ: NOTICE: can DELETE =3D t
PQ: NOTICE: can SELECT =3D f