Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uhU5K-000V1D-EO
	for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 14:16:42 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uhU5J-001IrR-9S
	for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 14:16:41 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1uhU25-001DrK-GT
	for pgsql-general@lists.postgresql.org; Thu, 31 Jul 2025 14:13:21 +0000
Received: from fhigh-b1-smtp.messagingengine.com ([202.12.124.152])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1uhU22-00027K-1w
	for pgsql-general@lists.postgresql.org;
	Thu, 31 Jul 2025 14:13:21 +0000
Received: from phl-compute-04.internal (phl-compute-04.phl.internal [10.202.2.44])
	by mailfhigh.stl.internal (Postfix) with ESMTP id 899EC7A1C82;
	Thu, 31 Jul 2025 10:13:17 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-04.internal (MEProxy); Thu, 31 Jul 2025 10:13:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h=
	cc:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm2; t=1753971197;
	 x=1754057597; bh=JUgw/L54wAPKOI+r9+nxlgb4hnqFNabLOSHmd5/eOf8=; b=
	iMOE8AA1Ktf0aEVknOjCFGEKwrj+IJDRWRRq4/0/CwL+dsdPbvXl92EyURSbTYRu
	vEj88qOSdnWEixh3uVdRfQM4Z1ojs3khASW8SBbOC6xvGDPpkCZKDIOCT83rjAQE
	TOa/5wO7kwxG7GDlOZzCcr3rpXrl02Roaqr8LThMhaAQpx7137jlos6CVexA6ZQM
	LlegbixHhotNCuQ8jOvmL6Wg0SZwRvJGcf1tzXaoFgTmvcIdOMP0rRsh82Bs5s+b
	mJyD2v7/GcGDM/IRxfmXrXDNJJKZ+K0PLt84pSGsani5YdSHQbVHpF05c1EjYAtu
	H4LfsDqqsSRNgOgpRq7UGQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1753971197; x=
	1754057597; bh=JUgw/L54wAPKOI+r9+nxlgb4hnqFNabLOSHmd5/eOf8=; b=c
	jvaZnW9hBsh4MiJ93mMW9y5pHYLMxbr3sgBEAiGkGTyaeFdqxN5GFFGYQnVNWuAX
	H+4/mw/sAavTAFwFRad7qm7DXlkeAoNiLDXJqwqUDnlhCiTzll/ZxqphLU3klxI8
	8F8bZGqYOcq1syZRu6ou0Y70kTtHIc6+JIXlvcT8PM+pOyT+hGNvoQQvcdrytD+C
	SCGfF262NNZtkf38InFnjpY+9dwqs2szKVy43WkMyZk7F/oXZX65dpzOCdQCvQT2
	Y8AFsJipqVnI1ABn9RN80BwozgjjZYDblMr3vp09Hm6DHOqtISGlY8Zxx7qzYCDG
	GHHwhNDSSPi1zf9IVVg1A==
X-ME-Sender: <xms:_XmLaD7t-hJt39faqRZar8ZPauNELch24Vlycj4qEScPKOvlQruI8w>
    <xme:_XmLaMK_ojNaHj3F_jfkSMwW_3x2CQzTW-FMFV7Et2l5d6N3-Ubi9Q6ejvOUfTVMG
    a3hH50JoSsPorg>
X-ME-Received: <xmr:_XmLaD51NiDCdNek2I2NdUVh4K912KYwlb0fo5ADwbD6DCRuthR7MxUriFdX6oKjKSKza2L7me6kxwympSDojdAhubMYFw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgddutddutddvucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf
    gurhepkfffgggfuffvvehfhfgjtgfgsehtkeertddtvdejnecuhfhrohhmpeetughrihgr
    nhcumfhlrghvvghruceorggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomh
    eqnecuggftrfgrthhtvghrnhepfeegfeeiuedtgffgteeggfehkeejheetieeliefgteei
    keejvdeiveeigfehvedtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrg
    hilhhfrhhomheprggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomhdpnhgs
    pghrtghpthhtohepfedpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepugguvghvih
    gvnhhnvgesghhmrghilhdrtghomhdprhgtphhtthhopehguhhilhhlrghumhgvrdhlvghl
    rghrghgvsegurghlihgsohdrtghomhdprhgtphhtthhopehpghhsqhhlqdhgvghnvghrrg
    hlsehlihhsthhsrdhpohhsthhgrhgvshhqlhdrohhrgh
X-ME-Proxy: <xmx:_XmLaPwaD-g40PsjWPUoNuhyZFzc7DtcMoR5ArXAFnBrywOZOxiF-Q>
    <xmx:_XmLaHZmjtNViQPebWkn6RmG6alZsAoXndrglDJwtKk-MSPzpxl1sg>
    <xmx:_XmLaBSuSjro004jJIjeAuTHEaIp3zSmLzsRQyY1EE3WEDPLg6oz8g>
    <xmx:_XmLaBzX0B-mjB7Qrw9hoW-a6Zf9nIPcy-yQR_NXzsIMZPpRYYPDQA>
    <xmx:_XmLaLHwkSuEJ5QRgnZHcZbbdUAiuKTEvOhTg8nJF5rzXlsPtgPxc4EH>
Feedback-ID: i76984098:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu,
 31 Jul 2025 10:13:16 -0400 (EDT)
Message-ID: <bc2b9760-3597-477a-b199-633ba3ac36e5@aklaver.com>
Date: Thu, 31 Jul 2025 07:13:16 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql)
 function
To: Dominique Devienne <ddevienne@gmail.com>,
 Guillaume Lelarge <guillaume.lelarge@dalibo.com>
Cc: pgsql-general@lists.postgresql.org
References: <CAFCRh--AXoYUj8-WDuWpUcWXC0UNAL9gjbTp=1hU-NJhRyR0vQ@mail.gmail.com>
 <fa68fc72-e109-452e-8642-2b99c613f870@aklaver.com>
 <CAFCRh-9AzsOBd6cPFsgmbw=Mf3nN5tHj9YYQQHZG0XqxDSMK=Q@mail.gmail.com>
 <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com>
 <662792ed-810d-46f1-a0c3-d4b55e5469fc@aklaver.com>
 <CAFCRh-8D+R=xufTFYN8SDDeEVwDNCb7kcspt9hsRW2T-QOMoKg@mail.gmail.com>
 <693d1252-89e4-498d-a5a6-5de6524bbb34@dalibo.com>
 <CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w@mail.gmail.com>
Content-Language: en-US
From: Adrian Klaver <adrian.klaver@aklaver.com>
In-Reply-To: <CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/bc2b9760-3597-477a-b199-633ba3ac36e5%40aklaver.com>
Precedence: bulk

On 7/31/25 04:37, Dominique Devienne wrote:
> On Thu, Jul 31, 2025 at 11:35 AM Guillaume Lelarge
> <guillaume.lelarge@dalibo.com> wrote:
>> On 31/07/2025 10:41, Dominique Devienne wrote:
>>> On Wed, Jul 30, 2025 at 9:42 PM Adrian Klaver <adrian.klaver@aklaver.com> wrote:
>>> how can has_table_privilege() "lie" like this?
>>
>> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
>> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
>> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
>> work without the SELECT privilege.
> 
> Right on the money! Merci Guillaume!!! --DD
> 
> PQ: NOTICE: can DELETE = t
> PQ: NOTICE: can SELECT = f

So the below from the original post was not correct:

"My setup ensures that the role I SET LOCAL ROLE to, has (indirectly)
been granted DMLs on that table."


-- 
Adrian Klaver
adrian.klaver@aklaver.com