Re: Regarding TODO item "%Add a separate TRUNCATE permission"

* Gevik Babakhani (pgdev(at)xs4all(dot)nl) wrote:
> On Wed, 2006-04-26 at 13:31 -0400, Stephen Frost wrote:
> > * Gevik Babakhani (pgdev(at)xs4all(dot)nl) wrote:
> > > The new TRUNCATE permission:
> > > Is it meant to be a general truncating permission on all tables,
> > > schema's like: ???I, the DBA give you the privilege to TRUNCATE???
> > > Or is this a per-table, per-schema truncate privilege.
>
> > It would be a per-table, table-level privilege.
>
> Would the privilege apply to the table depending on the table being
> truncated?

eh? It's just like 'select', 'update', 'delete', etc. Either you have
permission to truncate the table(s), or you don't. The main problem
you'll run into here is not the implementation (it's trivial and I've
already done it actually) for this specific permission but that we need
to redesign the permission system to allow for more permission bits
because otherwise we'll run out soon.

My initial thought on how to do this was to split the permissions into
"use" permissions and "admin" permissions. There's already a split
along these lines built into the system (lower-order bits are "use" and
higher-order bits are "admin", or the other way around) but *alot* of
things currently expect to be able to pass permissions around in 4
bytes. I'd be happy to look into this some more (and had planned to)
but I've been rather busy lately (finals coming up).

I think the use/admin split is the correct split because the "admin"
permissions aren't checked very frequently (mainly by grants and people
looking at the permission information). The "use" permissions are
checked very frequently and so need to be kept fast. I don't think that
would be very difficult to do though.

Thanks,

Stephen