Re: Removing pg_auth_members.grantor (was Grantor name gets lost when grantor role dropped)

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > If you're saying we don't currently warn if a revoke leaves the
> > priviledges in-tact for the right and target, I'm not sure you can
> > currently get in a state where it'd be possible to run into that.
>
> I'm thinking of the case that comes up periodically where newbies think
> that revoking a right from a particular user overrides a grant to PUBLIC
> of the same right.

Technically, the grant to public is a different target from the target
of the revoke in such a case. Following the spec would mean that even
when the grant and the revoke target is the same (unless you're the
original grantor) the right won't be removed. I'm not against adding a
warning in the case you describe though, but I don't see it being as
necessary for that case. What the spec describes is, at least in my
view, much more counter-intuitive than how PG currently works.

Thanks,

Stephen