From: | Josh Berkus <josh(at)agliodbs(dot)com> |
---|---|
To: | Pg Docs <pgsql-docs(at)postgresql(dot)org> |
Subject: | Add remark about column privileges to clarify |
Date: | 2012-02-09 23:22:50 |
Message-ID: | 4F34554A.7040303@agliodbs.com |
Lists: | pgsql-docs |
All,
To avoid confusion, I think we should add the following sentence to
http://www.postgresql.org/docs/current/static/sql-revoke.html:
Current para:
"Note that any particular role will have the sum of privileges granted
directly to it, privileges granted to any role it is presently a member
of, and privileges granted to PUBLIC. Thus, for example, revoking SELECT
privilege from PUBLIC does not necessarily mean that all roles have lost
SELECT privilege on the object: those who have it granted directly or
via another role will still have it. Similarly, revoking SELECT from a
user might not prevent that user from using SELECT if PUBLIC or another
membership role still has SELECT rights."
Suggested improvement:
"Note that any particular role will have the sum of privileges granted
directly to it, privileges granted to any role it is presently a member
of, and privileges granted to PUBLIC. Thus, for example, revoking SELECT
privilege from PUBLIC does not necessarily mean that all roles have lost
SELECT privilege on the object: those who have it granted directly or
via another role will still have it. Similarly, revoking SELECT from a
user might not prevent that user from using SELECT if PUBLIC or another
membership role still has SELECT rights. Similarly, if a role has been
GRANTed privileges on an entire table, REVOKEing the same privileges
from individual columns will have no effect."
A quick poll of #postgresql revealed that most users, even folks who
have been using Postgres for years, are unclear on how REVOKEing
privileges on columns is supposed to work.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
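The behaviour described in the message above, as an added example that is not part of the original email or of the PostgreSQL documentation. The role `report_reader` and the table `employees` are hypothetical names constructed for illustration; the script assumes PostgreSQL 9.5 or later (for PL/pgSQL `ASSERT`), a superuser session, and rolls everything back at the end.

```sql
-- Constructed example: report_reader and employees are hypothetical names.
BEGIN;

CREATE ROLE report_reader NOLOGIN;
CREATE TABLE employees (
    id     integer PRIMARY KEY,
    name   text    NOT NULL,
    salary numeric NOT NULL
);
INSERT INTO employees VALUES (1, 'Ada', 100000);

-- Table-level grant, then the column-level REVOKE that is often expected
-- to hide the salary column.
GRANT  SELECT          ON employees TO   report_reader;
REVOKE SELECT (salary) ON employees FROM report_reader;

-- The table-level grant is unaffected by the column-level REVOKE,
-- so the role still holds SELECT on every column, salary included.
DO $$
BEGIN
    ASSERT has_column_privilege('report_reader', 'employees', 'salary', 'SELECT'),
           'expected the table-level grant to still cover salary';
END $$;

-- Restricting a column requires removing the table-level privilege and
-- granting SELECT only on the columns the role is meant to read.
REVOKE SELECT            ON employees FROM report_reader;
GRANT  SELECT (id, name) ON employees TO   report_reader;

DO $$
BEGIN
    ASSERT has_column_privilege('report_reader', 'employees', 'name', 'SELECT'),
           'expected the column-level grant on name to apply';
    ASSERT NOT has_column_privilege('report_reader', 'employees', 'salary', 'SELECT'),
           'expected salary to be unreadable after the table-level revoke';
END $$;

-- Confirm as the role itself: only the granted columns are selectable.
SET LOCAL ROLE report_reader;
SELECT id, name FROM employees;
RESET ROLE;

ROLLBACK;
```

The same `has_column_privilege` check can be run against existing roles to audit whether a column-level REVOKE actually removed access.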