| From: | Darren Duncan <darren(at)darrenduncan(dot)net> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Cc: | Craig Ringer <ringerc(at)ringerc(dot)id(dot)au> |
| Subject: | Re: Raise a WARNING if a REVOKE affects nothing? |
| Date: | 2012-08-21 06:46:00 |
| Message-ID: | 50332EA8.9030708@darrenduncan.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
That sounds like a good change to me. -- Darren Duncan
Craig Ringer wrote:
> Hi all
>
> I'm seeing lots of confusion from people about why:
>
> REVOKE CONNECT ON DATABASE foo FROM someuser;
>
> doesn't stop them connecting. Users seem to struggle to understand that:
>
> - There's a default GRANT to public; and
> - REVOKE removes existing permissions, it doesn't add deny rules
>
> It'd really help if REVOKE consistently raised warnings when it didn't
> actually revoke anything.
>
> Even better, a special case for REVOKEs on objects that only have owner
> and public permissions could say:
>
> WARNING: REVOKE didn't remove any permissions for user <blah>. This
> <table/db/whatever>
> has default permissions, so there were no GRANTs for user <blah> to
> revoke. See the documentation
> for REVOKE for more information.
>
>
> Opinions?
>
>
> --
> Craig Ringer
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kaare Rasmussen | 2012-08-21 07:35:09 | Re: Unexpected plperl difference between 8.4 and 9.1 |
| Previous Message | Craig Ringer | 2012-08-21 06:31:29 | Raise a WARNING if a REVOKE affects nothing? |