Skip site navigation (1) Skip section navigation (2)

pgsql: Adjust the permissions required for COMMENT ON ROLE.

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Adjust the permissions required for COMMENT ON ROLE.
Date: 2011-03-09 16:28:58
Message-ID: E1PxMFu-0008UD-50@gemulon.postgresql.org (view raw or flat)
Thread:
Lists: pgsql-committers
Adjust the permissions required for COMMENT ON ROLE.

Formerly, any member of a role could change the role's comment, as of
course could superusers; but holders of CREATEROLE privilege could not,
unless they were also members.  This led to the odd situation that a
CREATEROLE holder could create a role but then could not comment on it.
It also seems a bit dubious to let an unprivileged user change his own
comment, let alone those of group roles he belongs to.  So, change the
rule to be "you must be superuser to comment on a superuser role, or
hold CREATEROLE to comment on non-superuser roles".  This is the same
as the privilege check for creating/dropping roles, and thus fits much
better with the rule for other object types, namely that only the owner
of an object can comment on it.

In passing, clean up the documentation for COMMENT a little bit.

Per complaint from Owen Jacobson and subsequent discussion.

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/49a08ca1e968860fe02fa3331cc0aba361d76e02

Modified Files
--------------
doc/src/sgml/func.sgml              |   12 ++++----
doc/src/sgml/ref/comment.sgml       |   52 ++++++++++++++++++++++-------------
src/backend/catalog/aclchk.c        |   30 ++++++++++++++++++++
src/backend/catalog/objectaddress.c |   27 +++++++++++++-----
src/backend/commands/user.c         |   15 +---------
src/include/utils/acl.h             |    1 +
6 files changed, 91 insertions(+), 46 deletions(-)

pgsql-committers by date

Next:From: pgsqlDate: 2011-03-09 16:35:48
Subject: pgsql: Tag refs/tags/REL9_1_ALPHA4 was created
Previous:From: Bruce MomjianDate: 2011-03-09 14:48:39
Subject: pgsql: Remove '=' from initdb switch syntax.

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group