Re: superuser() shortcuts

* Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
> On 2014-11-21 10:12:40 -0500, Stephen Frost wrote:
> > * Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
> > > I still think this change makes the error message more verbose, without
> > > any win in clarity.
> >
> > Can we agree that there should be consistency?
>
> Consistency with what? Are you thinking of the messages in
> aclck.c:no_priv_msg? I don't think that's really comparable. A
> permission denied on a relation is much easier to understand than
> replication permissions and such.

The discussion around wording started here, I believe:

20141022231834(dot)GA1587(at)alvin(dot)alvh(dot)no-ip(dot)org

Perhaps more to your question though, all checks of
'have_createdb_privilege' return 'permission denied to' style errors,
'have_createrole_privilege' returns 'permission denied' style for all
except where it returns the more specific 'must have admin option',
the 'has_rolcatupdate' check returns 'permission denied', and the
'has_bypassrls_privilege' check returns 'insufficient privilege' (note:
I'm in favor of changing that to use 'permission denied' instead too).

With regard to ereport() calls which return
ERRCODE_INSUFFICIENT_PRIVILEGE, things are pretty mixed up. Some places
places say 'permission denied to' and then have 'must be superuser' as a
hint while others just say 'must be superuser' and then others are just
'permission denied' (such as aclchk.c:no_priv_msg).

> It'd surely not be better if pg_basebackup would a error message bar
> actually helpful information.

ENOPARSE. I certainly agree that we want useful information to be
returned, in general..

> Btw, the replication permission use in
> postinit.c isn't related to slots.

Err, no, of course not, that should still be referring to starting
walsender.

Thanks!

Stephen