Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Dominique Devienne <ddevienne(at)gmail(dot)com>
Cc: Guillaume Lelarge <guillaume(dot)lelarge(at)dalibo(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
Date: 2025-07-31 14:11:53
Message-ID: 2071880.1753971113@sss.pgh.pa.us
Lists: pgsql-general

Dominique Devienne <ddevienne(at)gmail(dot)com> writes:
> On Thu, Jul 31, 2025 at 11:35 AM Guillaume Lelarge
> <guillaume(dot)lelarge(at)dalibo(dot)com> wrote:
>> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
>> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
>> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
>> work without the SELECT privilege.

> Right on the money! Merci Guillaume!!! --DD

So the real problem here is that the "permission denied" error message
doesn't tell you which permission you lack. I think we've had prior
discussions about improving that, but it never got done. In some
cases it's a bit complicated -- for example, here either whole-table
SELECT or SELECT on the specific column would do. But even pointing
you in the direction of "you need SELECT" would likely have led to
the correct line of thought, so maybe giving 100% of the details
isn't necessary.

regards, tom lane
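The privilege behaviour Guillaume describes and the column-level case Tom mentions, as an added example that is not part of the thread. The table name `t`, the role `app_deleter` and the sample rows are constructed for illustration; each step runs inside a transaction with SET LOCAL ROLE (the construct in the thread's subject) and is rolled back so the rows survive for the next step. Error wording varies slightly by PostgreSQL major version.

```sql
-- Added example, not from the thread. Names (t, app_deleter) are assumed.
CREATE TABLE t (id int PRIMARY KEY, payload text);
INSERT INTO t VALUES (1, 'a'), (2, 'b');

CREATE ROLE app_deleter NOLOGIN;
GRANT app_deleter TO CURRENT_USER;      -- lets a non-superuser SET ROLE to it
GRANT DELETE ON t TO app_deleter;       -- DELETE only, deliberately no SELECT

-- 1. A bare DELETE touches no column values, so only DELETE is checked.
BEGIN;
SET LOCAL ROLE app_deleter;
DELETE FROM t;                          -- DELETE 2
ROLLBACK;                               -- undo, keep the rows for step 2

-- 2. A WHERE clause reads the table, so SELECT on the referenced
--    column(s) is required as well; with DELETE alone this fails.
BEGIN;
SET LOCAL ROLE app_deleter;
DELETE FROM t WHERE id = 1;             -- ERROR:  permission denied for table t
ROLLBACK;

-- 3. Whole-table SELECT is not needed: SELECT on just the column used
--    in the WHERE clause is enough, and a column that was not granted
--    still fails.
GRANT SELECT (id) ON t TO app_deleter;
BEGIN;
SET LOCAL ROLE app_deleter;
DELETE FROM t WHERE id = 1;             -- DELETE 1
DELETE FROM t WHERE payload = 'b';      -- ERROR:  permission denied for table t
ROLLBACK;
```

When auditing grants for a role that is meant to delete but never read, check for exactly this shape: `DELETE` granted with no `SELECT`, which will fail on any filtered delete. The least-privilege fix is a column-level `GRANT SELECT (key_column)` rather than table-wide `SELECT`, as step 3 shows.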
