| From: | Patrick Stählin <me(at)packi(dot)ch> |
|---|---|
| To: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
| Cc: | pgsql-docs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Add sentence about SECURITY LABEL object ownership |
| Date: | 2025-06-05 15:02:43 |
| Message-ID: | 69cd888d-2223-4880-9f57-dfe31bf2481a@packi.ch |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs |
On 6/5/25 4:21 PM, Laurenz Albe wrote:
>> +
>> + <para>
>> + You must own the database object to use the <command>SECURITY LABEL</command>.
>> + </para>
>> </refsect1>
>>
>> <refsect1>
>
> Wouldn't it be more accurate to say that you have to be a member of the owning role?
> But perhaps that would be complicated enough to confuse many users.
We're calling check_object_ownership which errors out with:
aclcheck_error(ACLCHECK_NOT_OWNER, [...])
which in turn then aborts with "must be owner of [...]". But checking
the code, we do call has_privs_of_role, so you're absolutely right.
In doc/src/sgml/ref/alter_*.sgml we use the phrase "You must own the
[...]" to describe the privileges needed. Let me know if you want me to
change the wording.
While double checking I noticed that other docs don't have the extra
"the " before "<command>[...] " so I dropped that in my v2 patch.
Thanks for reviewing!
Patrick
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Document-ownership-requirement-for-SECURITY-LABEL-v2.patch | text/x-patch | 980 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2025-06-05 15:19:02 | Re: Add sentence about SECURITY LABEL object ownership |
| Previous Message | Laurenz Albe | 2025-06-05 14:21:47 | Re: Add sentence about SECURITY LABEL object ownership |