Re: [PATCH] Report column-level error when lacking privilege

Hi Steve,

On Mon, Mar 30, 2026 at 6:37 AM Steve Chavez <steve(at)supabase(dot)io> wrote:
>
> Hello hackers,
>
> When a role `xx` has `grant select (name) on items to xx;`, a generic table-level error is given:
>
> select * from items;
> ERROR: permission denied for table items
>
> With this patch, we now give:
>
> select * from items;
> ERROR: permission denied for column "id" of relation "items"
>
> This only when the user has column-level privileges, if it doesn't have any the same regular table-level error is given. This makes the most sense and also keeps current tests mostly the same.
>
> * It also works for UPDATE and INSERT.
> * Clears the TODO mentioned on lines
> https://github.com/postgres/postgres/blob/45cdaf3665bedfbabb908bb84284f3db26781ad3/src/backend/executor/execMain.c#L691-L693
> * This patch is on top of the patch mentioned on https://www.postgresql.org/message-id/CAGRrpzYP%2B3zEk__KZu-a5uWySfwgRFk6eoPXKrA5AdtBTXR%3Dng%40mail.gmail.com, which refactors the code to make it simpler to review.

I had started on this some time ago [1], but couldn't finish it for
the want of time. There are some suggestions from Nathan and Tom which
may be applicable to you approach as well. I am fine if you would like
to use my patches if those help.

[1] https://www.postgresql.org/message-id/CAExHW5swFANiB9JmqRoGg_Rkr+M=qh+ci_zfOtQXFT+A=+jB-A@mail.gmail.com

--
Best Wishes,
Ashutosh Bapat