Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function

From: Dominique Devienne <ddevienne(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Guillaume Lelarge <guillaume(dot)lelarge(at)dalibo(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
Date: 2025-07-31 15:59:42
Message-ID: CAFCRh-_+=xT4oj2NgVd8+n_hECFqkKzHTRbsito89P=o8oG4TA@mail.gmail.com
Lists: pgsql-general

On Thu, Jul 31, 2025 at 4:11 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Dominique Devienne <ddevienne(at)gmail(dot)com> writes:
> > On Thu, Jul 31, 2025 at 11:35 AM Guillaume Lelarge
> > <guillaume(dot)lelarge(at)dalibo(dot)com> wrote:
> >> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
> >> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
> >> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
> >> work without the SELECT privilege.
>
> > Right on the money! Merci Guillaume!!! --DD
>
> So the real problem here is that the "permission denied" error message
> doesn't tell you which permission you lack. I think we've had prior
> discussions about improving that, but it never got done.

Indeed, a hint would have helped I'm sure.

But also, it's weird DELETE allows you to delete all rows.
Yet prevents you from deleting just one, i.e. a subset.
I get it, a WHERE needs to read, so needs SELECT.
Still, it obviously tripped me up here. And it's my bad.
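
The behaviour discussed in this message, as an added example that is not part of the original thread: a role holding only DELETE can empty the table but cannot delete by predicate until it may read the column used in the WHERE clause. The role `del_only` and table `demo_items` are hypothetical names, and the script assumes a superuser session in a scratch database; everything is rolled back at the end.

```sql
-- Constructed demo: del_only and demo_items are hypothetical names.
BEGIN;

CREATE ROLE del_only NOLOGIN;
CREATE TABLE demo_items (id int PRIMARY KEY, note text);
INSERT INTO demo_items VALUES (1, 'a'), (2, 'b'), (3, 'c');
GRANT DELETE ON demo_items TO del_only;

SET LOCAL ROLE del_only;

-- Audit check: list what the current role actually holds on the table.
SELECT has_table_privilege('demo_items', 'DELETE')        AS can_delete,
       has_table_privilege('demo_items', 'SELECT')        AS can_select,
       has_column_privilege('demo_items', 'id', 'SELECT') AS can_read_id;

-- Unqualified DELETE reads no column values, so DELETE alone is enough.
SAVEPOINT no_where;
DELETE FROM demo_items;
ROLLBACK TO SAVEPOINT no_where;

-- The WHERE clause reads column id, which needs SELECT on that column.
-- With only DELETE granted, this statement is rejected with the generic
-- "permission denied" error that does not name the missing privilege.
SAVEPOINT with_where;
DELETE FROM demo_items WHERE id = 1;
ROLLBACK TO SAVEPOINT with_where;

-- Least-privilege fix: grant read access only to the column the predicate
-- uses, rather than SELECT on the whole table.
RESET ROLE;
GRANT SELECT (id) ON demo_items TO del_only;
SET LOCAL ROLE del_only;

-- The same targeted DELETE is now permitted; column note stays unreadable.
DELETE FROM demo_items WHERE id = 1;
SELECT has_column_privilege('demo_items', 'note', 'SELECT') AS can_read_note;

-- Discard the role, table and grants created above.
ROLLBACK;
```

Run it with `psql` without `ON_ERROR_STOP`, so the rejected statement is reported and the script continues to the savepoint rollback.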
