From: | Loren Siebert <loren(at)paradigm(dot)xyz> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #17626: Permission denied errors should list role as well as user |
Date: | 2022-10-03 17:12:44 |
Message-ID: | CAG5U2QJGnjO5=Sf7Ewg2UYLFejauF7K3Wa8uZOP=dwCr3v-boA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
I think what may be happening here is that the Postgres error and "permission
denied for table foo" message are getting caught by the ORM I am using
(Prisma) and it is prepending "user=elevated_user" to that but no role
information. That's probably the more appropriate place for me to take this
up.
Thank you Tom and David for looking into this and for your work on Postgres!
On Mon, Oct 3, 2022 at 8:53 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> > Basically, a permission check requires two things and the complaint is
> that
> > only one of those things is mentioned in the error message.
>
> No, the complaint is that the wrong thing is shown --- but I don't
> know what's showing it; aclcheck_error() certainly doesn't.
>
> There's a separate conversation to be had perhaps about whether
> aclcheck_error's standard message *should* include the role name
> whose permissions were checked. I have a vague feeling that that
> omission was intentional, but it was so long ago that I don't
> recall for sure. It seems like something that'd be good to show
> in more complicated situations with views, security definer
> functions, etc.
>
> regards, tom lane
>
From | Date | Subject | |
---|---|---|---|
Next Message | David G. Johnston | 2022-10-03 22:04:27 | Re: BUG #17626: Permission denied errors should list role as well as user |
Previous Message | Tom Lane | 2022-10-03 15:53:31 | Re: BUG #17626: Permission denied errors should list role as well as user |