On Saturday, September 8, 2018, PG Bug reporting form <
noreply(at)postgresql(dot)org> wrote:
>
> 1. Execute "CREATE USER mytestuser WITH PASSWORD '12345678' CREATEDB
> CREATEROLE;" using a superuser;
>
So, reading the create role docs this seems to be working as designed.
“Be careful with the CREATEROLE privilege. There is no concept of
inheritance for the privileges of a CREATEROLE-role. That means that even
if a role does not have a certain privilege but is allowed to create other
roles, it can easily create another role with different privileges than its
own (except for creating roles with superuser privileges)”
David J.
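
An audit query for the behaviour the quoted documentation describes, as an added example that is not part of the original message: it lists every non-superuser role that holds CREATEROLE, the attributes that role has itself, and the roles that are direct members of it. It assumes only the standard `pg_roles` and `pg_auth_members` catalogs; `mytestuser` is the role name from the report.

```sql
-- Added example: non-superuser roles that are allowed to create other roles.
-- Because CREATEROLE privileges are not limited to the holder's own
-- attributes, each row is a role whose reach is wider than its own flags.
SELECT r.rolname       AS createrole_holder,
       r.rolcanlogin   AS can_login,
       r.rolcreatedb   AS has_createdb,
       r.rolvaliduntil AS password_valid_until,
       COALESCE(
         (SELECT string_agg(m.rolname, ', ' ORDER BY m.rolname)
            FROM pg_auth_members am
            JOIN pg_roles m ON m.oid = am.member
           WHERE am.roleid = r.oid),
         '')           AS direct_members
  FROM pg_roles r
 WHERE r.rolcreaterole
   AND NOT r.rolsuper
 ORDER BY r.rolname;

-- If a listed role does not need to manage roles, remove the attribute
-- (run as a superuser):
-- ALTER ROLE mytestuser NOCREATEROLE;
```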