| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Steve Chavez <steve(at)supabase(dot)io> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Report column-level error when lacking privilege |
| Date: | 2026-03-30 03:34:56 |
| Message-ID: | CAKFQuwaiP+kYLCtUh_5Hdd7XKUHHH_Y5JAvb-0x2JQevJevVeA@mail.gmail.com |
| Lists: | pgsql-hackers |
On Sun, Mar 29, 2026 at 6:07 PM Steve Chavez <steve(at)supabase(dot)io> wrote:
> When a role `xx` has `grant select (name) on items to xx;`, a generic
> table-level error is given:
>
> select * from items;
> ERROR: permission denied for table items
>
> With this patch, we now give:
>
> select * from items;
> ERROR: permission denied for column "id" of relation "items"
>
>

Not too fond of picking one column as a representative for the error
message. Better to say something like:

ERROR: permission denied for column subset of table items

Haven't looked but it should be doable to run a query for a given relation
and role and report for each column whether a grant is available or not;
which would be the one-stop shop for figuring out which columns at least
don't have permissions granted. The user would still have to know which
ones their query is actually using.

David J.
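
The per-column report suggested in the reply above, as an added example that is not part of the thread or of the patch: it calls PostgreSQL's `has_column_privilege()` for every live column in `pg_attribute`. The role `xx` and table `items` come from the quoted example; the `price` column and the throwaway setup inside a rolled-back transaction are assumptions.

```sql
-- Constructed setup mirroring the scenario quoted in the thread.
-- Only "id" and "name" appear on the page; "price" is an assumed extra column.
BEGIN;
CREATE ROLE xx;
CREATE TABLE items (id int PRIMARY KEY, name text, price numeric);
GRANT SELECT (name) ON items TO xx;

-- One row per user column of the relation, with whether role xx may SELECT it.
-- has_column_privilege() also returns true when a table-level grant
-- covers the column, so this reflects effective access, not only
-- column-level ACL entries.
SELECT a.attnum,
       a.attname AS column_name,
       has_column_privilege('xx'::name, a.attrelid, a.attnum, 'SELECT') AS can_select
FROM pg_attribute AS a
WHERE a.attrelid = 'items'::regclass
  AND a.attnum > 0           -- skip system columns (ctid, xmin, ...)
  AND NOT a.attisdropped     -- skip dropped columns
ORDER BY a.attnum;

-- Discard the constructed role and table.
ROLLBACK;
```

Swapping `'SELECT'` for `'INSERT'`, `'UPDATE'` or `'REFERENCES'` gives the same report for the other column-level privileges.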