Re: Why is_admin_of_role() use ROLERECURSE_MEMBERS rather than ROLERECURSE_PRIVS?

> On Nov 18, 2025, at 16:41, cca5507 <cca5507(at)qq(dot)com> wrote:
>
> Hi,
>
> When reading the code, I find is_admin_of_role() use ROLERECURSE_MEMBERS while select_best_admin() use ROLERECURSE_PRIVS.
>
> Why they are dismatch?
>
> The following case will have is_admin_of_role() return true and select_best_admin() return InvalidOid:
>
> create user u1;
> create user u2;
> create user u3;
> create user u4;
> grant u2 to u1 with admin true ;
> grant u3 to u2 with admin true ;
> revoke inherit option for u2 from u1 ;
> set session authorization u1;
> grant u3 to u4;
>
> The "grant u3 to u4;" will report error "no possible grantors" rather than "permission denied to grant role".
>
> Is this the expected behavior?
>

Let’s do a simpler test:
```
create user u1;
create user u2;
create user u3;
set session authorization u1;
grant u2 to u3;
```

In this test, u1 doesn’t administer u2, so when u1 runs “grant u2 to u3”, the error is “permission denied to grant role u2”.

Then back to ChangAo’s test, after revoking u2 from u1, u1 no longer can administer u3, so that when u1 runs “grant u2 to u3”, the error should also be “permission denied”. From this perspective, the current error “no possible grantors” is unexpected.

Reviewing v2, overall LGTM, my only nitpick is:
```
+-- ok, now regress_role_admin is admin of regress_plainrole
```

In this test comment, “now” is not needed. I think “now” is just from this patch’s perspective, but in the scope of the test script, this test case is just one test step. None of other comments in the same file have wordings of “now”, “then” or so.

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/