On Sat, Nov 19, 2022 at 12:41 AM Tom Lane <t...@sss.pgh.pa.us> wrote: > ... BTW, re-reading the commit message for a0ffa885e: > > One caveat is that PGC_USERSET GUCs are unaffected by the SET privilege > --- one could wish that those were handled by a revocable grant to > PUBLIC, but they are not, because we couldn't make it robust enough > for GUCs defined by extensions. > > it suddenly struck me to wonder if the later 13d838815 changed the > situation enough to allow revisiting that problem, and/or if storing > the source role's OID in pg_db_role_setting would help. > > I don't immediately recall all the problems that led us to leave USERSET > GUCs out of the feature, so maybe this is nuts; but maybe it isn't. > It'd be worth considering if we're trying to improve matters here.
I think if we implement the user-visible USERSET flag for ALTER ROLE, then we might just check permissions for such parameters from the target role. ------ Regards, Alexander Korotkov