On Sat, Oct 28, 2023 at 11:01:59AM +0200, Michael Banck wrote:
> On Fri, Oct 27, 2023 at 05:49:42PM +0200, Laurenz Albe wrote:
> > True. I have done that in the attached patch.
> > In this patch, it is mentioned *twice* that ALTER DEFAULT PRIVILEGES
> > only affects objects created by the current user. I thought that
> > would not harm, but if it is too redundant, I can remove the second
> > mention.
>
> I think it is fine, and I have marked the patch as ready-for-committer.
>
> I think it should be applied to all branches, not just 14/15 as
> mentioned in the subject.

I have developed the attached patch on top of the alter default patch I
just applied. It is more radical, making FOR ROLE clearer, and also
moving my new FOR ROLE text up to the first paragraph, and reordering
the paragraphs to be clearer.

I think this is too radical for backpatch to 11/12, but I think
16/master makes sense after the minor releases next week.

--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index 8a6006188d..43fd2c3888 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -90,23 +90,14 @@ REVOKE [ GRANT OPTION FOR ]
<para>
<command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
that will be applied to objects created in the future. (It does not
- affect privileges assigned to already-existing objects.) Currently,
- only the privileges for schemas, tables (including views and foreign
- tables), sequences, functions, and types (including domains) can be
- altered. For this command, functions include aggregates and procedures.
- The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
- equivalent in this command. (<literal>ROUTINES</literal> is preferred
- going forward as the standard term for functions and procedures taken
- together. In earlier PostgreSQL releases, only the
- word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
- default privileges for functions and procedures separately.)
- </para>
-
- <para>
- You can change default privileges only for objects that will be created by
- yourself or by roles that you are a member of. The privileges can be set
- globally (i.e., for all objects created in the current database),
- or just for objects created in specified schemas.
+ affect privileges assigned to already-existing objects.)
+ As a non-superuser, you can change default privileges only for yourself
+ and for roles that you are a member of. These privileges are not
+ inherited, so member roles must use <command>SET ROLE</command> to
+ access these privileges, or <command>ALTER DEFAULT PRIVILEGES</command>
+ must be run for each member role. Privileges can be set globally
+ (i.e., for all objects created in the current database), or just for
+ objects created in specified schemas.
</para>
<para>
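Review bot: In the added sentence "you can change default privileges only for yourself and for roles that you are a member of", the phrase "objects that will be created by" from the removed paragraph is gone, so the text no longer says that default privileges apply to objects a role creates, which is the point the thread asked to make explicit. Consider keeping "only for objects that will be created by yourself or by roles that you are a member of". The next sentence opens with "These privileges are not inherited", which directly after a sentence about who may change defaults can be read as referring to that right; the removed target_role wording "Default access privileges are not inherited" is unambiguous and could be reused here.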
@@ -118,6 +109,19 @@ REVOKE [ GRANT OPTION FOR ]
<command>ALTER DEFAULT PRIVILEGES</command>.
</para>
+ <para>
+ Currently,
+ only the privileges for schemas, tables (including views and foreign
+ tables), sequences, functions, and types (including domains) can be
+ altered. For this command, functions include aggregates and procedures.
+ The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
+ equivalent in this command. (<literal>ROUTINES</literal> is preferred
+ going forward as the standard term for functions and procedures taken
+ together. In earlier PostgreSQL releases, only the
+ word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
+ default privileges for functions and procedures separately.)
+ </para>
+
<para>
Default privileges that are specified per-schema are added to whatever
the global default privileges are for the particular object type.
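Review bot: Style point on the relocated paragraph: "Currently," is left alone on its first line because the old text was pasted in with its original wrapping. Rewrapping the paragraph would avoid the short line. The wording itself matches the lines removed in the first hunk, so a sentence in the commit message saying the paragraph is moved unchanged would help anyone comparing the two hunks.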
@@ -136,12 +140,9 @@ REVOKE [ GRANT OPTION FOR ]
<term><replaceable>target_role</replaceable></term>
<listitem>
<para>
- The name of an existing role of which the current role is a member.
- Default access privileges are not inherited, so member roles
- must use <command>SET ROLE</command> to access these privileges,
- or <command>ALTER DEFAULT PRIVILEGES</command> must be run for
- each member role. If <literal>FOR ROLE</literal> is omitted,
- the current role is assumed.
+ If <literal>FOR ROLE</literal> is specified, this is the role that
+ will be assigned the new default privileges, or the current role
+ if not specified.
</para>
</listitem>
</varlistentry>
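Review bot: The new target_role description "this is the role that will be assigned the new default privileges" can be read as the role being granted the privileges, when the role named in FOR ROLE is the one whose future objects get the defaults. The trailing "or the current role if not specified" also attaches awkwardly to "If FOR ROLE is specified". The replacement drops the removed requirement "an existing role of which the current role is a member" as well. Suggest something like "The name of an existing role whose future objects will receive the new default privileges. If FOR ROLE is omitted, the current role is assumed.", and either keep the membership requirement here or rely explicitly on the first paragraph for it.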