Petr Jelinek <pjmo...@pjmodos.net> writes:
> [ latest default-ACLs patch ]

Applied with a fair amount of editorial polishing. Notably I changed the permissions requirements a bit:

* for IN SCHEMA, the *target* role has to have CREATE permission on the target schema. Without this, the command is a bit pointless since the permissions can never be used. The original coding checked whether the *calling* role had USAGE, which seems rather irrelevant.

* I simplified the target-role permission test to is_member_of. The original check for ADMIN seemed pointlessly strong, because if you're a member of the role you can just become the role and set owned objects' permissions however you like. I didn't see the point of the CREATEROLE exemption either, and am generally suspicious of anything that would let people change permissions on stuff they didn't own.

One thing that seems like it's likely to be an annoyance in practice is the need to explicitly do DROP OWNED BY to get rid of pg_default_acl entries for a role to be dropped. But I can't see any very good way around that, since the entries might be in some other database.

One thing that might at least reduce the number of keystrokes is to have REASSIGN OWNED act as DROP OWNED BY for default ACLs. I can't convince myself whether that's a good idea though, so I left it as-is for the moment.

regards, tom lane
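
Added example, not part of the original message or of the PostgreSQL sources: a session that sets a per-schema default ACL under the rules described above, audits `pg_default_acl`, and then clears the entries so the role can be dropped. The role and schema names (`app_owner`, `app_reader`, `app`) are hypothetical, and the session is assumed to run as a superuser or as a member of `app_owner`.

```sql
-- Constructed setup; all role and schema names are hypothetical.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_reader NOLOGIN;
CREATE SCHEMA app;

-- The message requires the *target* role to hold CREATE on the schema,
-- otherwise it could never create objects the defaults would apply to.
GRANT CREATE, USAGE ON SCHEMA app TO app_owner;

-- The caller must pass the membership test for app_owner
-- (the is_member_of check described in the message).
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO app_reader;

-- Audit: default ACL entries recorded in the *current* database.
-- defaclnamespace is 0 for entries not tied to a schema, hence LEFT JOIN.
SELECT pg_get_userbyid(d.defaclrole) AS target_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS object_type,
       d.defaclacl                   AS default_acl
FROM pg_default_acl AS d
LEFT JOIN pg_namespace AS n ON n.oid = d.defaclnamespace
ORDER BY target_role, schema_name, object_type;

-- While the entry above exists, DROP ROLE app_owner fails with a
-- dependency error. pg_default_acl is a per-database catalog, so the
-- cleanup has to be repeated in every database that holds entries
-- for the role.
DROP OWNED BY app_owner;   -- removes the default ACL entries and grants
DROP ROLE app_owner;

-- Tidy up the remaining constructed objects.
DROP SCHEMA app;
DROP ROLE app_reader;
```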