On Mon, Apr 29, 2013 at 01:25:47PM -0400, Tom Lane wrote:
> Josh Berkus <j...@agliodbs.com> writes:
> > On 04/29/2013 09:59 AM, Tom Lane wrote:
> >> As I pointed out to you last night, it does already say that.
> >> I think the problem here is that we're just throwing a generic
> >> permissions failure rather than identifying the particular permission
> >> needed.
>
> > Yeah, a better error message would help a lot. My first thought was
> > "WTF? I'm the superuser, whaddya mean, 'permission denied'"?
>
> Right. I wonder if there's any good reason why we shouldn't extend
> aclerror() to, in all cases, add a DETAIL line along the lines of
>
>     ERROR: permission denied for schema web
>     DETAIL: This operation requires role X to have privilege Y.
>
> Is there any scenario where this'd be exposing too much info?
Can't think of one. Seems safe and helpful.

The particular restriction at hand, namely that a role have CREATE rights on a
schema before assigning role-specific default privileges, seems like needless
paternalism. It would be akin to forbidding ALTER ROLE ... PASSWORD on a
NOLOGIN role. I'd support removing it when such a proposal arrives. If
anything, require that the user executing the ALTER DEFAULT PRIVILEGES, not the
subject of the command, has CREATE rights on the schema.

-- 
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com
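The restriction discussed in this thread, reproduced as an added example that is not part of any message above. The names `app_owner`, `web_reader` and the table-level grant are constructed for illustration; the schema name `web` and the error text come from the quoted message, and the behaviour assumed is the one the thread describes (the CREATE check is applied to the role named in FOR ROLE, not to the session user).

```sql
-- Constructed setup: run the whole script as a superuser.
CREATE ROLE app_owner  NOLOGIN;   -- subject of ALTER DEFAULT PRIVILEGES
CREATE ROLE web_reader NOLOGIN;   -- grantee of the default privileges
CREATE SCHEMA web;                -- owned by the superuser

-- The privilege check is made against app_owner, so being superuser in
-- this session does not help. Per the thread this raises the generic
--   ERROR:  permission denied for schema web
-- with no indication of which role lacks which privilege.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA web
    GRANT SELECT ON TABLES TO web_reader;

-- Diagnose by hand what the proposed DETAIL line would report:
-- does the subject role hold CREATE on the schema?
SELECT has_schema_privilege('app_owner', 'web', 'CREATE') AS subject_has_create;

-- Satisfy the check by granting CREATE to the subject role, then retry.
GRANT CREATE ON SCHEMA web TO app_owner;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA web
    GRANT SELECT ON TABLES TO web_reader;

-- Review the stored default ACL entry. Note that app_owner now also holds
-- CREATE on the schema, a wider grant than the default-privilege setup
-- itself needed, so audit it separately.
SELECT pg_get_userbyid(defaclrole) AS subject_role,
       defaclnamespace::regnamespace AS in_schema,
       defaclobjtype,
       defaclacl
FROM pg_default_acl;
```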