* Bruno Wolff III ([EMAIL PROTECTED]) wrote: > On Tue, Jun 28, 2005 at 14:45:06 -0400, > Stephen Frost <[EMAIL PROTECTED]> wrote: > > > > If you are the owner of the object to be changed (following the normal > > owner checking rules) AND would still be considered the owner of the > > object *after* the change, then you can change the ownership. > > That still isn't a good idea, because the new owner may not have had > access to create the object you just gave to them. Or you may not have > had access to drop the object you just gave away. That is going to > be a security hole.
If you're considered the owner of an object then you have access to drop it already. You have to be a member of the role to which you're changing the ownership. That role not having permission to create the object in place is an interesting question. That's an issue for SET ROLE too, to some extent I think, do you still have your role's permissions after you've SET ROLE to another role? If not then you'd have to grant CREATE on the schema to the role in order to create objects owned by that role, and I don't think that's necessairly something you'd want to do. Thanks, Stephen
signature.asc
Description: Digital signature