* Stephen Frost ([EMAIL PROTECTED]) wrote: > Doing this doesn't seem entirely unreasonable but we don't currently > have a way of handling 'SET ROLE none;'. We'd need to make some changes > but I think we could handle it, and correctly handle a specific > 'SET ROLE <role>', which under Oracle does appear to drop any other > roles you currently have.
Thinking about this a bit more.. Basically what we have is: An implicit 'SET ROLE all;' on session connect, like Oracle does. Support from the patch for an explicit 'SET ROLE <role>;', which drops privileges for all other roles except the role set. The only change to correctly support that would be to add 'CURRENT_USER' back into the resulting set of 'enabled_roles' (but not doing so recursively or we're back to 'SET ROLE all;'). You don't appear to be able to drop rights which you have via CURRENT_USER. To support having certain roles turned on and certain roles turned off would be some additional effort. I think we'd need a list of 'ENABLED_ROLES' and then correct recursion based off of that list instead of just starting from a single point like we do now. Thanks, Stephen
signature.asc
Description: Digital signature