* Tom Lane ([EMAIL PROTECTED]) wrote: > Stephen Frost <[EMAIL PROTECTED]> writes: > > Attached please find a patch to change how the permissions checking > > for alter-owner is done. With roles there can be more than one > > 'owner' of an object and therefore it becomes sensible to allow > > specific cases of ownership change for non-superusers. > > Applied with minor revisions. The patch as submitted suffered a certain > amount of copy-and-paste-itis (eg, trying to use pg_type_ownercheck on > an opclass), and I really disliked using ACLCHECK_NOT_OWNER as the way > to report "you can't assign ownership to that role because you are not > a member of it". So I made a separate error message for that case.
Advertising
Great, thanks! Sorry about the copy-and-paste-itis... Must have been a
case I wasn't sure about. The different error message makes perfect
sense. I see you also did the superuser-in-every-role change that I had
included, thanks.
When writing this patch it occurred to me that we nuke our
member-of-role cache for one-off lookups on occation. I don't
particularly like that, especially when we *know* it's a one-off lookup,
so I was considering adding a function for the one-off lookup case but
I couldn't come up with a way to avoid a fair bit of mostly-the-same
code as the current cache-regen code, without making the cache-regen
code alot slower which would negate the point.
Just some thoughts.
Thanks again,
Stephen
signature.asc
Description: Digital signature
