Re: SET ROLE documentation not entirely correct

From Joe Conway
Subject Re: SET ROLE documentation not entirely correct
Msg-id 03796ce5-8366-cd32-0436-9981ffbeb993@joeconway.com
In reply to SET ROLE documentation not entirely correct (PG Doc comments form <noreply@postgresql.org>)
Responses RE: SET ROLE documentation not entirely correct (Steven Winfield <Steven.Winfield@cantabcapital.com>)
List pgsql-docs
On 4/23/19 11:52 AM, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/11/sql-set-role.html
> Description:
>
> In the course of trying to sanitise our roles and permissions I found the
> notes in the SET ROLE docs a little misleading:
>
> "If the session user role has the INHERITS attribute, then it automatically
> has all the privileges of every role that it could SET ROLE to; in this case
> SET ROLE effectively drops all the privileges assigned directly to the
> session user and to the other roles it is a member of, leaving only the
> privileges available to the named role."

> This doesn't seem to be true. Consider the following:

Additionally s/INHERITS/INHERIT/

And similarly this sentence is wrong or at least not completely clear:
8<-----------
The specified role_name must be a role that the current session user is
a member of.
8<-----------

The wording should be something like

8<-----------
The specified role_name must be a role that the current session user is
a member of directly or indirectly.
8<-----------

I believe the paragraph you cite should be reworded, but I am at a loss
as to how best to describe the actual situation clearly. Maybe something
like:

8<-----------
If the session user role has the INHERIT attribute, then it
automatically has all the privileges of every role that it is a member
of directly, and any that it is a member of indirectly which is not
blocked by a NOINHERIT attribute of another reachable role; in this case
SET ROLE effectively drops all the privileges assigned directly to the
session user and to the other roles it is a member of, leaving only the
privileges available to the named role.
8<-----------

Thoughts?

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
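
An added example, not part of the message above or of the PostgreSQL documentation, of the situation the proposed wording describes: a NOINHERIT role in the middle of a membership chain leaves SET ROLE available to the session user while stopping automatic privilege inheritance. The role and table names are constructed, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed roles and table; names are illustrative, not from the thread.
-- Assumes a superuser session in a scratch database.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE middle    NOLOGIN NOINHERIT;  -- the blocking role in the chain
CREATE ROLE alice     LOGIN INHERIT;      -- the session user under test

GRANT app_owner TO middle;  -- middle is a direct member of app_owner
GRANT middle    TO alice;   -- alice is a direct member of middle,
                            -- and an indirect member of app_owner

CREATE TABLE role_demo (id int);
GRANT SELECT ON role_demo TO app_owner;

SET SESSION AUTHORIZATION alice;

-- Membership, which is what SET ROLE checks, follows every edge,
-- direct or indirect, regardless of INHERIT settings.
SELECT pg_has_role('app_owner', 'MEMBER') AS can_set_role;

-- Privilege inheritance is a separate check: it stops at middle
-- because middle is NOINHERIT, so app_owner's grant is not picked up.
SELECT pg_has_role('app_owner', 'USAGE')          AS inherits_privs,
       has_table_privilege('role_demo', 'SELECT') AS can_select_before;

-- After SET ROLE the checks run against app_owner itself.
SET ROLE app_owner;
SELECT current_user,
       has_table_privilege('role_demo', 'SELECT') AS can_select_after;

RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Clean up the constructed objects.
DROP TABLE role_demo;
DROP ROLE alice, middle, app_owner;
```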

