On Mon, 2006-03-13 at 12:51 +0300, Eugene E. wrote:
> Hi all
> the serious problem with permissions is encountered
>
> NOTE: the following example is really useful but there is no room to
> describe it's use.
>
>
> db=# CREATE USER u;
> db=# CREATE TABLE t (i int, a text);
> db=# REVOKE all ON t FROM u;
> db=# GRANT update,insert,delete ON t TO u;
> db=# \c - u
>
> db=> INSERT INTO t VALUES (1,'x');
> INSERT
> db=> UPDATE t SET a='y' WHERE i=1;
> ERROR: Permission denied for relation t;
> db=> UPDATE t SET a='y';
> UPDATE
>
> 1) The user "u" is permitted but unable to perfom the operation !
> 2) A user is able to update WHOLE table but unable to update ANY part of
> it !
>
Good chance this was on purpose.
BEGIN; UPDATE compensation SET salary = salary WHERE name = 'Tom' and salary BETWEEN 50000 and
60000; -- No rows updated -- that's not Toms salary rollback; BEGIN; UPDATE compensation
SETsalary = salary WHERE name = 'Tom' and salary BETWEEN 60000 and 70000; -- One row updated so I found the
range,I need a raise! rollback;
By allowing the user a where clause you grant them select privileges.
You will find that delete works the same way.
This is one of those times when per column permissions are useful. You
could grant them select access on the "name" column but not the "salary"
column.
--