... BTW, I think this patch is not correct yet. What I read in
catalogs.sgml is
... If a global entry is present then
it <emphasis>overrides</emphasis> the normal hard-wired default privileges
for the object type. A per-schema entry, if present, represents privileges
to be <emphasis>added to</emphasis> the global or hard-wired default privileges.
I didn't check the code, but if that last bit is correct, then non-global
entries aren't necessarily relative to the acldefault privileges either.
I kind of wonder now whether the existing behavior is correct for either
case. Why aren't we simply regurgitating the pg_default_acl entries
verbatim? That is, I think maybe we don't need the acldefault call at
all; we should just use null/empty as the starting ACL in all cases
when printing pg_default_acl entries. Like this:
buildACLQueries(acl_subquery, racl_subquery, initacl_subquery,
initracl_subquery, "defaclacl", "defaclrole",
"pip.initprivs",
- "CASE WHEN defaclobjtype = 'S' THEN 's' ELSE defaclobjtype END::\"char\"",
+ "NULL",
dopt->binary_upgrade);
I didn't test that. I suspect it will cause some regression test
changes, but will they be wrong?
regards, tom lane