On Wed, Jul 12, 2006 at 06:09:31PM -0400, Bruce Momjian wrote:
> Phil Frost wrote:
> > On Wed, Jul 12, 2006 at 11:37:37AM -0400, Bruce Momjian wrote:
> > >
> > > Updated text:
> > >
> > > For schemas, allows access to objects contained in the specified
> > > schema (assuming that the objects' own privilege requirements are
> > > also met). Essentially this allows the grantee to <quote>look up</>
> > > objects within the schema. Without this permission, it is still
> > > possible to see the object names by querying the system tables, but
> > > they cannot be accessed via SQL.
> >
> > No, this still misses the point entirely. See all my examples in this
> > thread for ways I have accessed objects without usage to their schema
> > with SQL.
>
> OK, well we are not putting a huge paragraph in there. Please suggest
> updated text.

Well, if you won't explain the whole situation, nor change it, then all
you can really say is it doesn't really work always. How about this:

For schemas, allows access to objects contained in the specified
schema. Note that the converse is not true in many cases: revoking
usage on a schema is not sufficient to prevent access in all cases.
There is precedent for new ways to bypass this check being added in
future releases. It would be unwise to give this privilege much
security value.
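
Added example, not part of the original message or of the PostgreSQL documentation: an audit query for the situation the thread describes, listing objects that a role lacks schema USAGE for but still holds direct privileges on, so that only the schema-level check stands in the way. The role name `app_reader` is a hypothetical placeholder.

```sql
-- 'app_reader' is a hypothetical role name; substitute the role to audit.
-- Superusers pass every has_*_privilege() check, so audit ordinary roles.
--
-- Each row is an object in a schema where the role has no USAGE, yet the
-- object's own ACL (direct grant or grant to PUBLIC) would allow access.
-- Revoke the object-level privilege as well instead of relying on the
-- schema-level check alone.
SELECT n.nspname::text  AS schema_name,
       c.relname::text  AS object_name,
       'relation'       AS object_type
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v')                 -- ordinary tables and views
  AND n.nspname !~ '^pg_'                     -- skip system schemas
  AND n.nspname <> 'information_schema'
  AND NOT has_schema_privilege('app_reader', n.oid, 'USAGE')
  AND has_table_privilege('app_reader', c.oid,
                          'SELECT, INSERT, UPDATE, DELETE')

UNION ALL

SELECT n.nspname::text,
       p.oid::regprocedure::text,             -- name with argument types
       'function'
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND NOT has_schema_privilege('app_reader', n.oid, 'USAGE')
  -- EXECUTE is granted to PUBLIC by default, so expect functions here
  -- unless it has been revoked explicitly.
  AND has_function_privilege('app_reader', p.oid, 'EXECUTE')

ORDER BY 1, 3, 2;
```

An empty result means every object in the schemas closed to the role is also protected by its own ACL.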