Re: improving user.c error messages
От | Nathan Bossart |
---|---|
Тема | Re: improving user.c error messages |
Дата | |
Msg-id | 20230126195929.GB1702315@nathanxps13 обсуждение исходный текст |
Ответ на | Re: improving user.c error messages (Robert Haas <robertmhaas@gmail.com>) |
Ответы |
Re: improving user.c error messages
|
Список | pgsql-hackers |
On Thu, Jan 26, 2023 at 02:42:05PM -0500, Robert Haas wrote: > @@ -758,16 +776,13 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt) > { > /* things an unprivileged user certainly can't do */ > if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit || > - dvalidUntil || disreplication || dbypassRLS) > + dvalidUntil || disreplication || dbypassRLS || > + (dpassword && roleid != currentUserId)) > ereport(ERROR, > (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), > - errmsg("permission denied"))); > - > - /* an unprivileged user can change their own password */ > - if (dpassword && roleid != currentUserId) > - ereport(ERROR, > - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), > - errmsg("must have CREATEROLE privilege to change another user's password"))); > + errmsg("permission denied to alter role"), > + errdetail("You must have %s privilege and %s on role \"%s\".", > + "CREATEROLE", "ADMIN OPTION", rolename))); > } > else if (!superuser()) > { > > Basically my question is whether having one error message for all of > those cases is good enough, or whether we should be trying harder. I > don't mind if the conclusion is that it's OK as-is, and I'm not > entirely sure what would be better. But when I was working on this > code, all of those cases OR'd together feeding into a single error > message seemed a little sketchy to me, so I am wondering what others > think. I wondered the same thing, but I hesitated because I didn't want to change too much in a patch for error messaging. I can give it a try. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
В списке pgsql-hackers по дате отправления: