Bruce Momjian <bruce@momjian.us> writes:
> On Fri, Oct 30, 2020 at 02:03:48PM -0400, John Naylor wrote:
>> + In the SQL standard, <command>REVOKE</command> only revokes the privilege
>> + as granted by the invoking role. In <productname>PostgreSQL</productname>,
>> + this will also revoke privileges granted by other roles.
> John, should this 2020 patch still be applied?
[ raised eyebrow... ] I do not think that was ever true as written,
and it's demonstrably not true now.
regression=# create user alice;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# create table subject (id int);
CREATE TABLE
regression=# grant select on table subject to alice with grant option;
GRANT
regression=# grant select on table subject to bob with grant option;
GRANT
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> grant select on table subject to public;
GRANT
regression=> \c - bob
You are now connected to database "regression" as user "bob".
regression=> grant select on table subject to public;
GRANT
regression=> \dp subject
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------+-------+---------------------------+-------------------+----------
public | subject | table | postgres=arwdDxt/postgres+| |
| | | alice=r*/postgres +| |
| | | bob=r*/postgres +| |
| | | =r/alice +| |
| | | =r/bob | |
(1 row)
regression=> revoke select on table subject from public;
REVOKE
regression=> \dp subject
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------+-------+---------------------------+-------------------+----------
public | subject | table | postgres=arwdDxt/postgres+| |
| | | alice=r*/postgres +| |
| | | bob=r*/postgres +| |
| | | =r/alice | |
(1 row)
Maybe there's some related point that needs to be made,
but not that one.
regards, tom lane