> Right. I wonder if there's any good reason why we shouldn't extend
> aclerror() to, in all cases, add a DETAIL line along the lines of
>
> ERROR: permission denied for schema web
> DETAIL: This operation requires role X to have privilege Y.
>
> Is there any scenario where this'd be exposing too much info?
Not that I can think of. The fact that role X doesn't have create on
schema Y isn't exactly privileged info. Further, to make any use of
that information, you'd have to be able to SET ROLE X, in which case you
can just test for yourself if X has CREATE permission.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com