... btw, what is the reasoning behind the special cases for SELECT FOR
UPDATE in execMain.c?

    /* Check if this is SELECT-FOR-UPDATE and handle
     * accordingly. */
    if(remainingPerms & ACL_UPDATE &&
       pg_attribute_aclcheck_all(relOid, userid, ACL_UPDATE,
                                 ACLMASK_ALL) != ACLCHECK_OK)
        aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_CLASS,
                       get_rel_name(relOid));

If there actually is a need to treat SELECT FOR UPDATE specially, then
this code is quite wrong because it will also fire on a plain UPDATE
(assuming the UPDATE reads any existing column values, which it usually
would). Offhand though I don't see why we can't just use code that is
symmetric with the SELECT case: if requiredPerms includes UPDATE but
there are no columns called out for UPDATE, then allow it if we have
UPDATE on any column.

regards, tom lane
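
The difference between the quoted check and the symmetric rule proposed above, as an added example that is not part of the original message and not PostgreSQL source. It is a simplified model: the struct, the function names and the bitmap representation are hypothetical, and it assumes ACLMASK_ALL means the privilege must be held on every column and that called-out columns are checked one by one.

```c
#include <stdbool.h>

/* Simplified model, not PostgreSQL source. Column sets are bitmaps
 * (bit i = column i); every name here is hypothetical. */
typedef struct {
    bool     table_update;  /* UPDATE granted on the whole table */
    unsigned col_update;    /* columns with a column-level UPDATE grant */
    unsigned all_cols;      /* every column of the table */
} Grants;

/* The check as quoted: once table-level UPDATE is missing, demand UPDATE
 * on every column, whatever the statement actually modifies. */
static bool quoted_check(const Grants *g, unsigned modified_cols)
{
    (void) modified_cols;   /* never consulted, which is the problem */
    if (g->table_update)
        return true;
    return (g->col_update & g->all_cols) == g->all_cols;
}

/* The symmetric rule from the message: with no columns called out
 * (SELECT FOR UPDATE), UPDATE on any column is enough. Checking each
 * called-out column otherwise is an assumption of this sketch. */
static bool symmetric_check(const Grants *g, unsigned modified_cols)
{
    if (g->table_update)
        return true;
    if (modified_cols == 0)
        return (g->col_update & g->all_cols) != 0;
    return (modified_cols & ~g->col_update) == 0;
}

int main(void)
{
    /* Constructed case: three columns, UPDATE granted on column 0 only. */
    Grants g = { false, 0x1u, 0x7u };
    /* Plain UPDATE of column 0 is refused by the quoted check (wrongly)
     * and allowed by the symmetric one; exit status 0 confirms both. */
    return (!quoted_check(&g, 0x1u) && symmetric_check(&g, 0x1u)) ? 0 : 1;
}
```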