Dear Tom,
> [...]
> Even more interesting, the superuser can't fix it either,
Due to how ACL are defined in SQL, I restate my suggestion that the super
user should be able to change ANY right, including the GRANTOR field, with
an appropriate syntax, something like:
REVOKE ALL ON TABLE foo FROM GRANTOR [USER] alice;
The super user must really be a *super* user.
> ISTM that reasonable behavior for ALTER OWNER would include doing
> surgery on the object's ACL to replace references to the old owner by
> references to the new owner. [...]
I'm about so submit a fix for "create database" so that ownership and acl
would be fixed wrt to the owner of the database. This patch will include a
function to switch grantor rights that might be of interest for the above
purpose, as it may save you little time. I'll try to send the patch
submission this week-end.
> I think there are corner cases where the merging might produce
> unintuitive results, but it couldn't be as spectacularly bad as
> doing nothing is.
I agree that these is work to do in the ACL area...
As an additionnal suggestion, I noticed in my tests that nothing is really
tested in the regression tests. It would be useful to have tests cases of
acl with accesses allowed or forbidden, maybe with a systematic and
exhaustive approach... It takes time to do that, but I think it would be
useful so as to measure what is needed.
Have a nice day,
--
Fabien Coelho - coelho@cri.ensmp.fr