Re: Re: Re: Revoke Connect Privilege from Database not working
Вложения
В списке pgsql-bugs по дате отправления:
| От | Nathan Bossart |
|---|---|
| Тема | Re: Re: Re: Revoke Connect Privilege from Database not working |
| Дата | |
| Msg-id | aRYLkTpazxKhnS_w@nathan обсуждение исходный текст |
| Ответ на | Re: Re: Re: Revoke Connect Privilege from Database not working ("David G. Johnston" <david.g.johnston@gmail.com>) |
| Ответы |
Re: Revoke Connect Privilege from Database not working
|
| Список | pgsql-bugs |
On Mon, Apr 07, 2025 at 09:22:45AM -0700, David G. Johnston wrote: > On Mon, Apr 7, 2025 at 9:06 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I believe what's going on there is explained by the rule that >> "grants and revokes done by a superuser are done as if issued >> by the object owner". So here, what would be revoked is >> test_user=c/postgres, which isn't the privilege at issue. >> Include GRANTED BY in the REVOKE to override the default >> choice of grantor. > > The command in question did include "granted by" which is why this is a > bug. The explicit granted by specification is being ignored if the > invoking user is a superuser. This is admittedly a half-formed idea, but perhaps we could have whatever's specified in GRANTED BY override select_best_grantor(), like in the attached patch. I've no idea if this is the intention of the standard, but it should at least address the reported issue. FWIW I recently received an independent report about the same thing. -- nathan
В списке pgsql-bugs по дате отправления:
Сайт использует файлы cookie для корректной работы и повышения удобства. Нажимая кнопку «Принять» или продолжая пользоваться сайтом, вы соглашаетесь на их использование в соответствии с Политикой в отношении обработки cookie ООО «ППГ», в том числе на передачу данных из файлов cookie сторонним статистическим и рекламным службам. Вы можете управлять настройками cookie через параметры вашего браузера