Hi,
while writing the chapter about Rules and permissions I
remember that there was a problem with non-privileged users.
As soon as someone without superuser privs does a GRANT or
REVOKE on his relations, he must GRANT explicitly to himself
too or will get a "permission denied". I think since the
table owner always has the right to change ACLs, this
doesn't make sense. I'll dig it up and send in a patch soon.
While doing this, should I exclude RULE permission from GRANT
ALL? I think it's dangerous to have it included, because the
usual way to give full access is a GRANT ALL and someone
might forget that this includes the right to disable rule
actions for a moment. The output of pg_rules gives anyone the
knowledge to reinstall the correct rules after. An explicitly
required GRANT RULE is better IMHO. And the RULE right isn't
standard, is it?
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#======================================== jwieck@debis.com (Jan Wieck) #