Re: patch for type privileges

On sön, 2011-12-11 at 21:21 +0200, Peter Eisentraut wrote:
> > * Cannot restrict access to array types. After revoking usage from the
> > element type, the error is perhaps a bit misleading. (smallint[] vs
> > smallint)
> >
> > postgres=> create table a (a int2[]);
> > ERROR:  permission denied for type smallint[]
>
> OK, that error message should be improved.

Fixing this is easy, but I'd like to look into refactoring this a bit.
Let's ignore that for now; it's easy to do later.

>
> > * The patch adds the following text explaining the USAGE privilege on types.
> >
> >    For types and domains, this privilege allow the use of the type or
> >    domain in the definition of tables, functions, and other schema objects.
> >
> > Since other paragraphs in USAGE use the word 'creation' instead of
> > 'definition', I believe here the word 'creation' should be used too.

Fix for that included.

> > * The information schema view 'attributes' has this additional condition:
> >            AND (pg_has_role(t.typowner, 'USAGE')
> >                 OR has_type_privilege(t.oid, 'USAGE'));
> >
> > What happens is that attributes in a composite type are shown, or not,
> > if the current user has USAGE rights. The strange thing here, is that
> > the attribute in the type being show or not, doesn't match being able to
> > use it (in the creation of e.g. a table).
>
> Yeah, that's a bug.  That should be something like
>
> AND (pg_has_role(c.relowner, 'USAGE')
>      OR has_type_privilege(c.reltype, 'USAGE'));

And fix for that included.

New patch attached.