Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken
From | Tom Lane |
---|---|
Subject | Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken |
Date | |
Msg-id | 15314.1367278810@sss.pgh.pa.us |
In response to | Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken (Noah Misch <noah@leadboat.com>) |
Responses | Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken |
List | pgsql-hackers |

Noah Misch <noah@leadboat.com> writes:
> The particular restriction at hand, namely that a role have CREATE rights on a
> schema before assigning role-specific default privileges, seems like needless
> paternalism. It would be akin to forbidding ALTER ROLE ... PASSWORD on a
> NOLOGIN role. I'd support removing it when such a proposal arrives.

Hm. I defended that restriction earlier, but it now occurs to me to wonder if it doesn't create a dump/reload sequencing hazard. I don't recall that pg_dump is aware of any particular constraints on the order in which it dumps privilege-grant commands. If it gets this right, that's mostly luck, I suspect.

> If
> anything, require that the user executing the ALTER DEFAULT PRIVILEGES, not
> the subject of the command, has CREATE rights on the schema.

That would be just as dangerous from this angle.

regards, tom lane