Re: has_privs_of_role vs. is_member_of_role, redux
From | Tom Lane |
---|---|
Subject | Re: has_privs_of_role vs. is_member_of_role, redux |
Date | |
Msg-id | 1567812.1661460067@sss.pgh.pa.us |
In response to | Re: has_privs_of_role vs. is_member_of_role, redux (Robert Haas <robertmhaas@gmail.com>) |
Responses | Re: has_privs_of_role vs. is_member_of_role, redux |
List | pgsql-hackers |
Robert Haas <robertmhaas@gmail.com> writes:
> I really hate back-patching this kind of change but it's possible that
> it's the right thing to do. There's no real security exposure because
> the member could always SET ROLE and then do the exact same thing, so
> back-patching feels to me like it has a significantly higher chance of
> turning happy users into unhappy ones than the reverse. On the other
> hand, it's pretty hard to defend the current behavior once you stop to
> think about it, so perhaps it should be back-patched on those grounds.
> On the third hand, the fact that this has gone undiscovered for a
> decade makes you wonder whether we've really had clear enough ideas
> about this to justify calling it a bug rather than, say, an elevation
> of our thinking on this topic.

Yeah, I'd lean against back-patching. This is the sort of behavioral
change that users tend not to like finding in minor releases.

regards, tom lane