Re: [HACKERS] Table permissions problem

> > Would that solve the problem?  Maybe not because you would have to rip
> > apart the plan, wouldn't you?
> >
> > --
> > Bruce Momjian                          |  830 Blythe Avenue
>
>     I  checked  it.   It's all already there. The rewrite handler
>     checks for all the range table entries he adds to the  query,
>     if   the   rule   owner   has   the  appropriate  permissions
>     (read/write). And it sets the skipAcl field for  these  rte's
>     so the executor later will ignore them.
>
>     The  only  thing  missing is that CREATE VIEW and CREATE RULE
>     require write access to pg_rewrite (create view does a create
>     table  and create rule internally). But we cannot grant write
>     access on pg_rewrite to looser users. So  I  think  a  global
>     variable,  turning  off the whole ACL system temporary, would
>     do.

I understand.  We don't have APPEND rights separate from MODIFY rights.
Actually, I think they are defined in the system, but not used.  We have
a similar problem with pg_database.  People who can create databases can
remove other database entries from pg_database.

--
Bruce Momjian                          |  830 Blythe Avenue
maillist@candle.pha.pa.us              |  Drexel Hill, Pennsylvania 19026
  +  If your life is a hard drive,     |  (610) 353-9879(w)
  +  Christ can be your backup.        |  (610) 853-3000(h)