Re: User with BYPASSRLS privilege can't change password
From | Wolfgang Walther |
---|---|
Subject | Re: User with BYPASSRLS privilege can't change password |
Date | |
Msg-id | 3e771893-1ed1-97e7-6c4a-7b0d00992103@technowledgy.de |
In reply to | Re: User with BYPASSRLS privilege can't change password (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: User with BYPASSRLS privilege can't change password |
List | pgsql-bugs |

Tom Lane:
> It's a little more subtle than that, but not much. Commit 491c029db
> copied-and-pasted the logic used to deny non-superusers the privilege
> to change anything about a superuser role. That was certainly not the
> intention, because the error message was phrased differently from the
> superuser case, but that was the effect. I propose the attached.

Wouldn't the following change allow a non-superuser with createrole privilege to grant the replication privilege to a role that does not have that privilege, yet? This should still be forbidden, I think.

@@ -739,7 +741,6 @@ AlterRole(AlterRoleStmt *stmt) createrole < 0 && createdb < 0 && canlogin < 0 && - isreplication < 0 && !dconnlimit && !rolemembers && !validUntil &&

This is because the "must be superuser to alter replication users" condition only triggers when the altered role already has isreplication, so isreplication could very well be >= 0 here.

The other change looks good.

Best

Wolfgang
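
Review bot: dropping `isreplication < 0 &&` from this condition chain in AlterRole leaves nothing in the visible lines that covers a statement which sets isreplication (value >= 0), while createrole, createdb and canlogin keep their `< 0` terms. Either keep the term or pair its removal with an explicit check on the requested isreplication value, and add a regression test in which a non-superuser with CREATEROLE tries to set REPLICATION on a role that lacks it.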