Re: patch for type privileges

On 2011-12-12 20:53, Peter Eisentraut wrote:
> On sön, 2011-12-11 at 21:21 +0200, Peter Eisentraut wrote:
>>> * Cannot restrict access to array types. After revoking usage from the
>>> element type, the error is perhaps a bit misleading. (smallint[] vs
>>> smallint)
>>>
>>> postgres=>  create table a (a int2[]);
>>> ERROR:  permission denied for type smallint[]
>> OK, that error message should be improved.
> Fixing this is easy, but I'd like to look into refactoring this a bit.
> Let's ignore that for now; it's easy to do later.

My experience with ignoring things for now is not positive.
>>> * The information schema view 'attributes' has this additional condition:
>>>             AND (pg_has_role(t.typowner, 'USAGE')
>>>                  OR has_type_privilege(t.oid, 'USAGE'));
>>>
>>> What happens is that attributes in a composite type are shown, or not,
>>> if the current user has USAGE rights. The strange thing here, is that
>>> the attribute in the type being show or not, doesn't match being able to
>>> use it (in the creation of e.g. a table).
>> Yeah, that's a bug.  That should be something like
>>
>> AND (pg_has_role(c.relowner, 'USAGE')
>>       OR has_type_privilege(c.reltype, 'USAGE'));
> And fix for that included.

Confirmed that this now works as expected.

I have no remarks on the other parts of the patch code.

After puzzling a bit more with the udt and usage privileges views, it is 
clear that they should complement each other. That might be reflected by 
adding to the 'usage_privileges' section a link back to the 
'udt_privileges' section.

I have no further comments on this patch.

regards,
Yeb Havinga