Re: Must be owner to truncate?

Bruce Momjian schrob:

> Stephen Frost wrote:
> -- Start of PGP signed section.
>> * Jim C. Nasby (decibel@decibel.org) wrote:
>> > On Thu, Jul 07, 2005 at 01:48:59PM -0400, Tom Lane wrote:
>> > > I don't really agree with the viewpoint that truncate is just a quick
>> > > DELETE, and so I do not agree that DELETE permissions should be enough
>> > > to let you do a TRUNCATE.
>> > 
>> > What about adding a truncate permission? I would find it useful, as it
>> > seems would others.
>> 
>> That would be acceptable for me as well.  I'd prefer it just work off
>> delete, but as long as I can grant truncate to someone w/o giving them
>> ownership rights on the table I'd be happy.
>
> Added to TODO:
>
>     * Add TRUNCATE permission
>     
>       Currently only the owner can TRUNCATE a table because triggers are not
>       called, and the table is locked in exclusive mode.

Is anyone working on this yet? I looked at the code involved, and it
seems there are just a couple of lines needed, some regression test
and documentation updates, and most importantly, tab-completion
updates.

However, a question arose quickly: According to the standard, revoking
INSERT, UPDATE and DELETE after GRANT ALL PRIVILEGES would leave the
relation read-only, but with the TRUNCATE privilege lying around, this
would no longer be true for PostgreSQL. Would this open a security
hole or is it okay as far as extensions to the standard go?

regards,
Andreas
--