Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function

On Thu, Jul 31, 2025 at 4:11 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Dominique Devienne <ddevienne@gmail.com> writes:
> > On Thu, Jul 31, 2025 at 11:35 AM Guillaume Lelarge
> > <guillaume.lelarge@dalibo.com> wrote:
> >> It doesn't lie. The role has DELETE privilege. I guess what it lacks is
> >> the SELECT privilege. If you do a "DELETE FROM ... WHERE ...", you need
> >> the SELECT privilege to perform the WHERE. Without "WHERE ...", it would
> >> work without the SELECT privilege.
>
> > Right on the money! Merci Guillaume!!! --DD
>
> So the real problem here is that the "permission denied" error message
> doesn't tell you which permission you lack.  I think we've had prior
> discussions about improving that, but it never got done.

Indeed, a hint would have helped I'm sure.

But also, it's weird DELETE allows you to delete all rows.
Yet prevents you from deleting just one, i.e. a subset.
I get it, a WHERE needs to read, so needs SELECT.
Still, it obviously tripped me up here. And it's my bad.