Re: User with BYPASSRLS privilege can't change password
From | David G. Johnston |
---|---|
Subject | Re: User with BYPASSRLS privilege can't change password |
Date | |
Msg-id | CAKFQuwavcOMqc3GqiR9GtHRxVVtUC_9_Eo-mZpwBqPxDiShD5Q@mail.gmail.com |
In reply to | User with BYPASSRLS privilege can't change password (Wolfgang Walther <walther@technowledgy.de>) |
Replies | Re: User with BYPASSRLS privilege can't change password |
List | pgsql-bugs |
On Tue, Nov 3, 2020 at 11:06 AM Stephen Frost <sfrost@snowman.net> wrote:
> diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
> index 9ce9a66921..5cd479a649 100644
> --- a/src/backend/commands/user.c
> +++ b/src/backend/commands/user.c
> @@ -709,8 +709,10 @@ AlterRole(AlterRoleStmt *stmt)
> roleid = authform->oid;
>
> /*
> - * To mess with a superuser you gotta be superuser; else you need
> - * createrole, or just want to change your own password
> + * To mess with a superuser or replication role in any way you gotta be
> + * superuser. We also insist on superuser to change the BYPASSRLS
> + * property. Otherwise, if you don't have createrole, you're only allowed
> + * to change your own password.
> */
> if (authform->rolsuper || issuper >= 0)
> {
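Review bot: The rewritten comment's sentence "We also insist on superuser to change the BYPASSRLS property" is narrower than the test it documents. The `bypassrls >= 0` condition in the following hunk no longer consults `authform->rolbypassrls`, so it is triggered by the option being named in the statement at all, not by the value differing from what the role already has. Suggest wording it as "to specify the BYPASSRLS option" so the comment and the check agree.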
> @@ -726,7 +728,7 @@ AlterRole(AlterRoleStmt *stmt)
> (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
> errmsg("must be superuser to alter replication users")));
> }
> - else if (authform->rolbypassrls || bypassrls >= 0)
> + else if (bypassrls >= 0)
> {
> if (!superuser())
> ereport(ERROR,
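Review bot: Dropping `authform->rolbypassrls` from this condition leaves an asymmetry with the first branch, which still tests `authform->rolsuper`: a role that already has BYPASSRLS is no longer treated as superuser-only to alter, so by the updated comment a role with createrole may now alter it. If that is the intended outcome, the comment should state it explicitly rather than leave it implied, and a regression test covering both a BYPASSRLS role changing its own password and a non-superuser naming BYPASSRLS in ALTER ROLE would pin the behaviour down.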
This change looks correct, we shouldn't be worrying about what's already
been set on the role.
Is the nuance that in reality a non-superuser cannot specify BypassRLS even if the effective value is unchanged unimportant here?
David J.