On 10/21/21 09:53, Tom Lane wrote:
> Adrian Klaver <adrian.klaver@aklaver.com> writes:
> It's fairly obvious what's happening here: psql sends ALTER USER xxx
> PASSWORD ..., where it gets xxx from PQuser(), so that is the role name
> that was logged in with. There are any number of reasons why that might
> not be the currently active role.
>
> The psql man page says
>
> \password [ username ]
> Changes the password of the specified user (by default, the
> current user).
>
> So I'd say this is not doing what the documentation says.
Oops. That is where I got hung up.
>
> With server versions >= 9.5 we could dodge the issue by sending
> ALTER USER CURRENT_USER PASSWORD .... For older servers,
> I suppose we could do "SELECT CURRENT_USER" first.
>
> I'm not sure if we want to change a security-relevant behavior
> in released branches. But if we don't, we probably need to
> change the docs to something like "(by default, the logged-in
> user)".
I would suggest session(_)user to make it match with the rest of
documentation.
>
> regards, tom lane
>
--
Adrian Klaver
adrian.klaver@aklaver.com