Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function

On 7/30/25 04:37, Dominique Devienne wrote:
> Hi. PostgreSQL v17 here.
> 
> I'm stumped by something, and would like pointers to sort something out.
> Inside my function, I do:
> ------------
>      EXECUTE format('SET LOCAL ROLE %I', schema_owner);
>      raise notice 'CURRENT_USER = %, can DELETE = %', CURRENT_USER,
> has_table_privilege('SchemaMapping', 'DELETE');
> 
>      DELETE FROM SchemaMapping
>       WHERE "schema" = schema_name;
> -----------
> 
> PQ: NOTICE: CURRENT_USER = Joe, can DELETE = t
> 
> ERROR: permission denied for table schemamapping CONTEXT: SQL
> statement "DELETE FROM SchemaMapping WHERE "schema" = schema_name"
> PL/pgSQL function foo(text,text) line 28 at SQL statement
> 
> The raise notice output is correct, and as expected. The DELETE error isn't.
> How can has_table_privilege() return true, yet the DELETE fail? I don't get it.
> 
> My setup ensures that the role I SET LOCAL ROLE to, has (indirectly)
> been granted DMLs on that table.
> 
> I also double-checked outside the routine, directly in code, for that privilege:
> 
>      c.ctx().setRole(schema_owner);
>      auto rset = pq::exec(c, "select
> has_table_privilege('SchemaMapping', 'DELETE')");
>      bool has_delete_mapping = rset.scalar<bool>();
>      BOOST_CHECK(has_delete_mapping);
> 
> Are there special consideration I'm unaware of, regarding SET ROLE
> inside routines?
> 
> (beside the fact you can't SET ROLE in a SECURITY DEFINER routime! As
> I discovered recently...).
> 
> I'd really appreciate some help here, as I don't understand what's going on.

What is the ROLE that defined the function?

What does "My setup ensures that the role I SET LOCAL ROLE to, has 
(indirectly) been granted DMLs on that table." in terms of actual GRANTs?


> 
> Thanks, --DD
> 
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com