> On Thu, Mar 09, 2000 at 12:28:38PM -0500, Bruce Momjian wrote:
> > That is the issue? That UPDATE grants DELETE? I can UPDATE all fields
> > to NULL, and that is pretty much the same as DELETE. We can easily add
> > documentation on that "feature".
>
> Sure, do it, however you're still wrong.
>
> For the second time I receive a message from someone who thinks this.
> It's clearly false, and I'm surprised a major postgresql hacker
> does this mistake:
>
> suppose you want to grant delete but not update, and you're interested,
> for example in a "select count (*) from table" being accurate have the
> data been modified (with NULL) or not. Then in this case update and delete
> ARE NOT the same.
Yes, I realize they are not the same, but no one else shares your
concern that this is a serious security problem. Sorry.
--
Bruce Momjian | http://www.op.net/~candle
[EMAIL PROTECTED] | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
