On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
> Laurenz Albe <laurenz.a...@cybertec.at> writes:
> > I realized only today that if role A is a member of role B,
> > A can ALTER and DROP objects owned by B.
> > I don't have a problem with that, but the documentation seems to
> > suggest otherwise. For example, for DROP TABLE:
> > Only the table owner, the schema owner, and superuser can drop a table.
>
> Generally, if you are a member of a role, that means you are the role for
> privilege-test purposes. I'm not on board with adding "(or a member of
> that role)" to every place it could conceivably be added; I think that
> would be more annoying than helpful.
>
> It might be worth clarifying this point in section 5.7,
>
> https://www.postgresql.org/docs/devel/ddl-priv.html
>
> but let's not duplicate that in every ref/ page.
That's much better. I have attached a proposed patch.

Yours,
Laurenz Albe
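The behaviour discussed above, as an added illustration that is not part of the thread or of the patch: run as a superuser on a PostgreSQL instance, with made-up role and table names, it shows that a member of the owning role can ALTER and DROP the role's objects while a non-member cannot, and ends with a catalog query a reviewer can use to list who holds that power. It assumes the roles keep the default INHERIT attribute.

```sql
-- Added illustration (not from the thread): role membership confers the
-- owner's right to ALTER and DROP. Names are made up; run as a superuser.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- alice is a member of app_owner (default INHERIT applies); bob is not
GRANT app_owner TO alice;

-- an object owned by app_owner
SET ROLE app_owner;
CREATE TABLE products (id int PRIMARY KEY, name text);
RESET ROLE;

-- bob holds no ownership rights on the table: this statement fails with
-- "ERROR:  must be owner of table products"
SET ROLE bob;
ALTER TABLE products RENAME TO items;
RESET ROLE;

-- alice acts as the owner through membership: both statements succeed
SET ROLE alice;
ALTER TABLE products RENAME TO items;
DROP TABLE items;
RESET ROLE;

-- review check: which roles can exercise ownership over app_owner's objects?
SELECT r.rolname AS member, m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'app_owner';
```

Because ownership follows membership, the last query belongs in any privilege review: a GRANT of the owning role is as powerful as ownership itself.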
From badfe59750dec82dffe18a5a43fb16f72f283a7d Mon Sep 17 00:00:00 2001 From: Laurenz Albe <laurenz.a...@cybertec.at> Date: Fri, 15 Nov 2019 10:28:26 +0100 Subject: [PATCH] Document that the right to ALTER or DROP can be inherited Discussion: https://postgr.es/m/504497aca66bf34bdcdd90bd0bcebdc3a33f577b.ca...@cybertec.at --- doc/src/sgml/ddl.sgml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index d7158c1b03..51e1957f85 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -1579,7 +1579,8 @@ ALTER TABLE products RENAME TO items; <para> The right to modify or destroy an object is always the privilege of - the owner only. + the owner. Like all privileges, that right can be inherited by members of + the owning role. </para> <para> -- 2.21.0
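Review bot: the replacement sentence "Like all privileges, that right can be inherited by members of the owning role" states inheritance as unconditional without telling the reader where the rule comes from; since this hunk lands in the privileges section of ddl.sgml, consider adding an xref to the role-membership section so that "inherited" is read in terms of the membership semantics documented there (this is the point Tom made about a member being the role for privilege-test purposes). A wording such as "Like all privileges, that right can be exercised by members of the owning role (see the section on role membership)" would also avoid suggesting a separate inheritance mechanism for ownership.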