Alvaro Herrera <alvherre@xxxxxxxxxxxxxxxxx> writes: > donniehan wrote: >> I'm sorry to bother you. i really care about this behavior, but i couldn't find the discussions you mentioned in pgsql-hackers archives. >> Would you please tell me more about the discussions(about date? the related issue?), so that i can search it and find it more easily? > Maybe he's referring to this discussion: > http://archives.postgresql.org/message-id/1176775180.4152.97.camel%40dogma.v10.wvs No, it's a lot older than that. See http://archives.postgresql.org/pgsql-hackers/2003-10/msg01497.php http://archives.postgresql.org/pgsql-committers/2003-10/msg00305.php The original 7.4-devel behavior made it effectively impossible for a superuser to *revoke* privileges, which is certainly not acceptable in practice. Looking at the CVS history of aclchk.c, I notice that we later installed a similar provision with respect to roles: grants/revokes are done as the role that owns the object, not as the role member that is actually issuing the command. Otherwise other role members can't adjust the privileges. This comes down to the fact that privileges granted on the same object by two different roles are distinct, and you can only revoke the ones you granted. Which AFAICT is required behavior per SQL spec. regards, tom lane -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
