I got a broader view of the whole picture and obviously my proposal that the superuser automatically revokes the privileges granted by all others does not make sense. So let me state the solutions I propose to the problem I'm facing:

(1) In the documentation for REVOKE, after the paragraph that begins with "A user can only revoke privileges that were granted directly by that user." add another paragraph similar to this:

"The rule stated in the previous paragraph is also valid for the superuser. The superuser can however issue SET ROLE commands to revoke the privileges granted by the desired users."

(2) In the documentation for REVOKE, state clearly that REVOKE will fail silently if the user issuing the command is not the grantor. Do so preferably near the bit about the superuser above.

(3) When issuing the command REVOKE <PRIV> ON <OBJ> FROM <USER>, issue a NOTICE or WARNING message when, after executing it, the user <USER> still has privilege <PRIV> on object <OBJ>.

(4) Add a GRANTED BY <USER> extension to the REVOKE command which allows revoking permissions given by other users, where <USER> can be ALL. Obviously it would be subject to other checks which could make it fail.

Of course 2 and 3 are mutually exclusive. Solution 1+2 is the simplest, as it only involves documentation. Solution 1+3 would be enough to avoid most surprises. Solution 1+3+4 would be ideal.

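The situation the message describes can be reproduced in a scratch PostgreSQL database with the script below. It is an added example, not part of the original post: the roles `owner_r`, `middle_r`, `target_r` and the table `demo_t` are constructed for illustration, and the script assumes it is run by a superuser. It shows the REVOKE issued by the superuser, the check that proposal (3) would turn into a NOTICE, and the SET ROLE workaround from proposal (1).

```sql
-- Added example with constructed names; run as a superuser in a scratch database.
-- Everything happens inside one transaction that is rolled back at the end.
BEGIN;

CREATE ROLE owner_r;
CREATE ROLE middle_r;
CREATE ROLE target_r;

CREATE TABLE demo_t (id int);
ALTER TABLE demo_t OWNER TO owner_r;

-- Build a grant chain: owner_r -> middle_r (with grant option) -> target_r.
SET ROLE owner_r;
GRANT SELECT ON demo_t TO middle_r WITH GRANT OPTION;
SET ROLE middle_r;
GRANT SELECT ON demo_t TO target_r;
RESET ROLE;

-- Superuser REVOKE: PostgreSQL performs it as though the object owner
-- (owner_r) had issued it, and owner_r is not the grantor of target_r's
-- privilege. This is the case the post says completes without any message.
REVOKE SELECT ON demo_t FROM target_r;

-- The check proposal (3) asks REVOKE to make itself:
-- does the grantee still hold the privilege after the command?
SELECT has_table_privilege('target_r', 'demo_t', 'SELECT') AS still_has_select;

-- Find out which role actually granted it, so the right grantor can revoke.
SELECT a.grantor::regrole AS grantor,
       a.grantee::regrole AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_class AS c,
     aclexplode(c.relacl) AS a
WHERE c.oid = 'demo_t'::regclass
ORDER BY grantor, grantee;

-- Workaround from proposal (1): become the grantor, then revoke.
SET ROLE middle_r;
REVOKE SELECT ON demo_t FROM target_r;
RESET ROLE;

-- Re-run the same check after revoking as the grantor.
SELECT has_table_privilege('target_r', 'demo_t', 'SELECT') AS still_has_select;

ROLLBACK;  -- discard the constructed roles, table and grants
```

Comparing the two `still_has_select` results shows whether a REVOKE took effect, which is a useful audit step after any privilege cleanup done from a superuser session.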