> On Mar 25, 2024, at 07:20, Daniel Gustafsson <dan...@yesql.se> wrote:
>
>> On 25 Mar 2024, at 15:09, Tom Lane <t...@sss.pgh.pa.us> wrote:
>
>> My initial reaction is that we should warn only when the command
>> is a complete no-op, that is none of the mentioned privileges
>> matched.
>
> That's my gut reaction too,
I think that's fine. The all-singing-all-dancing solution would be to warn if
the role retains any of the mentioned privileges for some other reason, as in:
WARNING: role "lowpriv" still has EXECUTE permission on "f()" via a
grant to role "PUBLIC" by role "owner"
... but I suspect the implementation complexity there isn't trivial.
