Hi all,

I noticed a very minor inconsistency in some ACL error messages. When you try and alter a role, it just says "permission denied":

postgres=> ALTER ROLE bar NOCREATEDB;
ERROR: permission denied
postgres=> ALTER ROLE bar SET search_path TO 'foo';
ERROR: permission denied

For almost all other ACL errors, we include what the action was. For example:

postgres=> CREATE ROLE r;
ERROR: permission denied to create role
postgres=> DROP ROLE postgres;
ERROR: permission denied to drop role
postgres=> CREATE DATABASE foo;
ERROR: permission denied to create database

It's not a huge deal, but it's easy enough to fix that I thought I'd generate a patch (attached). Let me know if people think that it's worth merging.

- Joe Koshakow

From 3ab31bc755043973ce56ee620ad99b5789d12111 Mon Sep 17 00:00:00 2001 From: Joseph Koshakow <kosh...@gmail.com> Date: Fri, 24 Feb 2023 12:05:19 -0500 Subject: [PATCH] Add details to ALTER ROLE permission errors --- src/backend/commands/user.c | 4 ++-- src/test/regress/expected/create_role.out | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index 3a92e930c0..2c7a4204a6 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -761,7 +761,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt) dvalidUntil || disreplication || dbypassRLS) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied"))); + errmsg("permission denied to alter role"))); /* an unprivileged user can change their own password */ if (dpassword && roleid != currentUserId) @@ -1008,7 +1008,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt) && roleid != GetUserId()) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied"))); + errmsg("permission denied to alter role"))); } ReleaseSysCache(roletuple); diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out index 9f431bd4f5..691cff86d2 100644 --- a/src/test/regress/expected/create_role.out +++ b/src/test/regress/expected/create_role.out @@ -98,7 +98,7 @@ ERROR: must have admin option on role "regress_role_normal" ALTER ROLE regress_role_normal RENAME TO regress_role_abnormal; ERROR: permission denied to rename role ALTER ROLE regress_role_normal NOINHERIT NOLOGIN CONNECTION LIMIT 7; -ERROR: permission denied +ERROR: permission denied to alter role -- ok, regress_tenant can create objects within the database SET SESSION AUTHORIZATION regress_tenant; CREATE TABLE tenant_table (i integer); -- 2.34.1
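
Review bot: In the AlterRole hunk (@@ -761), the new text "permission denied to alter role" still does not tell the user which role was refused or which attribute change triggered the check, even though the condition above it covers several distinct options (dvalidUntil, disreplication and dbypassRLS are visible). Consider naming the role or adding an errdetail with the required privilege, in the way the neighbouring expected output already names the role in must have admin option on role "regress_role_normal". The password branch in the trailing context, if (dpassword && roleid != currentUserId), is outside the hunk; confirm that its ereport does not keep the bare "permission denied" so the two checks in this function stay consistent.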
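
Review bot: The AlterRoleSet hunk (@@ -1008) changes a second message that no test in this patch exercises: the diffstat shows a single expected-output line updated in create_role.out, and that line belongs to ALTER ROLE regress_role_normal NOINHERIT NOLOGIN CONNECTION LIMIT 7, which goes through AlterRole. Add a regression case for the ALTER ROLE ... SET path run as an unprivileged role, along the lines of the ALTER ROLE bar SET search_path TO 'foo' statement in the cover message, so the new AlterRoleSet wording is pinned in expected output as well.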