On 15 November 2011 20:23, Peter Eisentraut <pete...@gmx.net> wrote:
> Here is the patch to implement type privileges that I alluded to
> earlier. To recall, this is mainly so that owners can prevent others
> from using their types because that would in some cases prevent owners
> from changing the types. That would effectively be a denial of service.
>
> These are the interfaces that this patch implements:
>
> - GRANT USAGE ON DOMAIN
> - GRANT USAGE ON TYPE
> - default privileges for types
> - analogous REVOKEs
> - display privileges in psql \dT+
> - privilege checks in various DDL commands (CREATE FUNCTION, CREATE
>   TABLE, etc.)
> - various information schema views adjusted
> - has_type_privilege function family
>
> The basics here are mainly informed by the SQL standard. One thing from
> there I did not implement is checking for permission of a type used in
> CAST (foo AS type). This would be doable but relatively complicated,
> and in practice someone who is not supposed to be able to use the type
> wouldn't be able to create the cast or the underlying cast function
> anyway for lack of access to the type.
>
> As elsewhere in the system, the usage of TYPE and DOMAIN is partially
> overlapping and partially not. You can use GRANT ON TYPE on a domain
> but not GRANT ON DOMAIN on a type (compare CREATE/DROP). We only
> support one common set of default privileges for types and domains. I
> feel that's enough, but it could be adjusted.
>
> Open items:
>
> - GRANT TO ALL TYPES -- haven't gotten to that yet, but could be added
>
> A reviewer should of course particularly check if there are any holes in
> the privilege protection that this patch purports to afford.

Want to try again but with the patch attached? ;)

-- 
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
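
The interfaces listed in the quoted message, walked through as an added example that is not part of either message or of the patch. It uses the type-privilege syntax as it exists in current PostgreSQL releases; the role, type and table names are constructed for illustration.

```sql
-- Constructed roles and objects; run as a superuser in a scratch database.
CREATE ROLE type_owner;
CREATE ROLE other_user;
GRANT CREATE ON SCHEMA public TO type_owner, other_user;

SET ROLE type_owner;
CREATE TYPE mood AS ENUM ('sad', 'ok', 'happy');
CREATE DOMAIN posint AS integer CHECK (VALUE > 0);

-- PUBLIC holds USAGE on new types by default, so the owner revokes it.
REVOKE USAGE ON TYPE mood FROM PUBLIC;
REVOKE USAGE ON DOMAIN posint FROM PUBLIC;
-- Same default for every type or domain type_owner creates from now on.
ALTER DEFAULT PRIVILEGES REVOKE USAGE ON TYPES FROM PUBLIC;
RESET ROLE;

-- Privilege check in DDL: other_user has no USAGE, so this is refused.
SET ROLE other_user;
CREATE TABLE mood_log (m mood);
RESET ROLE;

-- Inspect the privilege state from SQL (in psql, \dT+ shows the ACL).
SELECT has_type_privilege('other_user', 'mood', 'USAGE')   AS mood_usage,
       has_type_privilege('other_user', 'posint', 'USAGE') AS posint_usage;

-- Explicit grant: the same CREATE TABLE is now accepted.
SET ROLE type_owner;
GRANT USAGE ON TYPE mood TO other_user;
RESET ROLE;
SET ROLE other_user;
CREATE TABLE mood_log (m mood);
RESET ROLE;

-- The situation the message describes: another role's table now depends
-- on the type, and a plain DROP TYPE by the owner is blocked.
SET ROLE type_owner;
DROP TYPE mood;
RESET ROLE;
```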