Re: Revoke Connect Privilege from Database not working

public inbox for pgsql-sql@postgresql.org  
help / color / mirror / Atom feed

From: Nathan Bossart <nathandbossart@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: David G. Johnston <david.g.johnston@gmail.com>
Cc: Ing. Marijo Kristo <marijo.kristo@icloud.com>
Cc: PostgreSQL Bug List <pgsql-bugs@lists.postgresql.org>
Subject: Re: Revoke Connect Privilege from Database not working
Date: Wed, 21 Jan 2026 09:28:53 -0600
Message-ID: <aXDwtbXCu42Fdmrn@nathan> (raw)
In-Reply-To: <1933586.1768950341@sss.pgh.pa.us>
References: <CAKFQuwa7m2smqqpgPetw=i8Aj-xqg9Zjc5Z2aX3AUwNh96WnXw@mail.gmail.com>
	<d9bf666c-4d11-4196-99a8-b71d01d9ad40@me.com>
	<CAKFQuwbB-ZKtN_p_y5sWa2MrTuy5=pRNPWSj1Ud4HHvTuhb54w@mail.gmail.com>
	<3467676.1744041977@sss.pgh.pa.us>
	<CAKFQuwbpC5w6sUq8gZQATrviZUT4bYpxW+=2uH6sWWMg7fWjzg@mail.gmail.com>
	<aRYLkTpazxKhnS_w@nathan>
	<1933586.1768950341@sss.pgh.pa.us>

On Tue, Jan 20, 2026 at 06:05:41PM -0500, Tom Lane wrote:
> Motivated by the discussion at [1], I'd started on the same idea,
> but arrived at a rather different refactorization.  I think this
> way is nicer (less duplicated logic).  Either way, we need to
> address the docs and probably add more regression tests.

Yeah, I think doing most of the work in select_best_grantor() is obviously
better.  I recall wondering whether we should check for INHERIT or SET
privilege (or both) on the grantor role, and IIRC I settled on INHERIT
because select_best_grantor() searches through roles we have INHERIT on.

Would you like to handle docs/tests/committing, or shall I?

-- 
nathan

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: pgsql-sql@postgresql.org
  Cc: nathandbossart@gmail.com, tgl@sss.pgh.pa.us, david.g.johnston@gmail.com, marijo.kristo@icloud.com, pgsql-bugs@lists.postgresql.org
  Subject: Re: Revoke Connect Privilege from Database not working
  In-Reply-To: <aXDwtbXCu42Fdmrn@nathan>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox