"BYPASSRLS", "BYPASSRLS")));
}
- /* To add members to a role, you need ADMIN OPTION. */
+ /* To add or drop members, you need ADMIN OPTION. */
if (drolemembers && !is_admin_of_role(currentUserId, roleid))
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied to alter role"),
- errdetail("Only roles with the %s option on role \"%s\" may add members.",
+ errdetail("Only roles with the %s option on role \"%s\" may add or drop members.",
"ADMIN", rolename)));
/* Convert validuntil to internal form */
CREATE GROUP regress_priv_group2 WITH ADMIN regress_priv_user1 USER regress_priv_user2;
ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;
GRANT regress_priv_group2 TO regress_priv_user2 GRANTED BY regress_priv_user1;
+SET SESSION AUTHORIZATION regress_priv_user3;
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2; -- fail
+ERROR: permission denied to alter role
+DETAIL: Only roles with the ADMIN option on role "regress_priv_group2" may add or drop members.
+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2; -- fail
+ERROR: permission denied to alter role
+DETAIL: Only roles with the ADMIN option on role "regress_priv_group2" may add or drop members.
SET SESSION AUTHORIZATION regress_priv_user1;
ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;
NOTICE: role "regress_priv_user2" has already been granted membership in role "regress_priv_group2" by role "regress_priv_user1"
ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;
GRANT regress_priv_group2 TO regress_priv_user2 GRANTED BY regress_priv_user1;
+SET SESSION AUTHORIZATION regress_priv_user3;
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2; -- fail
+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2; -- fail
SET SESSION AUTHORIZATION regress_priv_user1;
ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;
ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2; -- duplicate
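Review bot: The new negative cases under `SET SESSION AUTHORIZATION regress_priv_user3;` only cover a role that, as far as the visible setup shows, has no tie to regress_priv_group2 at all, so they do not pin the case an ordinary member without ADMIN OPTION would hit. regress_priv_user2 looks like such a member: it is added through the `USER` clause in the expected-output context and through a plain `GRANT ... GRANTED BY regress_priv_user1` here. A second block, `SET SESSION AUTHORIZATION regress_priv_user2;` followed by `ALTER GROUP regress_priv_group2 ADD USER regress_priv_user4; -- fail` and the matching `DROP USER` line, would confirm that membership alone does not confer the right to manage members. The expected-output hunk would need the corresponding ERROR/DETAIL lines. It would also help to state the reason in the inline comment, for example `-- fail, no ADMIN option on regress_priv_group2`, so a later reader does not have to trace the role setup.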