From: Tom Lane Date: Mon, 19 Nov 2001 19:03:56 +0000 (+0000) Subject: Try to be a little bit clearer about the implications of GRANT TO PUBLIC X-Git-Tag: REL9_0_0~19033 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=ec62ba93614f85aebcd9823857897a8dc4b10d18;p=pg-rex%2Fsyncrep.git Try to be a little bit clearer about the implications of GRANT TO PUBLIC and REVOKE FROM PUBLIC: the latter is not the same as 'revoke from all users', but the ref page blurred the difference. --- diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml index fab1c758d0..a4ff54b579 100644 --- a/doc/src/sgml/ref/grant.sgml +++ b/doc/src/sgml/ref/grant.sgml @@ -1,5 +1,5 @@ @@ -27,18 +27,30 @@ GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,.. The GRANT command gives specific permissions on - an object (table, view, sequence) to a user or a group of users. - The special key word PUBLIC indicates that the + an object (table, view, sequence) to one or more users or groups of users. + These permissions are added to those already granted, if any. + + + + The key word PUBLIC indicates that the privileges are to be granted to all users, including those that may - be created later. + be created later. PUBLIC may be thought of as an + implicitly defined group that always includes all users. + Note that any particular user will have the sum + of privileges granted directly to him, privileges granted to any group he + is presently a member of, and privileges granted to + PUBLIC. Users other than the creator do not have any access privileges - unless the creator grants permissions, after the object is created. + to an object unless the creator grants permissions. There is no need to grant privileges to the creator of an object, as the creator automatically holds all privileges, and can also - drop the object. + drop the object. (The creator could, however, choose to revoke + some of his own privileges for safety. Note that the ability to + grant and revoke privileges is inherent in the creator and cannot + be lost.) diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml index afa75d851e..7c00c36115 100644 --- a/doc/src/sgml/ref/revoke.sgml +++ b/doc/src/sgml/ref/revoke.sgml @@ -1,5 +1,5 @@ @@ -27,9 +27,19 @@ REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,. REVOKE allows the creator of an object to revoke - permissions granted before, from a users or a group of users. The - key word PUBLIC means to revoke this privilege - from all users. + previously granted permissions from one or more users or groups of users. + The key word PUBLIC refers to the implicitly defined + group of all users. + + + + Note that any particular user will have the sum + of privileges granted directly to him, privileges granted to any group he + is presently a member of, and privileges granted to + PUBLIC. Thus, for example, revoking SELECT privilege + from PUBLIC does not necessarily mean that all users + have lost SELECT privilege on the object: those who have it granted + directly or via a group will still have it. @@ -52,7 +62,7 @@ REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,. Examples - Revoke insert privilege from all users on table + Revoke insert privilege for the public on table films: @@ -93,7 +103,7 @@ REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES } this privilege in cascade using the CASCADE keyword. If user1 gives a privilege WITH GRANT OPTION to user2, and user2 gives it to user3, then if user1 tries to revoke - this privilege it fails if he specify the RESTRICT + this privilege it fails if he specifies the RESTRICT keyword.