document deviation from standard on REVOKE ROLE

On Fri, Oct 30, 2020 at 02:03:48PM -0400, John Naylor wrote:

This is the other doc fix as suggested in 
/messages/by-id/20201027220555.GS4951@momjian.us

There is already a compatibility section, so put there.
-- 
John Naylor
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company 

diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml
index 35ff87a4f5..c8d5be92db 100644
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -298,6 +298,12 @@ REVOKE admins FROM joe;
is required according to the standard, but <productname>PostgreSQL</productname>
assumes <literal>RESTRICT</literal> by default.
</para>
+
+   <para>
+    In the SQL standard, <command>REVOKE</command> only revokes the privilege
+    as granted by the invoking role. In <productname>PostgreSQL</productname>,
+    this will also revoke privileges granted by other roles.
+   </para>
</refsect1>

<refsect1>

John, should this 2020 patch still be applied?

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.

Bruce Momjian <bruce@momjian.us> writes:

On Fri, Oct 30, 2020 at 02:03:48PM -0400, John Naylor wrote:

+    In the SQL standard, <command>REVOKE</command> only revokes the privilege
+    as granted by the invoking role. In <productname>PostgreSQL</productname>,
+    this will also revoke privileges granted by other roles.

John, should this 2020 patch still be applied?

[ raised eyebrow... ] I do not think that was ever true as written,
and it's demonstrably not true now.

regression=# create user alice;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# create table subject (id int);
CREATE TABLE
regression=# grant select on table subject to alice with grant option;
GRANT
regression=# grant select on table subject to bob with grant option;
GRANT
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> grant select on table subject to public;
GRANT
regression=> \c - bob
You are now connected to database "regression" as user "bob".
regression=> grant select on table subject to public;
GRANT
regression=> \dp subject
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------+-------+---------------------------+-------------------+----------
public | subject | table | postgres=arwdDxt/postgres+| |
| | | alice=r*/postgres +| |
| | | bob=r*/postgres +| |
| | | =r/alice +| |
| | | =r/bob | |
(1 row)

regression=> revoke select on table subject from public;
REVOKE
regression=> \dp subject
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+---------+-------+---------------------------+-------------------+----------
public | subject | table | postgres=arwdDxt/postgres+| |
| | | alice=r*/postgres +| |
| | | bob=r*/postgres +| |
| | | =r/alice | |
(1 row)

Maybe there's some related point that needs to be made,
but not that one.

regards, tom lane

On Wed, Nov 1, 2023 at 07:49:25PM -0400, Tom Lane wrote:

Bruce Momjian <bruce@momjian.us> writes:

On Fri, Oct 30, 2020 at 02:03:48PM -0400, John Naylor wrote:

+    In the SQL standard, <command>REVOKE</command> only revokes the privilege
+    as granted by the invoking role. In <productname>PostgreSQL</productname>,
+    this will also revoke privileges granted by other roles.

John, should this 2020 patch still be applied?

[ raised eyebrow... ] I do not think that was ever true as written,
and it's demonstrably not true now.

..

Maybe there's some related point that needs to be made,
but not that one.

Cool, thanks, closed!

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.