Remove ALTER DEFAULT PRIVILEGES' requirement of schema CREATE permissions.

Per discussion, this restriction isn't needed for any real security reason,
and it seems to confuse people more often than it helps them.  It could
also result in some database states being unrestorable.  So just drop it.

Back-patch to 9.0, where ALTER DEFAULT PRIVILEGES was introduced.

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index f7b52ef9d1ac2429f19d88e5015a1384e5bfd5f4..f67cfc7116d904117c5dbf68fdb32f9aef38be80 100644 (file)
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -111,8 +111,8 @@ REVOKE [ GRANT OPTION FOR ]
     <term><replaceable>schema_name</replaceable></term>
     <listitem>
      <para>
-      The name of an existing schema.  Each <replaceable>target_role</>
-      must have <literal>CREATE</> privileges for each specified schema.
+      The name of an existing schema.  If specified, the default privileges
+      are altered for objects later created in that schema.
       If <literal>IN SCHEMA</> is omitted, the global default privileges
       are altered.
      </para>

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index df32731b874fc36414dc889d3403d7d5f1aca690..cf5e5f03a6b079d2a61581390ee31bf3b8d96494 100644 (file)
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -992,27 +992,26 @@ SetDefaultACLsInSchemas(InternalDefaultACL *iacls, List *nspnames)
        }
        else
        {
-               /* Look up the schema OIDs and do permissions checks */
+               /* Look up the schema OIDs and set permissions for each one */
                ListCell   *nspcell;
 
                foreach(nspcell, nspnames)
                {
                        char       *nspname = strVal(lfirst(nspcell));
-                       AclResult       aclresult;
 
-                       /*
-                        * Note that we must do the permissions check against the target
-                        * role not the calling user.  We require CREATE privileges, since
-                        * without CREATE you won't be able to do anything using the
-                        * default privs anyway.
-                        */
                        iacls->nspid = get_namespace_oid(nspname, false);
 
-                       aclresult = pg_namespace_aclcheck(iacls->nspid, iacls->roleid,
-                                                                                         ACL_CREATE);
-                       if (aclresult != ACLCHECK_OK)
-                               aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
-                                                          nspname);
+                       /*
+                        * We used to insist that the target role have CREATE privileges
+                        * on the schema, since without that it wouldn't be able to create
+                        * an object for which these default privileges would apply.
+                        * However, this check proved to be more confusing than helpful,
+                        * and it also caused certain database states to not be
+                        * dumpable/restorable, since revoking CREATE doesn't cause
+                        * default privileges for the schema to go away.  So now, we just
+                        * allow the ALTER; if the user lacks CREATE he'll find out when
+                        * he tries to create an object.
+                        */
 
                        SetDefaultACL(iacls);
                }