From 953cf49e166a1a64e1eaf2b091b84e02848b8c75 Mon Sep 17 00:00:00 2001 From: Nathan Bossart Date: Mon, 15 Apr 2024 14:03:24 -0500 Subject: [PATCH] doc: Note exceptions for SET ROLE's effect on privilege checks. The documentation for SET ROLE states that superusers who switch to a non-superuser role lose their superuser privileges. While this is true for most commands, there are exceptions such as SET ROLE and SET SESSION AUTHORIZATION, which continue to use the current session user and the authenticated user, respectively. Furthermore, the description of this command already describes its effect, so it is arguably unnecessary to include this special case. This commit removes the note about the superuser case and adds a sentence about the aforementioned exceptions to the description. Co-authored-by: Yurii Rashkovskii Reviewed-by: Shubham Khanna, Robert Haas, Michael Paquier Discussion: https://postgr.es/m/CA%2BRLCQysHtME0znk2KUMJN343ksboSRQSU-hCnOjesX6VK300Q%40mail.gmail.com --- doc/src/sgml/ref/set_role.sgml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml index 083e6dc6ea9..9557bb77aba 100644 --- a/doc/src/sgml/ref/set_role.sgml +++ b/doc/src/sgml/ref/set_role.sgml @@ -37,7 +37,10 @@ RESET ROLE written as either an identifier or a string literal. After SET ROLE, permissions checking for SQL commands is carried out as though the named role were the one that had logged - in originally. + in originally. Note that SET ROLE and + SET SESSION AUTHORIZATION are exceptions; permissions + checks for those continue to use the current session user and the initial + session user (the authenticated user), respectively. @@ -88,11 +91,6 @@ RESET ROLE exercised either with or without SET ROLE. - - Note that when a superuser chooses to SET ROLE to a - non-superuser role, they lose their superuser privileges. - - SET ROLE has effects comparable to SET SESSION AUTHORIZATION, but the privilege