For foreign keys, check REFERENCES privilege only on the referenced table.

We were requiring that the user have REFERENCES permission on both the referenced and referencing tables --- but this doesn't seem to have any support in the SQL standard, which says only that you need REFERENCES permission on the referenced table. And ALTER TABLE ADD FOREIGN KEY has already checked that you own the referencing table, so the check could only fail if a table owner has revoked his own REFERENCES permission. Moreover, the symmetric interpretation of this permission is unintuitive and confusing, as per complaint from Paul Jungwirth. So let's drop the referencing-side check. In passing, do a bit of wordsmithing on the GRANT reference page so that all the privilege types are described in similar fashion. Discussion: https://postgr.es/m/8940.1490906755@sss.pgh.pa.us
2025-08-22 21:53:06 +03:00 · 2017-03-31 18:11:25 -04:00
parent 8f18a880a5
commit 64d4da511c
3 changed files with 20 additions and 15 deletions
--- a/doc/src/sgml/ref/create_table.sgml
+++ b/doc/src/sgml/ref/create_table.sgml
@@ -750,9 +750,11 @@ CREATE [ [ GLOBAL | LOCAL ] { TEMPORARY | TEMP } | UNLOGGED ] TABLE [ IF NOT EXI
      class="parameter">refcolumn</replaceable> list is omitted, the
      primary key of the <replaceable class="parameter">reftable</replaceable>
      is used.  The referenced columns must be the columns of a non-deferrable
-      unique or primary key constraint in the referenced table.  Note that
-      foreign key constraints cannot be defined between temporary tables and
-      permanent tables.
+      unique or primary key constraint in the referenced table.  The user
+      must have <literal>REFERENCES</> permission on the referenced table
+      (either the whole table, or the specific referenced columns).
+      Note that foreign key constraints cannot be defined between temporary
+      tables and permanent tables.
     </para>

     <para>