Make UPDATE and DELETE privileges distinct. Add REFERENCES and TRIGGER

privileges. INSERT and COPY FROM now require INSERT (only). Add privileges regression test.
2025-12-24 06:01:07 +03:00 · 2001-05-27 09:59:30 +00:00
parent 52350c7ad9
commit 96147a6d1c
26 changed files with 725 additions and 827 deletions
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -1,379 +1,96 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.13 2000/12/25 23:15:26 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.14 2001/05/27 09:59:28 petere Exp $
 Postgres documentation
 -->

 <refentry id="SQL-REVOKE">
 <refmeta>
-  <refentrytitle id="SQL-REVOKE-TITLE">
-   REVOKE
-  </refentrytitle>
+  <refentrytitle>REVOKE</refentrytitle>
  <refmiscinfo>SQL - Language Statements</refmiscinfo>
 </refmeta>
+
 <refnamediv>
-  <refname>
-   REVOKE
-  </refname>
-  <refpurpose>
-   Revokes access privilege from a user, a group or all users.
-  </refpurpose>
+  <refname>REVOKE</refname>
+  <refpurpose>Revokes access privilege from a user, a group, or all users.</refpurpose>
 </refnamediv>
+
 <refsynopsisdiv>
-  <refsynopsisdivinfo>
-   <date>1999-07-20</date>
-  </refsynopsisdivinfo>
-  <synopsis>
-REVOKE <replaceable class="PARAMETER">privilege</replaceable> [, ...]
-    ON <replaceable class="PARAMETER">object</replaceable> [, ...]
-    FROM { PUBLIC | GROUP <replaceable class="PARAMETER">groupname</replaceable> | <replaceable class="PARAMETER">username</replaceable> }
-  </synopsis>
-
-  <refsect2 id="R2-SQL-REVOKE-1">
-   <refsect2info>
-    <date>1998-09-24</date>
-   </refsect2info>
-   <title>
-    Inputs
-   </title>
-   <para>
-
-    <variablelist>
-     <varlistentry>
-      <term><replaceable class="PARAMETER">privilege</replaceable></term>
-      <listitem>
-       <para>
-	The possible privileges are:
-
-	<variablelist>
-	 <varlistentry>
-	  <term>SELECT</term>
-	  <listitem>
-	   <para>
-	    Privilege to access all of the columns of a specific
-	    table/view.
-	   </para>
-	  </listitem>
-	 </varlistentry>
-
-	 <varlistentry>
-	  <term>INSERT</term>
-	  <listitem>
-	   <para>
-	    Privilege to insert data into all columns of a
-	    specific table.
-	   </para>
-	  </listitem>
-	 </varlistentry>
-
-	 <varlistentry>
-	  <term>UPDATE</term>
-	  <listitem>
-	   <para>
-	    Privilege to update all columns of a specific
-	    table.
-	   </para>
-	  </listitem>
-	 </varlistentry>
-
-	 <varlistentry>
-	  <term>DELETE</term>
-	  <listitem>
-	   <para>
-	    Privilege to delete rows from a specific table.
-	   </para>
-	  </listitem>
-	 </varlistentry>
-
-	 <varlistentry>
-	  <term>RULE</term>
-	  <listitem>
-	   <para>
-	    Privilege to define rules on table/view.
-	    (See 
-	    <xref linkend="sql-createrule" endterm="sql-createrule-title">).
-	   </para>
-	  </listitem>
-	 </varlistentry>
-
-	 <varlistentry>
-	  <term>ALL</term>
-	  <listitem>
-	   <para>
-	    Rescind all privileges.
-	   </para>
-	  </listitem>
-	 </varlistentry>
-	</variablelist>
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term><replaceable class="PARAMETER">object</replaceable></term>
-      <listitem>
-       <para>
-	The name of an object from which to revoke access.
-
-	The possible objects are:
-	<itemizedlist spacing="compact" mark="bullet">
-	 <listitem>
-	  <para>
-	   table 
-	  </para>
-	 </listitem>
-
-	 <listitem>
-	  <para>
-	   view 
-	  </para>
-	 </listitem>
-
-	 <listitem>
-	  <para>
-	   sequence
-	  </para>
-	 </listitem>
-
-	</itemizedlist>
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term><replaceable class="PARAMETER">group</replaceable></term>
-      <listitem>
-       <para>
-	The name of a group from whom to revoke privileges.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term><replaceable class="PARAMETER">username</replaceable></term>
-      <listitem>
-       <para>
-	The name of a user from whom revoke privileges. Use the PUBLIC keyword
-	to specify all users.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term>PUBLIC</term>
-      <listitem>
-       <para>
-	Rescind the specified privilege(s) for all users.
-       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </para>
-  </refsect2>
-
-  <refsect2 id="R2-SQL-REVOKE-2">
-   <refsect2info>
-    <date>1998-09-24</date>
-   </refsect2info>
-   <title>
-    Outputs
-   </title>
-   <para>
-
-    <variablelist>
-     <varlistentry>
-      <term><computeroutput>
-CHANGE
-       </computeroutput></term>
-      <listitem>
-       <para>
-	Message returned if successfully.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term><computeroutput>
-ERROR
-       </computeroutput></term>
-      <listitem>
-       <para>
-	Message returned if object is not available or impossible
-	to revoke privileges from a group or users.
-       </para>
-      </listitem>
-     </varlistentry>		  
-    </variablelist>
-   </para>
-  </refsect2>
+<synopsis>
+REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
+    ON [ TABLE ] <replaceable class="PARAMETER">object</replaceable> [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC }
+</synopsis>
 </refsynopsisdiv>

- <refsect1 id="R1-SQL-REVOKE-1">
-  <refsect1info>
-   <date>1998-09-24</date>
-  </refsect1info>
-  <title>
-   Description
-  </title>
+ <refsect1 id="SQL-REVOKE-description">
+  <title>Description</title>
+
  <para>
-   <command>REVOKE</command> allows creator of an object to revoke permissions granted
-   before, from all users (via PUBLIC) or a certain user or group.
+   <command>REVOKE</command> allows the creator of an object to revoke
+   permissions granted before, from a users or a group of users.  The
+   key word <literal>PUBLIC</literal> means to revoke this privilege
+   from all users.
  </para>

-  <refsect2 id="R2-SQL-REVOKE-3">
-   <refsect2info>
-    <date>1998-09-24</date>
-   </refsect2info>
-   <title>
-    Notes
-   </title>
-   <para>
-    Refer to psql \z command for further information about permissions 
-    on existing objects:
-
-    <programlisting>
-Database    = lusitania
-+------------------+---------------------------------------------+
-|  Relation        |        Grant/Revoke Permissions             |
-+------------------+---------------------------------------------+
-| mytable          | {"=rw","miriam=arwR","group todos=rw"}      |
-+------------------+---------------------------------------------+
-Legend:
-     uname=arwR -- privileges granted to a user
-     group gname=arwR -- privileges granted to a GROUP
-     =arwR -- privileges granted to PUBLIC
-		  
-     r -- SELECT
-     w -- UPDATE/DELETE
-     a -- INSERT
-     R -- RULE
-     arwR -- ALL
-    </programlisting>
-   </para>
-   <tip>
-    <para>
-     Currently, to create a GROUP you have to insert 
-     data manually into table pg_group as:
-
-     <programlisting>
-INSERT INTO pg_group VALUES ('todos');
-CREATE USER miriam IN GROUP todos;
-     </programlisting>
-    </para>
-   </tip>
-
-  </refsect2>
+  <para>
+   See the description of the <xref linkend="sql-grant"> command for
+   the meaning of the privilege types.
+  </para>
 </refsect1>

- <refsect1 id="R1-SQL-REVOKE-2">
-  <title>
-   Usage
-  </title>
+ <refsect1 id="SQL-REVOKE-notes">
+  <title>Notes</title>
+
+  <para>
+   Use <xref linkend="app-psql">'s <command>\z</command> command to
+   display the privileges granted on existing objects.  See also <xref
+   linkend="sql-grant"> for information about the format.
+  </para>
+ </refsect1>
+
+ <refsect1 id="SQL-REVOKE-examples">
+  <title>Examples</title>
+
  <para>
   Revoke insert privilege from all users on table
   <literal>films</literal>:

-   <programlisting>
+<programlisting>
 REVOKE INSERT ON films FROM PUBLIC;
-  </programlisting>
+</programlisting>
  </para>

  <para>
   Revoke all privileges from user <literal>manuel</literal> on view <literal>kinds</literal>:

-   <programlisting>  
-REVOKE ALL ON kinds FROM manuel;
-   </programlisting>
+<programlisting>  
+REVOKE ALL PRIVILEGES ON kinds FROM manuel;
+</programlisting>
  </para>
 </refsect1>

- <refsect1 id="R1-SQL-REVOKE-3">
-  <title>
-   Compatibility
-  </title>
+ <refsect1 id="SQL-REVOKE-compatibility">
+  <title>Compatibility</title>

-  <refsect2 id="R2-SQL-REVOKE-4">
-   <refsect2info>
-    <date>1998-09-01</date>
-   </refsect2info>
-   <title>
-    SQL92
-   </title>
+  <refsect2>
+   <title>SQL92</title>

   <para>
-    The SQL92 syntax for <command>REVOKE</command>
-    has additional capabilities for rescinding
-    privileges, including those on individual columns in tables:
+    The compatibility notes of the <xref linkend="sql-grant"> command
+    apply analogously to <command>REVOKE</command>.  The syntax summary is:

-    <variablelist>
-     <varlistentry>
-      <term>
-       <synopsis>
-REVOKE { SELECT | DELETE | USAGE | ALL PRIVILEGES } [, ...]
-    ON <replaceable class="parameter">object</replaceable>
-    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
-REVOKE { INSERT | UPDATE | REFERENCES } [, ...] [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
-    ON <replaceable class="parameter">object</replaceable>
-    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
-       </synopsis>
-      </term>
-      <listitem>
-       <para>
-	Refer to
-	<xref linkend="sql-grant" endterm="sql-grant-title">
-	for details on individual fields.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term>
-       <synopsis>
-REVOKE GRANT OPTION FOR <replaceable class="parameter">privilege</replaceable> [, ...]
-    ON <replaceable class="parameter">object</replaceable>
-    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
-       </synopsis>
-      </term>
-      <listitem>
-       <para>
-	Rescinds authority for a user to grant the specified privilege
-	to others.
-	Refer to
-	<xref linkend="sql-grant" endterm="sql-grant-title">
-	for details on individual fields.
-       </para>
-      </listitem>
-     </varlistentry>
-    </variablelist>
-   </para>
-
-   <para>
-    The possible objects are:
-    <simplelist>
-     <member>
-      [ TABLE ] table/view
-     </member>
-     <member>
-      CHARACTER SET character-set
-     </member>
-     <member>
-      COLLATION collation
-     </member>
-     <member>
-      TRANSLATION translation
-     </member>
-     <member>
-      DOMAIN domain
-     </member>
-    </simplelist>
+<synopsis>
+REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
+    ON <replaceable class="parameter">object</replaceable> [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
+    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] }
+    { RESTRICT | CASCADE }
+</synopsis>
   </para>

   <para> 
    If user1 gives a privilege WITH GRANT OPTION to user2,
    and user2 gives it to user3 then user1 can revoke
    this privilege in cascade using the CASCADE keyword.
-   </para>
-
-   <para>
    If user1 gives a privilege WITH GRANT OPTION to user2,
    and user2 gives it to user3, then if user1 tries to revoke
    this privilege it fails if he specify the RESTRICT
@@ -381,6 +98,15 @@ REVOKE GRANT OPTION FOR <replaceable class="parameter">privilege</replaceable> [
   </para>
  </refsect2>
 </refsect1>
+
+ <refsect1>
+  <title>See Also</title>
+
+  <simpara>
+   <xref linkend="sql-grant">
+  </simpara>
+ </refsect1>
+
 </refentry>

 <!-- Keep this comment at the end of the file