On tis, 2012-07-10 at 15:28 -0700, Joe Conway wrote:
> So I think this boils down to what we think the output of the various
> has_*_privilege() functions *should* tell you:
>
> 1) privileges possessed even though they may not
> be usable
> -or-
> 2) privileges possessed and usable
>
> Personally I'm interested in answering the latter question -- what are
> all the things role X can do and see.
>
> But historically (and perhaps correctly) these functions have always
> done the former -- so maybe all we need are some words of warning in
> the documentation of these functions?
The second question is much more difficult to answer than the first.
You could have sepgsql in the way, for example.
The functions very clearly check whether a privilege is being held, and
elsewhere it is documented what you can do with these privileges. A
particular action might very well require multiple privileges.
