Improve GRANT documentation to point out that UPDATE and DELETE typically

require SELECT privilege as well, since you normally need to read existing
column values within such commands.  This behavior is according to spec,
but we'd never documented it before.  Per gripe from Volkan Yazici.

diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index 7b1295f9eb62d9a73231fd4cafc36f10d4910217..14013c50ad2833ff7bfe94737beb9143fc2a4c1e 100644 (file)
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 
 
@@ -135,10 +135,15 @@ GRANT role [, ...] TO 
      SELECT
      
       
-       Allows  from any column of the
-       specified table, view, or sequence.  Also allows the use of
-        TO.  For sequences, this
-       privilege also allows the use of the currval function.
+       Allows  from
+       any column of the specified table, view, or sequence.
+       Also allows the use of
+        TO.
+       This privilege is also needed to reference existing column values in
+        or
+       .
+       For sequences, this privilege also allows the use of the
+       currval function.
       
      
     
@@ -147,8 +152,9 @@ GRANT role [, ...] TO 
      INSERT
      
       
-       Allows  of a new row into the
-       specified table.  Also allows  FROM.
+       Allows  of a new
+       row into the specified table.
+       Also allows  FROM.
       
      
     
@@ -158,10 +164,15 @@ GRANT role [, ...] TO 
      
       
        Allows  of any
-       column of the specified table.  SELECT ... FOR UPDATE
+       column of the specified table.
+       (In practice, any nontrivial UPDATE command will require
+       SELECT privilege as well, since it must reference table
+       columns to determine which rows to update, and/or to compute new
+       values for columns.)
+       SELECT ... FOR UPDATE
        and SELECT ... FOR SHARE
-       also require this privilege (besides the
-       SELECT privilege).  For sequences, this
+       also require this privilege, in addition to the
+       SELECT privilege.  For sequences, this
        privilege allows the use of the nextval and
        setval functions.
       
@@ -172,8 +183,11 @@ GRANT role [, ...] TO 
      DELETE
      
       
-       Allows  of a row from the
-       specified table.
+       Allows  of a row
+       from the specified table.
+       (In practice, any nontrivial DELETE command will require
+       SELECT privilege as well, since it must reference table
+       columns to determine which rows to delete.)
       
      
     
@@ -235,7 +249,7 @@ GRANT role [, ...] TO 
      TEMP
      
       
-       Allows temporary tables to be created while using the database.
+       Allows temporary tables to be created while using the specified database.