Try to be a little bit clearer about the implications of GRANT TO PUBLIC

and REVOKE FROM PUBLIC: the latter is not the same as 'revoke from all
users', but the ref page blurred the difference.

diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index fab1c758d0060ad9f21c1dec6935783748f17c98..a4ff54b5794dd814f3e1daf57127b203e8c83739 100644 (file)
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 
 
@@ -27,18 +27,30 @@ GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,..
 
   
    The GRANT command gives specific permissions on
-   an object (table, view, sequence) to a user or a group of users.
-   The special key word PUBLIC indicates that the
+   an object (table, view, sequence) to one or more users or groups of users.
+   These permissions are added to those already granted, if any.
+  
+
+  
+   The key word PUBLIC indicates that the
    privileges are to be granted to all users, including those that may
-   be created later.
+   be created later.  PUBLIC may be thought of as an
+   implicitly defined group that always includes all users.
+   Note that any particular user will have the sum
+   of privileges granted directly to him, privileges granted to any group he
+   is presently a member of, and privileges granted to
+   PUBLIC.
   
 
   
    Users other than the creator do not have any access privileges
-   unless the creator grants permissions, after the object is created.
+   to an object unless the creator grants permissions.
    There is no need to grant privileges to the creator of an object,
    as the creator automatically holds all privileges, and can also
-   drop the object.
+   drop the object.  (The creator could, however, choose to revoke
+   some of his own privileges for safety.  Note that the ability to
+   grant and revoke privileges is inherent in the creator and cannot
+   be lost.)
   
 
   

diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml
index afa75d851eea00046250dea58f12ff6aa4544e5e..7c00c36115bc5f6f25b662c90ee53f0c57234e5e 100644 (file)
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -1,5 +1,5 @@
 
 
@@ -27,9 +27,19 @@ REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,.
 
   
    REVOKE allows the creator of an object to revoke
-   permissions granted before, from a users or a group of users.  The
-   key word PUBLIC means to revoke this privilege
-   from all users.
+   previously granted permissions from one or more users or groups of users.
+   The key word PUBLIC refers to the implicitly defined
+   group of all users.
+  
+
+  
+   Note that any particular user will have the sum
+   of privileges granted directly to him, privileges granted to any group he
+   is presently a member of, and privileges granted to
+   PUBLIC.  Thus, for example, revoking SELECT privilege
+   from PUBLIC does not necessarily mean that all users
+   have lost SELECT privilege on the object: those who have it granted
+   directly or via a group will still have it.
   
 
   
@@ -52,7 +62,7 @@ REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,.
   Examples
 
   
-   Revoke insert privilege from all users on table
+   Revoke insert privilege for the public on table
    films:
 
 
@@ -93,7 +103,7 @@ REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
     this privilege in cascade using the CASCADE keyword.
     If user1 gives a privilege WITH GRANT OPTION to user2,
     and user2 gives it to user3, then if user1 tries to revoke
-    this privilege it fails if he specify the RESTRICT
+    this privilege it fails if he specifies the RESTRICT
     keyword.