Doc: fix missing explanation of default object privileges.

The GRANT reference page, which lists the default privileges for new
objects, failed to mention that USAGE is granted by default for data
types and domains.  As a lesser sin, it also did not specify anything
about the initial privileges for sequences, FDWs, foreign servers,
or large objects.  Fix that, and add a comment to acldefault() in the
probably vain hope of getting people to maintain this list in future.

Noted by Laurenz Albe, though I editorialized on the wording a bit.
Back-patch to all supported branches, since they all have this behavior.

Discussion: https://postgr.es/m/1507620895[email protected]

diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index fc3552bc1de6f1fe78a7e157ed9236764924938b..77770fa77357563531a3de0bd2195ee53ee2f40b 100644 (file)
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -149,12 +149,22 @@ GRANT role_name [, ...] TO 
   
    PostgreSQL grants default privileges on some types of objects to
    PUBLIC.  No privileges are granted to
-   PUBLIC by default on tables,
-   columns, schemas or tablespaces. For other types, the default privileges
+   PUBLIC by default on
+   tables,
+   table columns,
+   sequences,
+   foreign data wrappers,
+   foreign servers,
+   large objects,
+   schemas,
+   or tablespaces.
+   For other types of objects, the default privileges
    granted to PUBLIC are as follows:
-   CONNECT and CREATE TEMP TABLE for
-   databases; EXECUTE privilege for functions; and
-   USAGE privilege for languages.
+   CONNECT and TEMPORARY (create
+   temporary tables) privileges for databases;
+   EXECUTE privilege for functions; and
+   USAGE privilege for languages and data types
+   (including domains).
    The object owner can, of course, REVOKE
    both default and  expressly granted privileges. (For maximum
    security, issue the REVOKE in the same transaction that

diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 23b66b3e72191f9d4a8ddb3096d38664f01d3bae..630cd1a5e3015ac2550c93fa6c3fdb8f5210efab 100644 (file)
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -722,7 +722,9 @@ hash_aclitem(PG_FUNCTION_ARGS)
  * acldefault()  --- create an ACL describing default access permissions
  *
  * Change this routine if you want to alter the default access policy for
- * newly-created objects (or any object with a NULL acl entry).
+ * newly-created objects (or any object with a NULL acl entry).  When
+ * you make a change here, don't forget to update the GRANT man page,
+ * which explains all the default permissions.
  *
  * Note that these are the hard-wired "defaults" that are used in the
  * absence of any pg_default_acl entry.