From 264b00fca7f0fb2bbe0635e6bfea3a73de71133d Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Wed, 11 Oct 2017 16:56:23 -0400
Subject: Doc: fix missing explanation of default object privileges.

The GRANT reference page, which lists the default privileges for new
objects, failed to mention that USAGE is granted by default for data
types and domains. As a lesser sin, it also did not specify anything
about the initial privileges for sequences, FDWs, foreign servers,
or large objects. Fix that, and add a comment to acldefault() in the
probably vain hope of getting people to maintain this list in future.

Noted by Laurenz Albe, though I editorialized on the wording a bit.
Back-patch to all supported branches, since they all have this behavior.

Discussion: https://postgr.es/m/1507620895.4152.1.camel@cybertec.at
---
doc/src/sgml/ref/grant.sgml | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index f2b25e546c3..0e517c5bb61 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -149,12 +149,22 @@ GRANT role_name [, ...] TO
PostgreSQL grants default privileges on some types of objects to
PUBLIC. No privileges are granted to
- PUBLIC by default on tables,
- columns, schemas or tablespaces. For other types, the default privileges
+ PUBLIC by default on
+ tables,
+ table columns,
+ sequences,
+ foreign data wrappers,
+ foreign servers,
+ large objects,
+ schemas,
+ or tablespaces.
+ For other types of objects, the default privileges
granted to PUBLIC are as follows:
- CONNECT and CREATE TEMP TABLE for
- databases; EXECUTE privilege for functions; and
- USAGE privilege for languages.
+ CONNECT and TEMPORARY (create
+ temporary tables) privileges for databases;
+ EXECUTE privilege for functions; and
+ USAGE privilege for languages and data types
+ (including domains).
The object owner can, of course, REVOKE
both default and expressly granted privileges. (For maximum
security, issue the REVOKE> in the same transaction that
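Review bot: the two enumerations added in this hunk (the object types that get no PUBLIC privileges, ending at "or tablespaces.", and the defaults ending at "languages and data types (including domains).") have to be kept in step with acldefault() by hand, and nothing visible in the added lines points a documentation editor back to that function. The commit message says a reminder comment went in on the code side; a matching SGML comment beside this paragraph that names acldefault() would give the same reminder from the doc side. That matters here because the unchanged sentence that follows tells owners to REVOKE these defaults, so a default that drifts out of the list is one that readers will not know to revoke.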
--
cgit v1.2.3