From e965e6344cfaff0708a032721b56f61eea777bc5 Mon Sep 17 00:00:00 2001
From: Robert Haas
Date: Fri, 5 Apr 2013 08:51:31 -0400
Subject: sepgsql: Enforce db_schema:search permission.
KaiGai Kohei, with comment and doc wordsmithing by me
---
 doc/src/sgml/sepgsql.sgml | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'doc/src')
diff --git a/doc/src/sgml/sepgsql.sgml b/doc/src/sgml/sepgsql.sgml
index da0915bff3a..0a2ee86a111 100644
--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
@@ -397,6 +397,16 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
 checked in this version.
+
+ In order to access any schema object, db_schema:search
+ permission is required on the containing schema. When an object is
+ referenced without schema qualification, schemas on which this
+ permission is not present will not be searched (just as if the user did
+ not have USAGE privilege on the schema). If an explicit schema
+ qualification is present, an error will occur if the user does not have
+ the requisite permission on the named schema.
+
+
 The client must be allowed to access all referenced tables and columns, even if they originated from views which were then expanded,
-- cgit v1.2.3