Robert Haas <robertmhaas@gmail.com> writes:
> ... If we do decide to change the
> behavior, we'd better carefully document that if you want to make
> someone a superuser without giving them replication privileges (or
> revoke their superuser status without revoking replication
> privileges), you need to specify both ALTER TABLE options.
You'd also have to be careful about processing-order dependencies;
consider
ALTER USER joe NOREPLICATION SUPERUSER;
which would do the wrong thing with a naive implementation.
> All in all I'm somewhat inclined to think we should just patch the
> docs. 9.1 hasn't been out for very long, so maybe expectations aren't
> too settled yet, but changing security-critical behavior in back
> branches doesn't seem like a wonderful idea; and I think I mildly
> prefer the current semantics to the proposed ones.
+1
regards, tom lane