fix: emit REVOKE statements before DROP statements#243
Merged
tianzhou merged 1 commit intopgplex:mainfrom Jan 15, 2026
Merged
Conversation
When dropping objects (functions, tables, etc.) that have explicit privileges granted, REVOKE statements must execute before DROP statements. Previously, REVOKEs were emitted after DROPs, causing failures because the object no longer exists. Reorder generateDropSQL() to emit privilege revocations first, then object drops.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes a critical bug in the DDL generation where REVOKE statements were being emitted after DROP statements, causing REVOKE operations to fail because the objects they reference no longer existed. The fix reorders the generateDropSQL() function to emit all privilege revocations before any object drops.
Changes:
- Reordered privilege revocation calls to execute before object drops in
generateDropSQL() - Extended drop_function test case to include a function with GRANT EXECUTE privilege to verify the fix
- Updated test expectations to reflect the new ordering
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| internal/diff/diff.go | Moved all privilege revocation calls (lines 1517-1520) to the beginning of generateDropSQL(), before any object drops |
| testdata/diff/create_function/drop_function/old.sql | Added test setup with api_role and GRANT EXECUTE on process_order function |
| testdata/diff/create_function/drop_function/plan.txt | Updated expected output to show REVOKE statement before DROP statements |
| testdata/diff/create_function/drop_function/plan.sql | Updated expected SQL to show REVOKE before DROP |
| testdata/diff/create_function/drop_function/plan.json | Updated expected JSON plan with new privilege drop step |
| testdata/diff/create_function/drop_function/diff.sql | Updated expected diff output with REVOKE before DROP |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
alecthomas
pushed a commit
to alecthomas/pgschema
that referenced
this pull request
Jan 26, 2026
When dropping objects (functions, tables, etc.) that have explicit privileges granted, REVOKE statements must execute before DROP statements. Previously, REVOKEs were emitted after DROPs, causing failures because the object no longer exists. Reorder generateDropSQL() to emit privilege revocations first, then object drops.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Problem
When dropping objects (functions, tables, etc.) that have explicit privileges granted, pgschema generated:
The REVOKE fails with "function does not exist" because the object was already dropped.
Fix
Reorder
generateDropSQL()ininternal/diff/diff.goto emit privilege revocations before object drops.Test plan
create_function/drop_functiontest to include a function with GRANT EXECUTEprivilege/tests pass (10 tests)create_function/tests pass (5 tests)