statement ok
CREATE DATABASE d;
GRANT CREATE ON DATABASE d TO testuser

# By default, testuser should have ALL privileges on a schema it creates.
user testuser

statement ok
USE d;

# The public schema is special and has hard-coded privileges for the public role.
# When https://github.com/cockroachdb/cockroach/issues/70266 is resolved,
# the public role will no longer have CREATE privilege.
query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA public
----
database_name  schema_name  grantee  privilege_type  is_grantable
d              public       admin    ALL             true
d              public       public   CREATE          false
d              public       public   USAGE           false
d              public       root     ALL             true

statement ok
CREATE SCHEMA testuser_s;

query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA testuser_s;
----
database_name  schema_name  grantee   privilege_type  is_grantable
d              testuser_s   admin     ALL             true
d              testuser_s   root      ALL             true
d              testuser_s   testuser  ALL             true

statement ok
ALTER DEFAULT PRIVILEGES REVOKE ALL ON SCHEMAS FROM testuser;

statement ok
CREATE SCHEMA testuser_s2;

# Note that CREATE is still present for testuser due to our current inheritance
# behavior.
# TODO(richardjcai): Remove this when we remove our current inheritance logic.
query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA testuser_s2
----
database_name  schema_name  grantee   privilege_type  is_grantable
d              testuser_s2  admin     ALL             true
d              testuser_s2  root      ALL             true
d              testuser_s2  testuser  ALL             true

user root

statement ok
USE test;

statement ok
CREATE USER testuser2

statement ok
ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO testuser, testuser2

statement ok
CREATE SCHEMA s

query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA s
----
database_name  schema_name  grantee    privilege_type  is_grantable
test           s            admin      ALL             true
test           s            root       ALL             true
test           s            testuser   ALL             false
test           s            testuser2  ALL             false

statement ok
ALTER DEFAULT PRIVILEGES REVOKE USAGE ON SCHEMAS FROM testuser, testuser2

statement ok
CREATE SCHEMA s2

query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA s2
----
database_name  schema_name  grantee    privilege_type  is_grantable
test           s2           admin      ALL             true
test           s2           root       ALL             true
test           s2           testuser   CREATE          false
test           s2           testuser2  CREATE          false

statement ok
ALTER DEFAULT PRIVILEGES REVOKE ALL ON SCHEMAS FROM testuser, testuser2

statement ok
CREATE SCHEMA s3

query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA s3
----
database_name  schema_name  grantee  privilege_type  is_grantable
test           s3           admin    ALL             true
test           s3           root     ALL             true

statement ok
GRANT CREATE ON DATABASE d TO testuser

user testuser
statement ok
USE d

statement ok
ALTER DEFAULT PRIVILEGES FOR ROLE testuser REVOKE ALL ON SCHEMAS FROM testuser, testuser2

statement ok
CREATE SCHEMA s4

# testuser still has CREATE due to "inheriting" it from the parent database.
query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA s4
----
database_name  schema_name  grantee   privilege_type  is_grantable
d              s4           admin     ALL             true
d              s4           root      ALL             true
d              s4           testuser  ALL             true

user root
statement ok
USE d

statement ok
ALTER DEFAULT PRIVILEGES FOR ROLE testuser REVOKE ALL ON SCHEMAS FROM testuser, testuser2

user testuser
statement ok
USE d

statement ok
CREATE SCHEMA s5

# testuser still has CREATE due to "inheriting" it from the parent database.
query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA s5
----
database_name  schema_name  grantee   privilege_type  is_grantable
d              s5           admin     ALL             true
d              s5           root      ALL             true
d              s5           testuser  ALL             true

statement ok
ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO testuser, testuser2

user root

statement ok
CREATE SCHEMA s_72322

# When root creates the table, testuser and testuser2 should not get privileges.
query TTTTB colnames,rowsort
SHOW GRANTS ON SCHEMA s_72322
----
database_name  schema_name  grantee  privilege_type  is_grantable
d              s_72322      admin    ALL             true
d              s_72322      root     ALL             true
