pub fn stale_grant_revocations(
current: &[ObjectGrant],
desired: &BTreeSet<(String, String)>,
protected: &BTreeSet<(String, String)>,
target: &GrantTargetSpecification<Raw>,
) -> Vec<RevokePrivilegesStatement<Raw>>Expand description
Compute REVOKE statements for grants that exist in current but not in
desired and not in protected (3-way set difference).
Grantee names are lowercased and privilege types uppercased before comparison so that catalog casing differences don’t cause spurious revocations.
protected contains grants that should never be revoked (e.g., grants
originating from ALTER DEFAULT PRIVILEGES).