| From: | "Gaetano Mendola" <gmendola(at)mbigroup(dot)it> |
|---|---|
| To: | <pgsql-hackers(at)postgresql(dot)org> |
| Cc: | "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Subject: | Re: Problem with function permission test in a view |
| Date: | 2003-09-11 22:28:21 |
| Message-ID: | 003101c378b4$09ec3fb0$0f02c9d9@mm.eutelsat.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us> wrote:
> Tom Lane wrote:
> > Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > > Someone asked me a question about view and function permissions. I
> > > assumed all object access done by a view would be based on the
> > > permissions on the view, and not the permissions of the objects.
> >
> > Table references are checked according to the owner of the view, but use
> > in a view does not change the execution context for function or operator
> > calls. This is how it's always been done.
> >
> > > Is this a bug?
> >
> > Changing it would be a major definitional change (and a pretty major
> > implementation change too). It might be better, but please don't
> > pre-judge the issue by labeling it a bug.
>
> Well, it sure sounds like a bug. What logic is there that table access
> use the view permissions, but not function access? Could we just use
> SECURITY DEFINER for function calls in views?
I already had this problem, look here:
and I had no reply :-(
Regards
Gaetano Mendola
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2003-09-11 22:33:58 | Re: massive quotes? |
| Previous Message | Tom Lane | 2003-09-11 22:25:32 | Re: Another small bug (pg_autovacuum) |