| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: grant with hierarchy option |
| Date: | 2009-11-11 21:14:33 |
| Message-ID: | 1257974073.22025.24.camel@vanquo.pezone.net |
| Lists: | pgsql-hackers |

On Fri, 2009-10-30 at 00:49 -0400, Tom Lane wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > There is a gap in the permission scheme for inheritance setups. Say you
> > have this:
>
> > CREATE TABLE persons (...);
> > CREATE TABLE employees (...) INHERITS (persons);
>
> > GRANT SELECT ON persons TO foo;
>
> > Then user foo can extract who the employees are using
>
> > SELECT * FROM persons EXCEPT SELECT * FROM ONLY persons;
>
> And this is a problem why exactly? It's entirely likely that
> employee-ness can be determined just from what is visible in
> the persons view, anyway. Not to mention tableoid.

Yeah, tableoid is a deal-breaker. But perhaps using ONLY should at
least require SELECT privilege, because it effectively allows you to
select a subset of the table's rows.
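
The exchange above, as an added example that is not part of the original message: a script for checking on a test database what a role holding SELECT only on the parent table can learn about child-table membership. The column definitions and sample rows are constructed, and it assumes a superuser session on a PostgreSQL release where querying a parent table does not require privileges on its children.

```sql
-- Added example, not from the thread. Columns and rows are constructed.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE foo;
CREATE TABLE persons (name text);
CREATE TABLE employees (salary numeric) INHERITS (persons);

INSERT INTO persons   VALUES ('alice');
INSERT INTO employees VALUES ('bob', 50000);

GRANT SELECT ON persons TO foo;

-- foo holds no privilege on the child table itself.
SELECT has_table_privilege('foo', 'persons',   'SELECT') AS can_read_persons,
       has_table_privilege('foo', 'employees', 'SELECT') AS can_read_employees;

SET LOCAL ROLE foo;

-- The query from the message: rows that come from child tables only.
-- Note that a row duplicated in both tables would be hidden by EXCEPT.
SELECT name FROM persons
EXCEPT
SELECT name FROM ONLY persons;

-- The tableoid system column reports the source table of every row
-- directly, with no need for ONLY.
SELECT tableoid::regclass AS source_table, name
FROM persons;

-- Direct access to the child is still refused; the savepoint keeps the
-- expected "permission denied" error from aborting the transaction.
SAVEPOINT direct_access;
SELECT * FROM employees;
ROLLBACK TO SAVEPOINT direct_access;

RESET ROLE;
ROLLBACK;
```

When reviewing grants on an inheritance hierarchy, the second and third queries show what the grantee of the parent table can already distinguish, whatever privileges exist on the children.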