Re: Should we get rid of custom_variable_classes altogether?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Should we get rid of custom_variable_classes altogether?
Date: 2011-10-03 14:41:48
Message-ID: 15021.1317652908@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> On 10/03/2011 10:17 AM, Tom Lane wrote:
>> Right. Getting rid of custom_variable_classes should actually make
>> those use-cases easier, since it will eliminate a required setup step.

> So are we going to sanction using this as a poor man's session variable
> mechanism?

People already are doing that, sanctioned or not.

> If so maybe we should at least warn that anything set will be accessible
> by all roles, so security definer functions for example should be wary
> of trusting such values.

Since it's not documented anywhere, I'm not sure where we'd put such
a warning. I think anyone bright enough to think of such a hack should
be able to see the potential downsides, anyway.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Dimitri Fontaine 2011-10-03 14:54:36 Re: [v9.2] DROP statement reworks
Previous Message Andrew Dunstan 2011-10-03 14:41:11 Re: SPI_processed is not set for COPY statement