| From: | Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | jwieck(at)debis(dot)com |
| Cc: | jwieck(at)debis(dot)com, darcy(at)druid(dot)net, pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Re: [HACKERS] Table permissions problem |
| Date: | 1998-08-13 15:26:06 |
| Message-ID: | 199808131526.LAA17987@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> > Would that solve the problem? Maybe not because you would have to rip
> > apart the plan, wouldn't you?
> >
> > --
> > Bruce Momjian | 830 Blythe Avenue
>
> I checked it. It's all already there. The rewrite handler
> checks for all the range table entries he adds to the query,
> if the rule owner has the appropriate permissions
> (read/write). And it sets the skipAcl field for these rte's
> so the executor later will ignore them.
>
> The only thing missing is that CREATE VIEW and CREATE RULE
> require write access to pg_rewrite (create view does a create
> table and create rule internally). But we cannot grant write
> access on pg_rewrite to looser users. So I think a global
> variable, turning off the whole ACL system temporary, would
> do.
I understand. We don't have APPEND rights separate from MODIFY rights.
Actually, I think they are defined in the system, but not used. We have
a similar problem with pg_database. People who can create databases can
remove other database entries from pg_database.
--
Bruce Momjian | 830 Blythe Avenue
maillist(at)candle(dot)pha(dot)pa(dot)us | Drexel Hill, Pennsylvania 19026
+ If your life is a hard drive, | (610) 353-9879(w)
+ Christ can be your backup. | (610) 853-3000(h)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 1998-08-13 15:26:47 | Re: [HACKERS] HELP all women were raped during the May riots in Jakarta |
| Previous Message | Jan Wieck | 1998-08-13 15:21:26 | Re: [HACKERS] tuple return from function |