| From: | Chris Travers <chris(at)travelamericas(dot)com> |
|---|---|
| To: | pgsql-sql(at)postgresql(dot)org |
| Subject: | SECURITY DEFINER changes CURRENT_USER? |
| Date: | 2003-07-20 05:07:34 |
| Message-ID: | 3F1A2396.4050907@travelamericas.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
Hi all;
I found an unexpected behavior while trying to write a function to allow
users to change their own passwords. The function is as follows:
CREATE OR REPLACE FUNCTION change_password(VARCHAR)
RETURNS BOOL AS '
DECLARE
username VARCHAR;
CMD VARCHAR;
password ALIAS FOR $1;
BEGIN
SELECT INTO username CURRENT_USER;
CMD := ''ALTER USER '' || username || '' WITH PASSWORD '';
CMD := CMD || '''''''' || password || '''''''';
EXECUTE CMD;
RETURN TRUE;
end;
' LANGUAGE 'plpgsql' VOLATILE SECURITY DEFINER
I would expect this to change the password of the user currently logged
in but instead it changes MY password. Evidently when a function is
called which is set to SECURITY DEFINER, it changes the context of the
current user. The CURRENT_USER then returns the name of the definer
rather than the invoker of the function.
So this being said-- are there any workarounds that don't allow anyone
to change anyone else's password?
Best Wishes,
Chris Travers
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephan Szabo | 2003-07-20 06:11:34 | Re: min() and NaN |
| Previous Message | Tom Lane | 2003-07-20 04:54:26 | Re: Why do the two queries below return different results? |