Re: search_path vs extensions

On Fri, May 29, 2009 at 7:53 PM, Greg Stark <stark(at)enterprisedb(dot)com> wrote:
> On Fri, May 29, 2009 at 11:18 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>>
>> Good point.  But maybe there's some way of getting some kind of
>> behavior that is closer to lexical scoping/early binding?  Because the
>> way it works right now has lousy security implications, beyond being
>> difficult for search_path management.  Assign a search path to a
>> schema, that applies to views and functions defined therein?
>> *brainstorming*
>
> Well we already set search_path locally in SECURITY DEFINER functions.
> Normal functions run with the credentials of the caller so that's not
> an issue.

Maybe not for security, but certainly it is for correctness.

> But if a SECURITY DEFINER function calls another function that other
> function will inherit the credentials of the caller so it must inherit
> the search path of the caller as well. So that has to be dynamically
> scoped.
>
> I'm beginning to understand why Oracle programmers are accustomed to
> setting SECURITY DEFINER everywhere. I think Oracle also knows to
> treat such code as lexically scoped and can bind references when
> loading such code.

Uh... if I'm understanding you correctly, then I'm really hoping we
engineer a better solution for PostgreSQL.

...Robert