From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bruno Wolff III <bruno(at)wolff(dot)to> |
Cc: | Adam Witney <awitney(at)sghms(dot)ac(dot)uk>, val(at)webtribe(dot)net, pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: DML Restriction unless through a function |
Date: | 2004-06-30 16:00:44 |
Message-ID: | 9630.1088611244@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Bruno Wolff III <bruno(at)wolff(dot)to> writes:
>> Out of interest, what are the issues?
> You should be able to find a more accurate description in the archives, but
> my memory is that when you run a security definer function in a view
> (this shouldn't apply if it is used as a default for a column in the view) it
> runs with the authority of the view creator ran than the function creator.
That doesn't sound right to me at all. A SECURITY DEFINER function is
self contained --- if we ever failed to execute it as the owning user,
that would be a bug, and I'd be pleased to see an example.
I do recall that if you have a function that is *not* SECURITY DEFINER,
and you use it in a view, it will be invoked as the current user, not as
the view creator which is what some people expect. It's fairly easy to
get around this using SECURITY DEFINER, so it's unlikely that we'll
change it ...
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Joe Maldonado | 2004-06-30 16:08:57 | Re: query failing with out of memory error message. |
Previous Message | Richard Huxton | 2004-06-30 15:56:58 | Re: substring syntax with regexp |