From: | "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> |
---|---|
To: | "Merlin Moncure" <merlin(dot)moncure(at)rcsonline(dot)com> |
Cc: | <pgadmin-hackers(at)postgresql(dot)org>, <pgadmin-hackers(at)postgresql(dot)org> |
Subject: | Re: prevent users from seeing pl/pgsql code in pgadmin |
Date: | 2005-03-16 22:42:50 |
Message-ID: | E7F85A1B5FF8D44C8A1AF6885BC9A0E472BBE3@ratbert.vale-housing.co.uk |
Lists: | pgadmin-hackers |
> -----Original Message-----
> From: Merlin Moncure [mailto:merlin(dot)moncure(at)rcsonline(dot)com]
> Sent: 16 March 2005 17:20
> To: Dave Page
> Cc: pgadmin-hackers(at)postgresql(dot)org; pgadmin-hackers(at)postgresql(dot)org
> Subject: RE: [pgadmin-hackers] prevent users from seeing pl/pgsql code in pgadmin
>
>
> What about this: do you think pgAdmin should prevent rendering the sql code
> for various database schema objects (but especially functions) if the
> pgAdmin user does not have appropriate access to that object?
>
> For example, if user does not have the 'execute' permission, disable sql
> render of the function object. I think this is pretty reasonable from a
> security standpoint until such time that the server gets this capability.

To be honest I'm not keen to expend time and add to the complexity of
the code to add obscurity (I can't in good conscience call it security)
that is so easily bypassed. This seems kinda like adding an entry
control system to a door next to a large open window.

Regards, Dave.
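
An added example, not part of the original message: an audit script showing that the server itself returns a function's source to a role that lacks EXECUTE on it, so a check made only in the client hides nothing from that role. It assumes a superuser session on a scratch PostgreSQL database; the role `report_user` and the function `secret_calc` are hypothetical names constructed for the demonstration.

```sql
-- Constructed demo objects: report_user and secret_calc are hypothetical.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE report_user NOLOGIN;

CREATE FUNCTION secret_calc(x integer) RETURNS integer
LANGUAGE plpgsql AS $$
BEGIN
    RETURN x * 42;  -- stands in for logic the owner would like hidden
END;
$$;

-- Functions are executable by PUBLIC by default, so remove that grant.
REVOKE EXECUTE ON FUNCTION secret_calc(integer) FROM PUBLIC;

-- Act as the unprivileged role for the rest of the transaction.
SET LOCAL ROLE report_user;

-- The privilege a client-side check would test: false for this role.
SELECT has_function_privilege('secret_calc(integer)', 'EXECUTE') AS can_execute;

-- The system catalog is readable by every role by default,
-- so the function body comes back regardless of EXECUTE.
SELECT p.proname, p.prosrc
FROM pg_catalog.pg_proc AS p
WHERE p.oid = 'secret_calc(integer)'::regprocedure;

-- The server-side definition helper returns the full CREATE statement too.
SELECT pg_get_functiondef('secret_calc(integer)'::regprocedure);

ROLLBACK;  -- discards the role and the function
```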