| From: | walther(at)technowledgy(dot)de |
|---|---|
| To: | Erik Wienhold <ewie(at)ewie(dot)name>, Dominique Devienne <ddevienne(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: DEFINER / INVOKER conundrum |
| Date: | 2023-04-04 05:55:25 |
| Message-ID: | f82f70fd-665f-6384-5e8a-987ab9e640d3@technowledgy.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Erik Wienhold:
> A single DEFINER function works if you capture current_user with a parameter
> and default value. Let's call it claimed_role. Use pg_has_role[0] to check
> that session_user has the privilege for claimed_role (in case the function is
> called with an explicit value), otherwise raise an exception.
>
> Connect as postgres:
>
> CREATE FUNCTION f(claimed_role text default current_user)
> RETURNS TABLE (claimed_role text, curr_user text, sess_user text)
> SECURITY DEFINER
> LANGUAGE sql
> $$ SELECT claimed_role, current_user, session_user $$;
For me, checking whether session_user has the privilege for claimed_role
is not enough, so I add a DOMAIN to the mix:
CREATE DOMAIN current_user_only AS NAME CHECK (VALUE = CURRENT_USER);
CREATE FUNCTION f(calling_user current_user_only DEFAULT CURRENT_USER)
...
SECURITY DEFINER;
This works, because the domain check is evaluated in the calling context.
Best,
Wolfgang
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Erik Wienhold | 2023-04-04 08:46:49 | Re: DEFINER / INVOKER conundrum |
| Previous Message | houzj.fnst@fujitsu.com | 2023-04-04 03:21:44 | RE: Support logical replication of DDLs |