Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

From: "Joe Conway" <joe(at)conway-family(dot)com>
To: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal
Date: 2001-06-09 01:28:20
Message-ID: 006301c0f083$77eda960$d7d310ac@jecw2k1
Lists: pgsql-hackers pgsql-patches

> > ISTM the name-based variants will primarily be used for user-entered
> > names, and in that case the user can reasonably expect that a name
> > will be interpreted the same way as if he'd written it out in a query.
>
> That would be correct if the user were actually entering the name in the
> same way, i.e., unquoted or double-quoted.
>
> > The nextval approach is ugly, I'll grant you, but it's also functional.
>
> But it's incompatible with the SQL conventions.
>

Is the concern that the name-based variants of the function should be called
like:

select has_table_privilege(current_user, pg_class, 'insert');
or
select has_table_privilege(current_user, "My Quoted Relname", 'insert');

instead of

select has_table_privilege(current_user, 'pg_class', 'insert');
or
select has_table_privilege(current_user, '"My Quoted Relname"',
'insert');

?

If so, what would be involved in fixing it?

From an end user's perspective, I wouldn't mind the latter syntax, although
the former is clearly more intuitive. But I'd rather have the second form
than nothing (just MHO).

-- Joe
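As an added example, not part of the thread: how the second calling form Joe describes behaves in current PostgreSQL, where the text table argument of has_table_privilege() is parsed like a (possibly schema-qualified) identifier written in a query. It assumes a role named app_user and the tables it creates, which are constructed for the demo.

```sql
-- Added example, not from the thread. Assumes current PostgreSQL semantics
-- for the text form of the table argument, plus a role app_user and the
-- tables below (all constructed here for the demonstration).
CREATE ROLE app_user;
CREATE TABLE plain_table (id int);
CREATE TABLE "My Quoted Relname" (id int);
GRANT INSERT ON "My Quoted Relname" TO app_user;

-- Unquoted names inside the string fold to lower case, exactly as they
-- would if written unquoted in a query: both spellings resolve to
-- plain_table, on which app_user holds no INSERT right.
SELECT has_table_privilege('app_user', 'plain_table', 'insert');   -- f
SELECT has_table_privilege('app_user', 'PLAIN_TABLE', 'insert');   -- f

-- A mixed-case name must carry its double quotes inside the string,
-- mirroring how it would be written in a query.
SELECT has_table_privilege('app_user', '"My Quoted Relname"', 'insert');  -- t

-- Leaving the inner quotes off does not silently answer for some other
-- relation: the string is not a valid unquoted identifier and the call
-- raises an error, so a misquoted check cannot pass by accident.
SELECT has_table_privilege('app_user', 'My Quoted Relname', 'insert');   -- ERROR

-- The same quoting rule applies to schema-qualified names (assuming the
-- tables were created in the default public schema).
SELECT has_table_privilege('app_user', 'public."My Quoted Relname"', 'insert'); -- t
```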
