| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | josh(at)agliodbs(dot)com |
| Cc: | Gaetano Mendola <mendola(at)bigfoot(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: problem permission on view |
| Date: | 2004-09-16 22:57:21 |
| Message-ID: | 13421.1095375441@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Josh Berkus <josh(at)agliodbs(dot)com> writes:
> As said, I discussed this with Gaetano on IRC, and am not sure why things are
> set up the way they are. If a user has permission on a view, shouldn't
> that include permission on any functions executed by the view? If not, why
> not?
See prior discussions. The two stumbling blocks I can recall are:
1. Not breaking the ability of functions called by views to tell who the
real user is --- see the filtering in the pg_statistic view for a handy
real-world example. This constrains the possible design solutions.
2. Given the flexibility of the rule rewrite system, it's not unlikely
that a user could find a way to execute any function invoked by a rule
on data of his choosing. This is a bad idea if the function should not
ordinarily be his to call.
(Enlarging on point 2: there are no views. There are only rules, and
any proposed solution has to be cast in terms of what happens with
arbitrary rules.)
I'm not saying we'll never do this, but I am saying that the topic has
been visited before and no one's come up with an acceptable design.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Stark | 2004-09-16 22:57:39 | Re: problem permission on view |
| Previous Message | Gavin Sherry | 2004-09-16 22:48:05 | Re: subtransaction assert failure |