Helge Bahmann (bahmann(at)math(dot)tu-freiberg(dot)de) reports a bug with a severity of 2
The lower the number the more severe it is.
wrong permissions for triggers invoked by rewrite rules
Rewritten queries are normally executed with the permissions of the creator of the rewrite rule. However, triggers invoked by the rewritten query are not executed with the new permissions.
-- as user 'user1':
create table table1(id int);
create table table2(id int);
create function foo() returns opaque as 'begin
insert into table2 values(new.id);
end;' language 'plpgsql';
create trigger bar before insert on table2 for each row execute procedure foo();
create view view1 as select * from table1;
create rule view1_ins as on insert to view1 do instead insert into table1 values(new.id);
grant insert, select on view1 to user2;
-- as user 'user2':
insert into view1 values(1);
-- fails with: ERROR: table2: Permission denied.
No file was uploaded with this report
pgsql-bugs by date
|Next:||From: pgsql-bugs||Date: 2000-08-25 19:28:54|
|Subject: duplicated rows on update when client dies|
|Previous:||From: pgsql-bugs||Date: 2000-08-25 08:56:02|
|Subject: Invalid PG_PWD|