| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | Peter Geoghegan <peter(dot)geoghegan86(at)gmail(dot)com> |
| Cc: | PGSQL Mailing List <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Persistent identifiers for Postgres users |
| Date: | 2010-02-18 22:22:33 |
| Message-ID: | 20100218222233.GH6317@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Peter Geoghegan escribió:
> Hello,
>
> I maintain an app where database users correspond to actual users,
> with privileges granted or denied to each. At the moment, records that
> each user creates are identified as such by a text column that has a
> default value of session_user(). I don't need to tell you that this is
> suboptimal, because db users (as far as I'm aware) lack persistent
> identifiers - names may change, users may be dropped, etc. Also, there
> is no way that I am aware of to fake row level privileges by adding a
> ...AND id NOT IN (SELECT forbidden_department FROM user_priveleges
> WHERE user_id = current_user_id() ) to relevant queries . Actually,
> that approach is probably preferable to actual row level privileges,
> as it allows me to deny access based on a domain-level concept,
> departments.
You could use OIDs as identifiers for roles instead of names, but of
course you don't have any way to know that one of them is dropped.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Bailey | 2010-02-18 22:52:46 | Re: GROUP BY column alias? |
| Previous Message | Eric B. Ridge | 2010-02-18 21:56:56 | Re: GROUP BY column alias? |