| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | t(dot)b(dot)rijpma(at)student(dot)tudelft(dot)nl |
| Cc: | pgsql-novice(at)postgresql(dot)org |
| Subject: | Re: REVOKE on ALTER USER, DROP USER |
| Date: | 2007-07-08 16:22:58 |
| Message-ID: | 752.1183911778@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
Tjibbe <tjibbe(at)hotmail(dot)com> writes:
> Hello, Is het possible tot REVOKE the ALTER USER command? In such a way tha=
> t users cannot change their password and username? And also cannot delete t=
> hemeself with DROP USER?
Ordinary users (those without superuser or createrole privilege) can't
do any of that except change their own password ... and I don't see a
particularly good argument for preventing them from doing that.
> Now I solve the problem in PHP, to filter de SQL query string behore sendin=
> g to postgresql as follows:
If you're allowing untrusted sources to provide chunks of SQL to be
executed directly, you've got problems far worse than this one.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tjibbe | 2007-07-08 19:36:34 | Re: REVOKE on ALTER USER, DROP USER |
| Previous Message | Tjibbe | 2007-07-08 08:52:37 | REVOKE on ALTER USER, DROP USER |