
Re: DML Restriction unless through a function

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Adam Witney <awitney(at)sghms(dot)ac(dot)uk>, val(at)webtribe(dot)net,pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: DML Restriction unless through a function
Date: 2004-06-30 16:00:44
Message-ID: 9630.1088611244@sss.pgh.pa.us
Lists: pgsql-general

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
>> Out of interest, what are the issues?

> You should be able to find a more accurate description in the archives, but
> my memory is that when you run a security definer function in a view
> (this shouldn't apply if it is used as a default for a column in the view) it
> runs with the authority of the view creator rather than the function creator.

That doesn't sound right to me at all.  A SECURITY DEFINER function is
self contained --- if we ever failed to execute it as the owning user,
that would be a bug, and I'd be pleased to see an example.

I do recall that if you have a function that is *not* SECURITY DEFINER,
and you use it in a view, it will be invoked as the current user, not as
the view creator which is what some people expect.  It's fairly easy to
get around this using SECURITY DEFINER, so it's unlikely that we'll
change it ...

			regards, tom lane
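
The behaviour described in the message above, as an added example that is not part of the original post: three views over the same table, one referencing it directly, one through a plain function, and one through a SECURITY DEFINER function. The roles, schema, table, function and view names are all constructed for illustration.

```sql
-- Run as a superuser in a scratch database. All names are constructed.
CREATE ROLE app_owner;
CREATE ROLE app_reader;
CREATE SCHEMA secdef_demo AUTHORIZATION app_owner;

SET ROLE app_owner;
CREATE TABLE secdef_demo.accounts (id int PRIMARY KEY, balance numeric);
INSERT INTO secdef_demo.accounts VALUES (1, 100), (2, 250);

-- Default (SECURITY INVOKER): the body runs as whoever issues the query.
CREATE FUNCTION secdef_demo.total_invoker() RETURNS numeric
  LANGUAGE plpgsql STABLE AS
$$ BEGIN RETURN (SELECT sum(balance) FROM secdef_demo.accounts); END $$;

-- SECURITY DEFINER: the body runs as the function owner (app_owner).
-- Pin search_path so a caller cannot redirect the unqualified name below.
CREATE FUNCTION secdef_demo.total_definer() RETURNS numeric
  LANGUAGE plpgsql STABLE SECURITY DEFINER
  SET search_path = secdef_demo, pg_temp AS
$$ BEGIN RETURN (SELECT sum(balance) FROM accounts); END $$;

-- EXECUTE is granted to PUBLIC by default; restrict the definer function.
REVOKE EXECUTE ON FUNCTION secdef_demo.total_definer() FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION secdef_demo.total_definer() TO app_reader;

CREATE VIEW secdef_demo.v_table   AS
  SELECT sum(balance) AS total FROM secdef_demo.accounts;
CREATE VIEW secdef_demo.v_invoker AS SELECT secdef_demo.total_invoker() AS total;
CREATE VIEW secdef_demo.v_definer AS SELECT secdef_demo.total_definer() AS total;

GRANT USAGE ON SCHEMA secdef_demo TO app_reader;
GRANT SELECT ON secdef_demo.v_table, secdef_demo.v_invoker, secdef_demo.v_definer
  TO app_reader;                 -- deliberately no grant on accounts itself
RESET ROLE;

SET ROLE app_reader;
-- Direct table reference in a view: privileges are checked as the view owner.
SELECT * FROM secdef_demo.v_table;
-- SECURITY DEFINER function in a view: the body executes as app_owner.
SELECT * FROM secdef_demo.v_definer;
-- Plain function in a view: the body executes as app_reader, who holds no
-- privilege on accounts, so this statement is rejected.
SELECT * FROM secdef_demo.v_invoker;
RESET ROLE;

DROP SCHEMA secdef_demo CASCADE;
DROP ROLE app_owner, app_reader;
```

Run it with psql outside a transaction block, so the rejected statement does not abort the cleanup that follows.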
