From: | antonov(at)stdpr(dot)ru |
---|---|
To: | pgsql-docs(at)postgresql(dot)org |
Subject: | "$user" and SESSION_USER and CURRENT_USER |
Date: | 2018-12-20 15:38:26 |
Message-ID: | 159151fb45d490c8d31ea9707e9ba99d@stdpr.ru |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs |
hi,
sorry for my message. I'm tiny confused about the next one. could you
help me?:
here -- https://www.postgresql.org/docs/11/runtime-config-client.html
there is the text """If one of the list items is the special name $user,
then the schema having the name returned by SESSION_USER is substituted,
if there is such a schema and the user has USAGE permission for it. (If
not, $user is ignored.)""".
but actualy "$user" substitutes CURRENT_USER-value (not
SESSION_USER-value).
it's good because it would be a SECURITY VULNERABILITY if "$user"
substituted SESSION_USER-value (in conjunction with security definer
functions).
in case of CURRENT_USER-value we have no the vulnerable. which is good
:-)
but is there error in documentation text (runtime-config-client.html) ,
isn't?
thank you in advance.
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2018-12-20 18:42:32 | Re: "$user" and SESSION_USER and CURRENT_USER |
Previous Message | PG Doc comments form | 2018-12-19 19:52:57 | Need clarification on how to extract or compare numeric values enclosed in jsonb |