| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | "Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com> |
| Cc: | "'Trevor Talbot'" <quension(at)gmail(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Kris Jurka <books(at)ejurka(dot)com>, Merlin Moncure <mmoncure(at)gmail(dot)com>, "Jonah H(dot) Harris" <jonah(dot)harris(at)gmail(dot)com>, Bill Moran <wmoran(at)collaborativefusion(dot)com>, pgsql-performance(at)postgresql(dot)org |
| Subject: | Re: viewing source code |
| Date: | 2007-12-20 18:29:52 |
| Message-ID: | 20071220182952.GB10849@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-performance |
Roberts, Jon escribió:
> So your suggestion is first to come up with a query that dynamically checks
> permissions and create a view for it. Secondly, change pgAdmin to reference
> this view in place of pg_proc. Actually, it should be extended to all
> objects in the database, not just pg_proc. If you don't have this
> dictionary role, you shouldn't be able to look at any of the objects in the
> database unless you own the object or have been granted rights to the
> object.
Right.
Another thing that just occured to me was to rename pg_proc to something
else, and create the restricted view using the pg_proc name. This
sounds dangerous in terms of internals, but actually the system catalogs
are invoked by OID not name, so maybe it will still work.
You do need to make sure that superusers continue to see all functions
though ... (the view test should really be "does the current user have
access to this function".)
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Trevor Talbot | 2007-12-20 18:47:53 | Re: viewing source code |
| Previous Message | Merlin Moncure | 2007-12-20 18:03:54 | Re: viewing source code |