| From: | Álvaro Herrera <alvherre(at)kurilemu(dot)de> |
|---|---|
| To: | Dominique Devienne <ddevienne(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Guillaume Lelarge <guillaume(dot)lelarge(at)dalibo(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function |
| Date: | 2025-07-31 16:18:37 |
| Message-ID: | 202507311618.t7vdkwzigntv@alvherre.pgsql |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 2025-Jul-31, Dominique Devienne wrote:
> But also, it's weird DELETE allows you to delete all rows.
> Yet prevents you from deleting just one, i.e. a subset.
But you don't know what you deleted, so you cannot exfiltrate useful
info by repeatedly deleting with varying WHERE values. I suspect that
you aren't able to use DELETE RETURNING either, unless you have SELECT
privs.
> I get it, a WHERE needs to read, so needs SELECT.
Right.
--
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
"El destino baraja y nosotros jugamos" (A. Schopenhauer)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christoph Moench-Tegeder | 2025-08-01 18:35:26 | Re: Failing to allocate memory when I think it shouldn't |
| Previous Message | Dominique Devienne | 2025-07-31 15:59:42 | Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function |