
Re: Reimplementing permission checks for rules

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Reimplementing permission checks for rules
Date: 2000-09-27 14:41:38
Lists: pgsql-hackers
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Tom Lane writes:
>> What I'm thinking about doing is eliminating the "skipAcl" RTE field
>> and instead adding an Oid field named something like "checkAclAs".
>> The semantics of this field would be "if zero, check access permissions
>> for this table using the current effective userID; but if not zero,
>> check access permissions as if you are this userID".  Then the rule
>> rewriter would do no access permission checks of its own, but would
>> set this field appropriately in RTEs that it adds to queries.  All the
>> actual permissions checking would happen in one place in the executor.

> I like it.

OK.  BTW, what is the status of the changeover you proposed re using
OIDs instead of int4 userids as the unique identifiers for users?
In other words, should my field be type Oid or type int4?

			regards, tom lane
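
A minimal C model of the "checkAclAs" semantics proposed in the quoted text, added here as an illustration; it is not PostgreSQL source or code from this thread. The ToyRTE type, the toy_* functions, the user IDs (100, 200, 300) and the grant table are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
typedef unsigned int Oid;

/* Toy range-table entry: only the field the proposal discusses. */
typedef struct {
    const char *relname;
    Oid checkAclAs;      /* 0 = check as the current effective user */
} ToyRTE;

/* Constructed ACL: (relation, user allowed to read it). */
typedef struct { const char *relname; Oid grantee; } ToyGrant;
static const ToyGrant toy_acl[] = {
    { "emp_view", 100 }, { "emp", 100 },   /* user 100 owns both */
    { "emp_view", 200 },                   /* user 200 may read only the view */
};

static bool toy_has_select(const char *relname, Oid user)
{
    for (size_t i = 0; i < sizeof toy_acl / sizeof toy_acl[0]; i++)
        if (toy_acl[i].grantee == user && strcmp(toy_acl[i].relname, relname) == 0)
            return true;
    return false;
}

/* The one executor-side check: choose the identity per RTE, then test the ACL. */
bool toy_check_rtable(const ToyRTE *rtable, size_t n, Oid current_user)
{
    for (size_t i = 0; i < n; i++) {
        Oid as = rtable[i].checkAclAs ? rtable[i].checkAclAs : current_user;
        if (!toy_has_select(rtable[i].relname, as))
            return false;
    }
    return true;
}

/* Rewriter side: no checks here, it only tags the RTE it adds with the rule owner. */
size_t toy_expand_view(ToyRTE *out, Oid rule_owner)
{
    out[0] = (ToyRTE){ "emp_view", 0 };       /* named by the user: check as caller */
    out[1] = (ToyRTE){ "emp", rule_owner };   /* added by the rule: check as owner */
    return 2;
}

int main(void)
{
    ToyRTE rt[2];
    size_t n = toy_expand_view(rt, 100);
    return toy_check_rtable(rt, n, 200) ? 0 : 1;   /* 200 reads emp via the view */
}
```

User 200 passes the check through the view but is refused when the base table appears in the range table with checkAclAs left at zero, which is the separation the single executor-side check is meant to enforce.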
