| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | Dominique Devienne <ddevienne(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Yet more ROLE changes in v18 beta1??? |
| Date: | 2025-06-05 00:52:01 |
| Message-ID: | 793a7752e64b95d267f73e1e4ee6c12c620da5dd.camel@cybertec.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, 2025-06-04 at 18:42 +0200, Dominique Devienne wrote:
> On Wed, Jun 4, 2025 at 5:34 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Dominique Devienne <ddevienne(at)gmail(dot)com> writes:
> > > In any case, if anyone else knows about changes in this area, I'm interested.
> >
> > Digging through the commit log didn't find much, but conceivably
> >
> > https://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=01463e1cc
> > Ensure that AFTER triggers run as the instigating user.
>
> Thanks Tom. We don't drop ROLEs in trigger (yet, we'll get there).
> So that particular commit is probably not the reason.
> Thanks a bunch for looking into it. --DD
That change is not about dropping roles, but:
- before, if you had a deferred constraint trigger that was triggered while
you temporarily assumed a different role (e.g., the DML statement is executed
in a SECURITY DEFINER function), the trigger was executed as the current user
at commit time
- from v18 on, the trigger gets executed as the user that ran the DML statement
I would be somewhat surprised if you hit this rather exotic case that went
unnoticed for many years, but it is possible.
Do you have deferred constraint triggers?
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Laurenz Albe | 2025-06-05 01:01:34 | Re: LOCALE C.UTF-8 on EDB Windows v17 server |
| Previous Message | Adrian Klaver | 2025-06-05 00:30:42 | Re: Yet more ROLE changes in v18 beta1??? |