Re: Problem with delete trigger: how to allow only triggers to delete a row?

From: "Christopher Maier" <maier(at)med(dot)unc(dot)edu>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Alvaro Herrera" <alvherre(at)commandprompt(dot)com>, aklaver(at)comcast(dot)net, pgsql-sql(at)postgresql(dot)org
Subject: Re: Problem with delete trigger: how to allow only triggers to delete a row?
Date: 2008-10-10 21:16:28
Message-ID: 854DA6EE-0C09-4410-89E0-0EFF3DBB3BB3@med.unc.edu
Lists: pgsql-sql


On Oct 10, 2008, at 4:53 PM, Tom Lane wrote:

> Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
>> Looks like you should revoke DELETE privilege from plain users, and
>> have your delete trigger be a security definer function. There would be
>> another security definer function to delete non-deduced rows which users
>> can call directly.
>
> That seems overly complicated to use.
>
> If the triggers that are privileged to delete deduced rows run as a
> special user, couldn't the validation triggers look at CURRENT_USER
> to see whether to allow the delete of a deduced row or not?
>
> regards, tom lane

That sounds like the best approach, Tom. I've already implemented
Alvaro's suggestion, which works nicely. It should be a simple matter
to add in the current_user check. I'll give that a whirl and see how
it goes.

Thanks for all the great suggestions, everyone.

Chris
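The following is an added worked example of the scheme discussed in this thread (Alvaro's revoke-plus-SECURITY-DEFINER layout combined with Tom's CURRENT_USER check); it is not code from any of the participants. The table `facts`, its `deduced` column, and the roles `deducer`, `fact_editor` and `app_user` are assumed names. It relies on one PostgreSQL property that makes the check work: inside a SECURITY DEFINER function, `current_user` reports the function's owner while `session_user` still reports the login role, so a BEFORE DELETE trigger can tell whether the delete arrived through the privileged path.

```sql
-- Assumed roles: "deducer" owns the deduction machinery, "fact_editor" owns the
-- user-facing delete function, "app_user" is an ordinary login.
CREATE ROLE deducer NOLOGIN;
CREATE ROLE fact_editor NOLOGIN;
CREATE ROLE app_user LOGIN;

-- Assumed table: rows are either entered by users or deduced by triggers.
CREATE TABLE facts (
    id      serial  PRIMARY KEY,
    payload text    NOT NULL,
    deduced boolean NOT NULL DEFAULT false
);

-- Plain users can read and insert but never DELETE directly (Alvaro's point).
GRANT SELECT, INSERT ON facts TO app_user;
GRANT USAGE, SELECT ON SEQUENCE facts_id_seq TO app_user;
-- Only the two service roles may delete at all.
GRANT SELECT, DELETE ON facts TO deducer, fact_editor;

-- Validation trigger (Tom's point): a deduced row may be deleted only while the
-- effective user is "deducer", whatever role actually started the session.
CREATE OR REPLACE FUNCTION facts_guard_delete() RETURNS trigger AS $$
BEGIN
    IF OLD.deduced AND current_user <> 'deducer' THEN
        RAISE EXCEPTION 'deduced row % may only be deleted by the deduction code (session user %)',
            OLD.id, session_user;
    END IF;
    RETURN OLD;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER facts_guard_delete
    BEFORE DELETE ON facts
    FOR EACH ROW EXECUTE PROCEDURE facts_guard_delete();

-- Privileged path: owned by "deducer", so inside it current_user = 'deducer'
-- and the guard trigger lets deduced rows through. Meant to be called from the
-- deduction triggers, not by users, hence no EXECUTE grant beyond the owner.
CREATE OR REPLACE FUNCTION retract_deduced(p_id integer) RETURNS void AS $$
BEGIN
    DELETE FROM facts WHERE id = p_id AND deduced;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp;
ALTER FUNCTION retract_deduced(integer) OWNER TO deducer;
REVOKE ALL ON FUNCTION retract_deduced(integer) FROM PUBLIC;

-- User-facing path: owned by "fact_editor", so current_user = 'fact_editor'
-- inside it. The WHERE clause already excludes deduced rows, and even if it did
-- not, the guard trigger would still block them because the owner is not "deducer".
CREATE OR REPLACE FUNCTION delete_fact(p_id integer) RETURNS boolean AS $$
DECLARE
    n integer;
BEGIN
    DELETE FROM facts WHERE id = p_id AND NOT deduced;
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n > 0;   -- true when a non-deduced row was removed
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp;
ALTER FUNCTION delete_fact(integer) OWNER TO fact_editor;
REVOKE ALL ON FUNCTION delete_fact(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION delete_fact(integer) TO app_user;
```

To check the three outcomes as `app_user`: a direct `DELETE FROM facts WHERE id = 1` fails with "permission denied for relation facts"; `SELECT delete_fact(1)` removes the row only if `deduced` is false and returns false otherwise; and a `SELECT retract_deduced(1)` fails with "permission denied for function" since EXECUTE was never granted. The `SET search_path` clause on both SECURITY DEFINER functions is the standard precaution against a caller shadowing `facts` with a same-named object in a schema that sorts earlier on the path; it is not part of the thread's suggestion but belongs on any function that runs with elevated rights.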
