On 31.12.2012 at 22:18, Adrian Klaver wrote:

> On 12/31/2012 09:02 AM, Philipp Kraus wrote:
>>
>> On 31.12.2012 at 15:54, Adrian Klaver wrote:
>>
>>> On 12/31/2012 05:41 AM, Philipp Kraus wrote:
>>>>
>>>> On 31.12.2012 at 02:11, Adrian Klaver wrote:
>>>>
>>>>>
>>>>> Actually as of 9.0 that is not strictly true:
>>>>> http://www.postgresql.org/docs/9.2/interactive/sql-alterdefaultprivileges.html
>>>>
>>>> I have created a view to access a table and rules to modify the
>>>> base table. The table has got a trigger.
>>>> If I run an update on the view, I get an error "permission denied"
>>>> for the trigger call. My user modifies
>>>> only the "view", so does the user also get access to the trigger
>>>> (execution right)? IMHO the trigger is run
>>>> by Postgres itself, so the user doesn't need a right on the trigger.
>>>
>>> Was the error for the trigger or the function the trigger called?
>>
>> ERROR: permission denied for schema usermanagement
>>
>> usermanagement is a schema and the base table calls a function within
>> this schema; this
>> checks if the user is super user with
>>
>> select current_setting('is_superuser') = 'on' into l_issuper;
>
> So the issue was that the user calling the function did not have access to
> the schema usermanagement. It is also possible the user did not have EXECUTE
> privileges on the function either. From your subsequent post I see you
> discovered SECURITY DEFINER. This works, as you found out. Just be aware
> that if the user that defined the function is a super user the function has
> their privileges and all that implies.

At the moment I create a test database with 2 users; one of these users is a
super user, but later IMHO it can be a security issue. The working user cannot
see or modify the function. Do you have a tip for a good secure solution?
My first idea is that I create all database structure with a user which is
later not a super user, so I remove the super user role.

Thanks

Phil
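
Added example, not part of the original thread: one least-privilege layout for the setup discussed above, in which a non-superuser role owns the schemas, the base table and a SECURITY DEFINER trigger function, and the working user is granted only the view. Only the schema name usermanagement comes from the thread; the role names (app_owner, app_user) and the table, view, rule and function names are hypothetical.

```sql
-- Added example: role, table and function names are hypothetical; only the
-- schema name usermanagement is from the thread.
-- As a superuser, once: create non-superuser roles and hand over ownership.
CREATE ROLE app_owner LOGIN NOSUPERUSER;
CREATE ROLE app_user  LOGIN NOSUPERUSER;
CREATE SCHEMA app            AUTHORIZATION app_owner;
CREATE SCHEMA usermanagement AUTHORIZATION app_owner;

-- Everything below is created by, and therefore owned by, app_owner.
SET ROLE app_owner;

CREATE TABLE app.account (id serial PRIMARY KEY, name text NOT NULL);
CREATE TABLE usermanagement.audit_log (
    who        text        NOT NULL,
    account_id integer     NOT NULL,
    logged_at  timestamptz NOT NULL DEFAULT now());

-- SECURITY DEFINER: the body runs as the function owner (app_owner), so the
-- caller needs no privileges on schema usermanagement. search_path is pinned
-- so names in the body cannot resolve to objects the caller created.
CREATE FUNCTION usermanagement.log_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = usermanagement, pg_temp AS $$
BEGIN
    -- session_user is the login role; current_user is app_owner in here.
    INSERT INTO audit_log (who, account_id) VALUES (session_user, NEW.id);
    RETURN NULL;  -- the return value is ignored for AFTER ROW triggers
END;
$$;

CREATE TRIGGER account_log AFTER INSERT OR UPDATE ON app.account
    FOR EACH ROW EXECUTE PROCEDURE usermanagement.log_change();

-- The view plus its rule is the only surface the working user is granted.
CREATE VIEW app.account_v AS SELECT id, name FROM app.account;
CREATE RULE account_v_upd AS ON UPDATE TO app.account_v DO INSTEAD
    UPDATE app.account SET name = NEW.name WHERE id = OLD.id;

GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, UPDATE ON app.account_v TO app_user;

RESET ROLE;

-- Check: list SECURITY DEFINER functions whose owner is a superuser.
SELECT n.nspname, p.proname, r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.prosecdef AND r.rolsuper;
```

The final query is a review aid: any row it returns is a function that runs with superuser rights for whoever can invoke it.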