Hello! I'm developing a web application that needs to display data from a postgres backend.
The most convenient way for the app to get the data is by expressing the request in SQL. I'm thinking about the following architecture [ App/Client ] -----> query in SQL ---> [Web server] ---> same SQL query --> [PG database] *********** I would simply use the roles/permssion system inside Postgres to determine what users can do and cannot do. Clients have to authenticate as one of the roles (not superusers) defined in the database. ************ Given this are there any security other issues about letting client applications execute arbitrary SQL commands on the backend database? Thanks.
