See the SECURITY DEFINER option for CREATE FUNCTION. This way you
don't have to give them create table privileges, but they can still
create a table through your function. You'll need to use EXECUTE to
create a table in pl/pgsql.
On May 27, 2007, at 4:50 PM, CAJ CAJ wrote:
> Had a question on best approach with some security issues around on
> the fly table creation by a user.
>
> I want users to create dynamic tables from the application. This
> means that the user logged in should have create table privileges
> at the database level. Assuming this is a security risk for
> allowing all users to have table creation privileges, is it
> possible to create some sort of trigger to allow the user to create
> table when ready and once it's done revoke it automatically?
>
> What is the best approach conceptual wise and security wise when
> dealing with these situations? The less the user can do on the
> database the better it is?
John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
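
A sketch of the SECURITY DEFINER approach suggested in the reply above, added here as an example and not code from the original thread. The role, schema, and function names (app_owner, app_user, user_tables, create_user_table) and the fixed column layout are assumptions; format() and the function-level SET clause need a PostgreSQL release newer than the ones current when this thread was written.

```sql
-- Run as the non-superuser role app_owner (hypothetical), which will own
-- both the schema and the function. app_user (hypothetical) is the role the
-- application logs in as; it never receives CREATE on any schema.
CREATE SCHEMA user_tables;
GRANT USAGE ON SCHEMA user_tables TO app_user;

CREATE FUNCTION user_tables.create_user_table(p_name text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER                       -- body runs with app_owner's privileges
-- Pin search_path so a caller cannot redirect unqualified names to objects
-- in a schema they control while the function runs with elevated rights.
SET search_path = pg_catalog, pg_temp
AS $fn$
DECLARE
    v_table text;
BEGIN
    -- Accept only a short, conservative identifier; reject everything else.
    IF p_name IS NULL OR p_name !~ '^[a-z][a-z0-9_]{0,30}$' THEN
        RAISE EXCEPTION 'invalid table name: %', p_name;
    END IF;
    v_table := 'u_' || p_name;

    -- Dynamic DDL has to go through EXECUTE in PL/pgSQL. %I quotes the value
    -- as an identifier, so the argument cannot break out of the statement.
    -- The column list is fixed here; the caller only chooses the name.
    EXECUTE format(
        'CREATE TABLE user_tables.%I (id integer PRIMARY KEY, payload text)',
        v_table);

    -- Inside a SECURITY DEFINER function current_user is the owner;
    -- session_user is still the role that actually called the function.
    EXECUTE format(
        'GRANT SELECT, INSERT, UPDATE, DELETE ON user_tables.%I TO %I',
        v_table, session_user);
END;
$fn$;

-- Functions are executable by PUBLIC by default; restrict to the app role.
REVOKE ALL ON FUNCTION user_tables.create_user_table(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION user_tables.create_user_table(text) TO app_user;

-- As app_user:
--   SELECT user_tables.create_user_table('orders_2007');
--   CREATE TABLE user_tables.x (i int);  -- fails: no CREATE on the schema
```

The created tables stay owned by app_owner, so the calling role can read and write rows but cannot alter or drop the table.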