On Thu, 14 Oct 2021 at 09:11, Robert Haas <robertmh...@gmail.com> wrote:
> > According to https://www.postgresql.org/docs/current/sql-createview.html > it always works like that: "Access to tables referenced in the view is > determined by permissions of the view owner. In some cases, this can > be used to provide secure but restricted access to the underlying > tables." > > Hmm, unless that rule is only being applied for *tables* and not for > *functions*? I guess that could be true, but if so, it sure seems > inconsistent. > Yes, I think this has come up before. It seems obvious to me that a view should execute entirely in the context of its owner. I should be able to use functions to define view columns without requiring that access to those functions be handed out to users of the view. I feel this might relate to the discussion of triggers, which I claim should execute in the context of the table owner (or maybe the trigger owner, if that were a separate concept). There are lots of triggers one might want to write that cannot be written because they execute in the context of the user of the table; my recollection is that it is harder to find examples of non-malware triggers that depend on executing in the context of the user of the table.
