Hi,

> Could you please advise or give some hint on what is the correct (and
> secure) way to implement this?
>
> Currently I use the owner of the extension as owner when creating
> such a table inside the function, but maybe there are some pitfalls
> in this kind of solution?

If the goal is to protect the user from _accidental_ access to the
tables, placing them into a separate schema _my_extension_private or
something will be enough. Otherwise consider using the corresponding
access control abilities of PostgreSQL and creating functions with
SECURITY DEFINER [1]. Be mindful that your functions will become a
target for privilege escalation, so you should be extra careful with
the implementation.

[1]: https://www.postgresql.org/docs/current/sql-createfunction.html

--
Best regards,
Aleksander Alekseev
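
The following is an added example, not part of the original message or of any extension's code: a SECURITY DEFINER function that creates tables in a private schema, hardened along the lines the reply warns about. The schema name follows the reply; the function name `create_user_table`, the table columns, and the role `app_user` (assumed to exist already) are hypothetical.

```sql
-- Added illustration; all object and role names are hypothetical.
-- Run as the role that should own the private tables (e.g. the extension owner).
BEGIN;

-- Private schema: only the owner can look up or create objects in it.
CREATE SCHEMA my_extension_private;
REVOKE ALL ON SCHEMA my_extension_private FROM PUBLIC;

CREATE FUNCTION create_user_table(p_name text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so the caller's schemas cannot shadow functions or
-- operators used in the body; pg_temp is listed last on purpose.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Allowlist the identifier instead of trusting caller input.
    IF p_name IS NULL OR p_name !~ '^[a-z_][a-z0-9_]{0,40}$' THEN
        RAISE EXCEPTION 'invalid table name'
            USING ERRCODE = 'invalid_parameter_value';
    END IF;

    -- Schema-qualify the target and quote the name with %I, so the
    -- caller controls neither where the table lands nor the SQL text.
    EXECUTE format(
        'CREATE TABLE my_extension_private.%I (
             id      bigint PRIMARY KEY,
             payload jsonb
         )',
        p_name
    );
END;
$$;

-- Functions are executable by PUBLIC by default; remove that in the same
-- transaction so the function is never callable by everyone.
REVOKE ALL ON FUNCTION create_user_table(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION create_user_table(text) TO app_user;

COMMIT;
```

Tables created this way are owned by the function's owner, so `app_user` can request a table but cannot read or alter it without a separate grant or another narrowly scoped function.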