On Sat, Dec 03, 2011 at 01:26:22AM +0100, Andres Freund wrote: > On Saturday, December 03, 2011 01:09:48 AM Alvaro Herrera wrote: > > Excerpts from Andres Freund's message of vie dic 02 19:09:47 -0300 2011: > > > Hi all, > > > > > > There is also the point about how permission checks on the actual > > > commands (in comparison of modifying command triggers) and such are > > > handled: > > > > > > BEFORE and INSTEAD will currently be called independently of the fact > > > whether the user is actually allowed to do said action (which is > > > inconsistent with data triggers) and indepentent of whether the object > > > they concern exists. > > > > > > I wonder if anybody considers that a problem? > > > > Hmm, we currently even have a patch (or is it already committed?) to > > avoid locking objects before we know the user has permission on the > > object. Getting to the point of calling the trigger would surely be > > even worse. > Well, calling the trigger won't allow them to lock the object. It doesn't > even > confirm the existance of the table. > didn't I see a discussion in passing about the possibility of using these command triggers to implement some aspects of se-pgsql? In that case, you'd need the above behavior.
Ross -- Ross Reedstrom, Ph.D. reeds...@rice.edu Systems Engineer & Admin, Research Scientist phone: 713-348-6166 Connexions http://cnx.org fax: 713-348-3665 Rice University MS-375, Houston, TX 77005 GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0 BEDE -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
