I am documenting this behavior in the CREATE VIEW manual page, diff attached.
---------------------------------------------------------------------------

Gaetano Mendola wrote:
> "Bruce Momjian" <[EMAIL PROTECTED]> wrote:
> > Tom Lane wrote:
> > > Bruce Momjian <[EMAIL PROTECTED]> writes:
> > > > Someone asked me a question about view and function permissions. I
> > > > assumed all object access done by a view would be based on the
> > > > permissions on the view, and not the permissions of the objects.
> > >
> > > Table references are checked according to the owner of the view, but use
> > > in a view does not change the execution context for function or operator
> > > calls. This is how it's always been done.
> > >
> > > > Is this a bug?
> > >
> > > Changing it would be a major definitional change (and a pretty major
> > > implementation change too). It might be better, but please don't
> > > pre-judge the issue by labeling it a bug.
> >
> > Well, it sure sounds like a bug. What logic is there that table access
> > use the view permissions, but not function access? Could we just use
> > SECURITY DEFINER for function calls in views?
>
> I already had this problem, look here:
>
> http://groups.google.it/groups?q=postgres+security+definer+gaetano+mendola&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=b711hu%241g25%241%40news.hub.org&rnum=1
>
> and I had no reply :-(
>
> Regards
> Gaetano Mendola
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])
>

--
  Bruce Momjian                    | http://candle.pha.pa.us
  [EMAIL PROTECTED]                | (610) 359-1001
  + If your life is a hard drive,  | 13 Roberts Road
  + Christ can be your backup.     | Newtown Square, Pennsylvania 19073

Index: doc/src/sgml/ref/create_view.sgml =================================================================== RCS file: /cvsroot/pgsql-server/doc/src/sgml/ref/create_view.sgml,v retrieving revision 1.24 diff -c -c -r1.24 create_view.sgml *** doc/src/sgml/ref/create_view.sgml 12 Sep 2003 00:12:47 -0000 1.24 --- doc/src/sgml/ref/create_view.sgml 26 Sep 2003 23:53:34 -0000 *************** *** 118,123 **** --- 118,129 ---- CREATE VIEW vista AS SELECT text 'Hello World' AS hello; </programlisting> </para> + + <para> + While access to tables in the view is controlled entirely by permissions + on the view, functions called by the view are checked independently. + </para> + </refsect1> <refsect1>
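
Review bot: In the added <para>, "controlled entirely by permissions on the view" does not match the rule stated earlier in this thread, where table references are checked according to the owner of the view; suggest wording such as "access to tables referenced in the view is determined by the permissions of the view owner". "Checked independently" also leaves open whose privileges apply to the function call: the thread says use in a view does not change the execution context for function or operator calls, so state that the check is made against the user running the query, and mention operators as well as functions. The paragraph sits directly after the 'Hello World' <programlisting> and before </refsect1>, so it reads as part of that example; consider moving it to where readers look for permission rules.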
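
The behaviour discussed in this thread, as an added example that is not part of the original message or of the PostgreSQL documentation: a view user reaches the table through the view owner's privileges but still needs EXECUTE on a function the view calls. All role, schema, table, function and view names are hypothetical; the script assumes a superuser session on a scratch database of a current PostgreSQL server.

```sql
-- Constructed demo; every role, schema and object name here is hypothetical.
-- Assumes a superuser session on a scratch database.
CREATE ROLE view_owner;
CREATE ROLE reader;
CREATE SCHEMA demo AUTHORIZATION view_owner;
GRANT USAGE ON SCHEMA demo TO reader;

SET ROLE view_owner;
CREATE TABLE demo.accounts (id int, secret text);
INSERT INTO demo.accounts VALUES (1, 'constructed-value');

CREATE FUNCTION demo.mask(text) RETURNS text
    LANGUAGE sql
    AS $$ SELECT substr($1, 1, 1) || '***' $$;
-- EXECUTE is granted to PUBLIC by default; remove it so the check is visible.
REVOKE EXECUTE ON FUNCTION demo.mask(text) FROM PUBLIC;

CREATE VIEW demo.accounts_masked AS
    SELECT id, demo.mask(secret) AS masked FROM demo.accounts;
-- reader gets the view only: no privilege on the table, none on the function.
GRANT SELECT ON demo.accounts_masked TO reader;
RESET ROLE;

SET ROLE reader;
-- Table reference inside the view: checked against view_owner, so reader's
-- missing table privilege is not what decides this query.
-- Function call inside the view: checked against reader, who lacks EXECUTE,
-- so this statement is refused on demo.mask.
SELECT * FROM demo.accounts_masked;
RESET ROLE;

-- Grant the caller EXECUTE explicitly, then run the same query again.
GRANT EXECUTE ON FUNCTION demo.mask(text) TO reader;
SET ROLE reader;
SELECT * FROM demo.accounts_masked;
RESET ROLE;

-- Audit: which functions in the schema can reader execute?
SELECT p.oid::regprocedure AS func,
       has_function_privilege('reader', p.oid, 'EXECUTE') AS reader_can_execute
FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'demo';

-- Cleanup
DROP SCHEMA demo CASCADE;
DROP ROLE reader;
DROP ROLE view_owner;
```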