"Pavel Stehule" <[EMAIL PROTECTED]> writes:
> SQL/PSM default for SQL procedures are SECURITY DEFINER (like views),
but
> PostgreSQL default is SECURITY CALLLER. Is acceptable to define security
> flag in dependency to used language?
I'd vote no, even if Peter is wrong and you're right about what the spec
says. A PL gets to set the rules within its function body, not outside.
I prefare security invoker too. It's secure. This question is again here
over some years. Spec knows both, but doesn't speak clearly which is
default. From my view SECURITY DEFINER is more natural and consistent in SQL
framework (like views) and maybe a little bit simpler for some beginers. My
view isn't too important. I checked this topic again and I thing so default
depends on implementation now.
Next you'll be telling us that the standard requires that the CREATE
FUNCTION not use a dollar-quoted function body ... to which the answer
will be "too bad". I think the principle of least surprise dictates
that security properties shouldn't be inconsistent across PLs.
I am finding solution and concensus. Propably CREATE FUNCTION without
dollar-quoted function body is more elegant, but it means big enhancing of
main parser. It hasn't sence with external parser like plpgsql or plpgpsm,
and I don't wont to do it now. Our syntax simply allow more languages and I
really haven't problem with it.
last note:
SQL/PSM doesn't specify syntax for CREATE FUNCTION or CREATE PROCEDURE
statement. So it is possible be compatible with SQL/PSM with dollar-quoted
function body. With any IDEs this topic isnt too important.
Regards
Pavel Stehule
_________________________________________________________________
Citite se osamele? Poznejte nekoho vyjmecneho diky Match.com.
http://www.msn.cz/
---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at
http://www.postgresql.org/about/donate
