Thread: A question on triggers
I have two tables "inputs" and "outputs" and they hold items and quantities that are coming and going from a warehouse. I have defined also another table "stock" that will hold the inventory of that warehouse. I have defined triggers on INSERT, UPDATE and DELETE on "inputs" and "outputs" tables that update acordingly the "stock" table! What's my problem? Is there any chance to restrict the direct updates of any user to the "stock" table? So that the information in the "stock" table should be updated ONLY by those triggers? Thanks in advance, Constantin Teodorescu FLEX Consulting Braila, ROMANIA
Constantin Teodorescu wrote: > > I have two tables "inputs" and "outputs" and they hold items and > quantities that are coming and going from a warehouse. > > I have defined also another table "stock" that will hold the inventory > of that warehouse. > > I have defined triggers on INSERT, UPDATE and DELETE on "inputs" and > "outputs" tables that update acordingly the "stock" table! > > What's my problem? > > Is there any chance to restrict the direct updates of any user to the > "stock" table? > So that the information in the "stock" table should be updated ONLY by > those triggers? Just for kicks, here's a hack. Add a column named 'passwd' to the stock table (with a bogus default value), then create an UPDATE trigger on stock requiring the UPDATE to include a valid 'passwd' column value that's only known (hard-coded) to your 'inputs' and 'outputs' triggers. Would that work? Cheers, Ed Loehr
Ed Loehr wrote: > > Constantin Teodorescu wrote: > > > > I have two tables "inputs" and "outputs" and they hold items and > > quantities that are coming and going from a warehouse. > > > > I have defined also another table "stock" that will hold the inventory > > of that warehouse. > > > > I have defined triggers on INSERT, UPDATE and DELETE on "inputs" and > > "outputs" tables that update acordingly the "stock" table! > > > > What's my problem? > > > > Is there any chance to restrict the direct updates of any user to the > > "stock" table? > > So that the information in the "stock" table should be updated ONLY by > > those triggers? > > Just for kicks, here's a hack. Add a column named 'passwd' to the > stock table (with a bogus default value), then create an UPDATE > trigger on stock requiring the UPDATE to include a valid 'passwd' > column value that's only known (hard-coded) to your 'inputs' and > 'outputs' triggers. Would that work? I think it will work! It's really a good idea! But wouldn't be nice if PostgreSQL could offer a more elegant solution? Constantin Teodorescu FLEX Consulting Braila, ROMANIA
>>>> Is there any chance to restrict the direct updates of any user to the >>>> "stock" table? >>>> So that the information in the "stock" table should be updated ONLY by >>>> those triggers? > But wouldn't be nice if PostgreSQL could offer a more elegant solution? Can't you do it with the normal GRANT/REVOKE access-control mechanism? I'm pretty sure that for rules (views), the access rights for queries issued within the rule are checked based on the owner of the rule, not the user who invoked the rule. Triggers ought to work the same way, though I haven't tried it. So you could make the trigger function and the protected table owned by the same user, and then not grant write permission on that table to anyone else. regards, tom lane
Tom Lane wrote: > > >>>> Is there any chance to restrict the direct updates of any user to the > >>>> "stock" table? > >>>> So that the information in the "stock" table should be updated ONLY by > >>>> those triggers? > > > But wouldn't be nice if PostgreSQL could offer a more elegant solution? > > Can't you do it with the normal GRANT/REVOKE access-control mechanism? No. It didn't worked, that was my first idea! > I'm pretty sure that for rules (views), the access rights for queries > issued within the rule are checked based on the owner of the rule, not > the user who invoked the rule. Triggers ought to work the same way, > though I haven't tried it. So you could make the trigger function and > the protected table owned by the same user, and then not grant write > permission on that table to anyone else. It seems it didn't work! Constantin Teodorescu
> -----Original Message----- > From: owner-pgsql-interfaces@postgreSQL.org > [mailto:owner-pgsql-interfaces@postgreSQL.org]On Behalf Of > Constantin Teodorescu > > Tom Lane wrote: > > > > > But wouldn't be nice if PostgreSQL could offer a more elegant > solution? > > > > Can't you do it with the normal GRANT/REVOKE access-control mechanism? > > No. It didn't worked, that was my first idea! > > > I'm pretty sure that for rules (views), the access rights for queries > > issued within the rule are checked based on the owner of the rule, not > > the user who invoked the rule. Triggers ought to work the same way, > > though I haven't tried it. So you could make the trigger function and > > the protected table owned by the same user, and then not grant write > > permission on that table to anyone else. > > It seems it didn't work! > Hmm,it seems to work for views(rules) but it doesn't work for functions. It should work for stored procedures,shouldn't it ? Regards. Hiroshi Inoue Inoue@tpf.co.jp