"Bruce Momjian" <pgman@candle.pha.pa.us> wrote:
> Tom Lane wrote:
> > Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > > Someone asked me a question about view and function permissions. I
> > > assumed all object access done by a view would be based on the
> > > permissions on the view, and not the permissions of the objects.
> >
> > Table references are checked according to the owner of the view, but use
> > in a view does not change the execution context for function or operator
> > calls. This is how it's always been done.
> >
> > > Is this a bug?
> >
> > Changing it would be a major definitional change (and a pretty major
> > implementation change too). It might be better, but please don't
> > pre-judge the issue by labeling it a bug.
>
> Well, it sure sounds like a bug. What logic is there that table access
> use the view permissions, but not function access? Could we just use
> SECURITY DEFINER for function calls in views?
I already had this problem, look here:
http://groups.google.it/groups?q=postgres+security+definer+gaetano+mendola&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=b711hu%241g25%241%40news.hub.org&rnum=1
and I had no reply :-(
Regards
Gaetano Mendola
