Securing a db app - RFC - Mailing list pgsql-general

From BARTKO Zoltan
Subject Securing a db app - RFC
Date
Msg-id 017001c44817$da0ab900$0e5d10ac@antik.org
Responses Re: Securing a db app - RFC  (Shridhar Daithankar <shridhar@frodo.hserus.net>)
List pgsql-general
Hello folks,
 
First a question and then the rest:
 
Does the PostgreSQL log contain the stored function calls with all parameters? Or is this something that could be set?
 
I would appreciate anyone wiser than me to comment on the following:
 
I am making an app for PostgreSQL (the server). The clients are connecting through the same single user. There is a model of the user organization inside (position hierarchy), each person (virtual user) assigned a position, positions have privileges assigned.
 
If I want to access a function (like do this or that with data), I use a stored function and pass the id# of the user plus all the necessary things. First, I check if the person is authorized to carry out the operation. If so, the operation is performed.
 
There are users, who are administrators. Thus, they are allowed to do anything.
 
My problem is the following: I can do a check for whether the person requesting the operation is logged in (that means no dirty hacks with my name if I am not logged in). But then anybody can find out the id# of an administrator and use that to identify himself when asked for.
 
I thought about using electronic signatures or something similar. That would mean sending the key of the users around when calling the stored functions.
 
Does the DB log contain the function calls with the parameters of the function too? If not, then by using an SSL connection I could prevent crackers from accessing the data.
 
Please feel free to comment, object, etc.
 
Thanks
 
Zoltan
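The authorization pattern described in the post (caller passes its person id, the stored function checks position privileges before acting), as an added example that is not part of the original message or the author's code. It assumes a current PostgreSQL (dollar quoting, multi-row VALUES) and constructed table, column and function names; the audit_log table is an addition to the described model.

```sql
-- Constructed schema for the model described above: people hold positions,
-- positions carry privileges; an administrator position holds every operation.
CREATE TABLE org_position (position_id integer PRIMARY KEY, name text NOT NULL);
CREATE TABLE privilege    (position_id integer NOT NULL REFERENCES org_position,
                           operation   text    NOT NULL,
                           PRIMARY KEY (position_id, operation));
CREATE TABLE person       (person_id   integer PRIMARY KEY,
                           position_id integer NOT NULL REFERENCES org_position,
                           logged_in   boolean NOT NULL DEFAULT false);
CREATE TABLE document     (doc_id integer PRIMARY KEY, body text);
-- Each guarded call records who asked for what, so a borrowed id leaves a
-- trail that does not depend on what the server log happens to capture.
CREATE TABLE audit_log    (logged_at timestamptz NOT NULL DEFAULT now(),
                           person_id integer NOT NULL,
                           operation text    NOT NULL,
                           target    integer);

-- One shared check: the person must be logged in and hold the privilege
-- through their position.
CREATE FUNCTION is_authorized(p_person integer, p_op text) RETURNS boolean AS $$
    SELECT EXISTS (
        SELECT 1
          FROM person pe
          JOIN privilege pr ON pr.position_id = pe.position_id
         WHERE pe.person_id = p_person
           AND pe.logged_in
           AND pr.operation = p_op);
$$ LANGUAGE sql STABLE;

-- A guarded operation: refuse before touching data, then record the call.
CREATE FUNCTION delete_document(p_person integer, p_doc integer) RETURNS void AS $$
BEGIN
    IF NOT is_authorized(p_person, 'delete_document') THEN
        RAISE EXCEPTION 'person % is not authorized for delete_document', p_person;
    END IF;
    DELETE FROM document WHERE doc_id = p_doc;
    INSERT INTO audit_log (person_id, operation, target)
         VALUES (p_person, 'delete_document', p_doc);
END;
$$ LANGUAGE plpgsql;

-- Constructed sample data: position 1 is administrator, position 2 a clerk.
INSERT INTO org_position VALUES (1, 'administrator'), (2, 'clerk');
INSERT INTO privilege    VALUES (1, 'delete_document'), (2, 'read_document');
INSERT INTO person       VALUES (10, 1, true), (20, 2, true);
INSERT INTO document     VALUES (100, 'constructed');
SELECT delete_document(20, 100);  -- raises: person 20 is not authorized
SELECT delete_document(10, 100);  -- succeeds and writes an audit_log row
```

Run the two SELECTs as separate statements (psql autocommit), since the first one raises and aborts its transaction. The audit_log row is written whether or not the server log is configured to record statement text and arguments, so it gives a record of which id was used for each call independent of the logging setting.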