Am 31.12.2012 um 22:18 schrieb Adrian Klaver:
> On 12/31/2012 09:02 AM, Philipp Kraus wrote:
>>
>> Am 31.12.2012 um 15:54 schrieb Adrian Klaver:
>>
>>> On 12/31/2012 05:41 AM, Philipp Kraus wrote:
>>>>
>>>> Am 31.12.2012 um 02:11 schrieb Adrian Klaver:
>>>>
>>>
>>>>>
>>>>> Actually as of 9.0 that is not strictly true:
>>>>> http://www.postgresql.org/docs/9.2/interactive/sql-alterdefaultprivileges.html
>>>>
>>>> I have create a view for access a table and rules for modifiy the
>>>> based table. The table has got a trigger.
>>>> If I run an update on the view, I get an error "permission denied"
>>>> for the trigger call. My user modifies
>>>> only the "view", so do the user also get access to the trigger
>>>> (execution right)? IMHO the trigger is run
>>>> by postgres self, so the user don't need a right on the trigger.
>>>
>>> Was the error for the trigger or the function the trigger called?
>>
>> ERROR: permission denied for schema usermanagement
>>
>> usermanagement ist ein schema and the base table calls a function within
>> this schema, this
>> checks if the user is super user with
>>
>> select current_setting('is_superuser') = 'on' into l_issuper;
>
> So the issue was that the user calling the function did not have access to the schema usermanagement. It is also
possiblethe user did not have EXECUTE privileges on the function either. From your subsequent post I see you discovered
SECURITYDEFINER. This is works as you found out. Just be aware that if the user that defined the function is a super
userthe function has their privileges and all that implies.
At the moment I create a test database with 2 users, one of these users is a super user, but later IMHO it can be a
securityissue. The working user can not see or modify the function. Do you have got a tip for a good secure solution.
My first idea is, that I create all database structure with an user, which is later not a super user, so I remove the
superuser role.
Thanks
Phil
