Hello Hackers!
So, currently the only way to see if a function is security definer or not is to directly query pg_proc. This is both
irritating,and I think perhaps dangerous since security definer functions can be so powerful. I thought that
rectifyingthat would make an excellent first patch, and I was bored today here in Prague since pgconf.eu is now
over...sohere it is. :)
This patch adds a column to the output of \df titled "Security" with values of "definer" or "invoker" based on the
booleansecdef column from pg_proc. I've also included a small doc patch to match. This patch is against master from
git.Comments welcome!
I just realized I didn't address regression tests, so I guess this is not actually complete yet. I should have time for
thatnext week after I get back to the states.
I would also like to start discussion about perhaps adding a couple more things to \df+, specifically function
executionpermissions (which are also exposed nowhere outside the catalog to my knowledge), and maybe search_path since
that'srelated to secdef. Thoughts?
This was actually kind of anti-climactic, since it only took about 5 minutes to make the change and get it working.
Didn'treally feel the way I expected it to ;)
--
Jon T Erdman
Postgresql Zealot
