Chris Farmiloe <chrisfarms@gmail.com> writes:
> I find the current LISTEN / NOTIFY rather limited in the context of
> databases with multiple roles. As it stands it is not possible to restrict
> the use of LISTEN or NOTIFY to specific roles, and therefore notifications
> (and their payloads) cannot really be trusted as coming from any particular
> source.
TBH, nobody has complained about this in the fifteen-plus years that
LISTEN has been around. I'm dubious about adding privilege-checking
overhead for everybody to satisfy a complaint from one person.
> I'd like to propose a new ASYNC database privilege that would control
> whether a role can use LISTEN, NOTIFY and UNLISTEN statements and the
> associated pg_notify function.
... and if I did think that there were an issue here, I doubt I'd think
that a privilege as coarse-grained as that would fix it. Surely you'd
want per-channel privileges if you were feeling paranoid about this,
not to mention separate read and write privileges. But the demand for
that just isn't out there.
regards, tom lane
