Home > mailing lists

Re: Should we get rid of custom_variable_classes altogether? - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: Should we get rid of custom_variable_classes altogether?
Date	October 3, 2011 14:42:02
Msg-id	15021.1317652908@sss.pgh.pa.us Whole thread Raw
In response to	Re: Should we get rid of custom_variable_classes altogether? (Andrew Dunstan <andrew@dunslane.net>)
Responses	Re: Should we get rid of custom_variable_classes altogether? (David Fetter <david@fetter.org>)
List	pgsql-hackers

Tree view

Andrew Dunstan <andrew@dunslane.net> writes:
> On 10/03/2011 10:17 AM, Tom Lane wrote:
>> Right.  Getting rid of custom_variable_classes should actually make
>> those use-cases easier, since it will eliminate a required setup step.

> So are we going to sanction using this as a poor man's session variable 
> mechanism?

People already are doing that, sanctioned or not.

> If so maybe we should at least warn that anything set will be accessible 
> by all roles, so security definer functions for example should be wary 
> of trusting such values.

Since it's not documented anywhere, I'm not sure where we'd put such
a warning.  I think anyone bright enough to think of such a hack should
be able to see the potential downsides, anyway.
        regards, tom lane

pgsql-hackers by date:

From: Andrew Dunstan
Date: 03 October 2011, 14:41:19
Subject: Re: SPI_processed is not set for COPY statement

From: Dimitri Fontaine
Date: 03 October 2011, 14:55:24
Subject: Re: [v9.2] DROP statement reworks

Re: Should we get rid of custom_variable_classes altogether? - Mailing list pgsql-hackers

Previous

Next