Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c) - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Date
Msg-id 199802191817.NAA10322@candle.pha.pa.us
In response to Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)  (jwieck@debis.com (Jan Wieck))
List pgsql-hackers
>
>
> I wrote:
> >     The  'grant  select'  on  views  is  an IMHO urgently required
> >     feature.  I'll take a look at the code  checking  permissions
> >     and the rewrite system.
>
>     Interesting - first of all an unprivileged user cannot create
>     any view "pg_rewrite: Permission denied".  I  think  this  is
>     absolutely wrong.
>
>     Anyway  - if we add a flag to the rangetable entry that tells
>     the executor in ExecCheckPerms() if this rte  came  from  the
>     rewriting  due  to  a view or not, it can skip the permission
>     check on that and the tests will pass.
>
>     But then we'll run into a little security hole  problem.   If
>     the  permissions  only  rely  on access to the view, the view
>     owner  (or  public  as  long  as  ACL_WORLD_DEFAULT  contains
>     ACL_RD)  can select through the view. So we must check on view
>     creation that the creator of the view has proper  permissions
>     to what the view selects.  And in addition if not all objects
>     the  view  selects  are  granted   to   public,   we   should
>     automagically revoke public from the view so the creator must
>     explicitly grant access to the view.
>
>     Anything forgotten?

No, I think these are the valid issues.

--
Bruce Momjian
maillist@candle.pha.pa.us
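
The scheme discussed in this message, as an added toy model (not code from the post or from PostgreSQL): range table entries added by view rewriting are skipped at execution time, the view creator's read access is checked at creation, and public access to the view is dropped unless every underlying object is public. All type and function names, and the single-grantee ACL, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_BASE 4
/* Toy catalog entry for a table or view; every name here is hypothetical. */
typedef struct Rel {
    const char *owner;
    bool public_read;                 /* stands in for ACL_RD in the world ACL */
    const char *grantee;              /* one explicit SELECT grant, or NULL */
    const struct Rel *base[MAX_BASE]; int nbase; /* what a view selects from */
} Rel;
typedef struct { const Rel *rel; bool from_view; } Rte; /* from_view: proposed flag */
/* Direct read check: owner, public, or the explicit grantee. */
bool can_read(const Rel *r, const char *user) {
    return strcmp(r->owner, user) == 0 || r->public_read ||
           (r->grantee && strcmp(r->grantee, user) == 0);
}
/* Creation check: creator must read every base; public only if all bases are. */
bool create_view(Rel *v, const char *creator, const Rel **base, int n) {
    Rel nv = { creator, true, NULL, {0}, 0 };
    if (n > MAX_BASE) return false;
    for (int i = 0; i < n; i++) {
        if (!can_read(base[i], creator)) return false;
        nv.public_read = nv.public_read && base[i]->public_read;
        nv.base[nv.nbase++] = base[i];
    }
    *v = nv;
    return true;
}
/* Executor-side check: entries added by view rewriting are skipped. */
bool check_perms(const Rte *rt, int n, const char *user) {
    for (int i = 0; i < n; i++)
        if (!rt[i].from_view && !can_read(rt[i].rel, user)) return false;
    return true;
}
/* SELECT through a view: the view is checked, its base relations are not. */
bool select_view(const Rel *v, const char *user) {
    Rte rt[1 + MAX_BASE] = { { v, false } };
    for (int i = 0; i < v->nbase; i++) rt[1 + i] = (Rte){ v->base[i], true };
    return check_perms(rt, 1 + v->nbase, user);
}
int main(void) {  /* constructed sample: alice owns a private table */
    Rel salaries = { "alice", false, NULL, {0}, 0 }, v;
    const Rel *base[] = { &salaries };
    bool mallory = create_view(&v, "mallory", base, 1);
    bool alice = create_view(&v, "alice", base, 1);
    printf("create: mallory=%d alice=%d; bob selects: %d\n", mallory, alice, select_view(&v, "bob"));
    return 0;
}
```

Without the creation-time check, a user with no access to the private table could define a view over it and read the table through the skipped entries.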
