Robert Watson (robert@fledge.watson.org) reports a bug with a severity of 2
The lower the number the more severe it is.
Short Description
Any user able to connect to a database can create tables/etc
Long Description
There is no access control mechanism by which users can be allowed
to connect to a database, but not create tables. Ideally, only the
DBA would be able to create new tables, or some ACL would exist
on the database to limit which users could create tables. As it
stands, this is a severe limitation for sites that wish to allow
mutually suspicious users to host different databases on the same
backend.
One solution might be to add an ACL to the database itself
enumerating various rights for various principals, including:
connect (can connect to the database at all)
create (can create tables, views, et al)
delete (can delete tables, views, et al)
You could imagine other rights being necessary or useful also.
This type of feature would make PostgreSQL far more useful in
ISP/ASP environments.
Sample Code
No file was uploaded with this report
