On Wed, Oct 30, 2002 at 08:27:37 -0600,
Bruno Wolff III <bruno@wolff.to> wrote:
> Do default expressions execute with access of the user doing the insert
> or the owner of the table?
> What I was thinking was that the owner of a table may want to allow people
> to do inserts into a table and update a sequence through a default expression,
> but not let people change the sequence directly.
> A quick look under create table (in the 7.3b3 docs) didn't turn up any
> information and I don't remember running accross anything covering this
> previously.
OK, I went and tested this and I found that default expressions (at least
nextval) are executed with the permissions of the user doing the insert
and not the owner of the table.
I would like to suggest this be changed for two reasons:
It may not be obvious to the end user that inserting a row into a table
may result in other things being done with their access. I.e. you can
use a default expression as a trojan and by getting someone to do an insert
into a table you created can be used to do bad things.
I think that the table owner may want to let be insert rows into a table
with a serial column, but not want to also let people reset the sequence
number to arbitrary values.
This would be similar to rules working with the access of the rule owner.
While I am not sure about triggers, it certainly is possible to get
a similar effect be having the referenced function run with the security
of the definer.
