* Christopher Kings-Lynne (chriskl@familyhealth.com.au) wrote:
> >It bothers me a great deal that I can't control very easily what a given
> >user can see when they connect over ODBC or via phppgadmin in terms of
> >schemas, tables and columns. I fixed this in application code in
> >phppgadmin but that's clearly insufficient since it doesn't do anything
> >for the other access methods.
>
> Modifiying phpPgAdmin is useless - people can query the catalogs manually.
It's not entirely *useless*; it's just not a proper fix for the security
issue, I'll grant you that. Personally I found the hack that I did pretty
useful since most of my users aren't likely to go sniffing through the
catalog and it was a temporary workaround for the complaints until
there's a proper fix.
> Hackers - we get an email about information hiding in shared
> postgresql/phppgadmin installations at least once a fortnight :)
I agree with this- it needs to be dealt with and fixed already, once and
for all.
Thanks,
Stephen
