On Wed, Jun 04, 2025 at 06:10:38PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I think we have to keep the non-SECURITY-DEFINER designation to keep the
> > text accurate,
I don't see it that way, because there's currently no experiment the user can
perform to distinguish between the following alternatives:
1. We switch to the user that fired the trigger, then call the SECURITY
DEFINER function. As always, the first step of executing a SECURITY
DEFINER function is to switch to its owner.
2. We know it's a SECURITY DEFINER function, so we don't switch. We just call
the SECURITY DEFINER function. As always, the first step of executing a
SECURITY DEFINER function is to switch to its owner.
The actual implementation is (1), for what it's worth. The src/backend part
of the commit didn't special-case SECURITY DEFINER.
> but you are right it is part of the function, not the
> > trigger:
>
> > Execute deferred constraint triggers attached to
> > non-SECURITY-DEFINER functions as the role that was active at
> > the time the trigger was fired
>
> > Previously such triggers were run as the role that was active at
> > commit/execution time.
> It's still inaccurate -- to my mind, a "deferred" trigger is one that
> runs later than the end of the triggering statement. I think you
> should use "after trigger". Also, "fired" is a fairly confusing
> choice of word here; I think most people would take that as meaning
> the act of running the trigger. How about
>
> Execute AFTER triggers as the role that was active at the
> moment the trigger event was queued
>
> Previously such triggers were run as the role that is active
> when it is time to execute the trigger (e.g., at COMMIT).
I like that.
