Home > mailing lists

Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function - Mailing list pgsql-general

From	Álvaro Herrera
Subject	Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function
Date	July 31 19:18:37
Msg-id	202507311618.t7vdkwzigntv@alvherre.pgsql Whole thread Raw
In response to	Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function (Dominique Devienne <ddevienne@gmail.com>)
List	pgsql-general

Tree view

On 2025-Jul-31, Dominique Devienne wrote:

> But also, it's weird DELETE allows you to delete all rows.
> Yet prevents you from deleting just one, i.e. a subset.

But you don't know what you deleted, so you cannot exfiltrate useful
info by repeatedly deleting with varying WHERE values.  I suspect that
you aren't able to use DELETE RETURNING either, unless you have SELECT
privs.

> I get it, a WHERE needs to read, so needs SELECT.

Right.

-- 
Álvaro Herrera         PostgreSQL Developer  —  https://www.EnterpriseDB.com/
"El destino baraja y nosotros jugamos" (A. Schopenhauer)

pgsql-general by date:

From: Dominique Devienne
Date: 31 July, 18:59:42
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function

From: Christoph Moench-Tegeder
Date: 01 August, 21:35:26
Subject: Re: Failing to allocate memory when I think it shouldn't

Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql) function - Mailing list pgsql-general

Previous

Next