Josh Berkus <josh@agliodbs.com> writes:
>> BTW, what about lastval()?
> Overal, it's hard to get too concerned about this, since a user can't
> really get anything out of lastval() if he doesn't have permissions on the
> sequence he's trying to query, in order to run currval.
Well, no, consider my example to Marko: there could be a SECURITY
DEFINER function that has the privilege to run nextval(). After
that, if lastval() isn't privilege-checked then code that doesn't
have any privilege at all on the sequence could get at the value.
However, looking at the source code I see that lastval() does in fact
insist on SELECT rights on the sequence the value is coming from.
So I guess we can just leave that as-is.
regards, tom lane
