Stephen Frost <sfrost@snowman.net> writes:
> * Bruno Wolff III (bruno@wolff.to) wrote:
>> Creating objects in particular schemas or databases is not something that
>> all roles may be able to do.
> Yeah, I'm not entirely sure what I think about this issue.

We have a precedent, which is that RENAME checks for create rights.
If you want to lean on the argument that this is just a shortcut for
dropping the object and then recreating it somewhere else, then you
need (a) the right to drop the object --- which is inherent in being
the old owner, and (b) the right to create the new object, which means
that (b1) you can become the role you wish to have owning the object,
and (b2) *as that role* you would have the rights needed to create the
object.

Stephen's original analysis covers (a) and (b1) but not (b2). With (b2)
I'd agree that it's just a useful shortcut.

I don't see a need to treat SECURITY DEFINER functions as
superuser-only. We've had that facility since 7.3 or so and no one
has complained that it's too dangerous.

			regards, tom lane
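
As an added illustration (not part of the original message and not PostgreSQL project code), the conditions (a), (b1) and (b2) above can be exercised in a scratch database, assuming a PostgreSQL release whose ALTER ... OWNER TO enforces all three. The roles alice and bob, the schema app and the table app.t are constructed names.

```sql
-- Run as a superuser in a throwaway database. All names are constructed.
CREATE ROLE alice;
CREATE ROLE bob;
CREATE SCHEMA app;
GRANT USAGE, CREATE ON SCHEMA app TO alice;
GRANT USAGE ON SCHEMA app TO bob;        -- bob may use app but not create in it

SET ROLE alice;
CREATE TABLE app.t (id int);             -- alice is now the owner, so (a) holds

-- (b1) fails: alice cannot become bob.
ALTER TABLE app.t OWNER TO bob;          -- rejected
RESET ROLE;

GRANT bob TO alice;                      -- (b1) now holds

SET ROLE alice;
-- (b2) fails: bob, as himself, could not have created a table in app.
ALTER TABLE app.t OWNER TO bob;          -- rejected
RESET ROLE;

GRANT CREATE ON SCHEMA app TO bob;       -- (b2) now holds

SET ROLE alice;
-- (a), (b1) and (b2) all hold: equivalent to drop-and-recreate as bob.
ALTER TABLE app.t OWNER TO bob;          -- accepted
RESET ROLE;

-- Confirm the new owner.
SELECT tableowner FROM pg_tables
 WHERE schemaname = 'app' AND tablename = 't';

-- Clean up.
DROP SCHEMA app CASCADE;
DROP ROLE alice, bob;
```

Without `ON_ERROR_STOP` set, psql continues past the two rejected statements, so the script can be run in one pass.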