Re: permissions question - Mailing list pgsql-general

From Tom Lane
Subject Re: permissions question
Date
Msg-id 29500.998058795@sss.pgh.pa.us
In response to permissions question  ("Roman Havrylyak" <roma@ukr.net>)
List pgsql-general
"Roman Havrylyak" <roma@ukr.net> writes:
> Suppose we have table A and table B. When action is performed on table A
> (for example INSERT), some action (for example UPDATE) through the trigger
> is done on table B.

> If user had permission on both tables (GRANT INSERT on table A and GRANT
> UPDATE on table B)- everything is good. But in that way user can get access
> to table B directly.

> If I need to limit user's access to table B only through the trigger from
> table A, how to do this?

Right now I don't think you can.  There's been talk of making triggers
run "setuid" to the trigger's creating user, which would solve the
problem, but it's not implemented yet.

If you can express the additional action as a RULE instead of a trigger,
try that.  Rules do act this way: their queries are permission-checked
according to the rule owner, not the rule invoker.

            regards, tom lane
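
The rule-based approach from the reply above, as an added example that is not part of the original message. The role names (`app_owner`, `limited_user`), column names and rule name are assumptions; the session is assumed to be a superuser's on a current PostgreSQL release, which accepts the `DO ALSO` spelling.

```sql
-- Added example: route writes to b through a rule on a, so the invoking
-- user needs no privilege on b. Role, column and rule names are hypothetical.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE limited_user NOLOGIN;

CREATE TABLE a (id integer PRIMARY KEY, amount integer NOT NULL);
CREATE TABLE b (id integer PRIMARY KEY, total integer NOT NULL DEFAULT 0);
ALTER TABLE a OWNER TO app_owner;
ALTER TABLE b OWNER TO app_owner;
INSERT INTO b (id, total) VALUES (1, 0);

-- The rule belongs to the owner of table a (app_owner). Its UPDATE on b is
-- permission-checked against that owner, not against whoever runs the INSERT.
CREATE RULE a_insert_updates_b AS
    ON INSERT TO a
    DO ALSO
    UPDATE b SET total = total + NEW.amount WHERE b.id = 1;

-- Least privilege: the user may insert into a and nothing else.
REVOKE ALL ON a, b FROM PUBLIC;
GRANT INSERT ON a TO limited_user;

-- Check both paths as the restricted user.
SET ROLE limited_user;

-- Permitted path: INSERT on a is granted, and the rule's UPDATE on b
-- runs with the rule owner's privileges.
INSERT INTO a (id, amount) VALUES (1, 10);

-- Direct path: limited_user holds no privilege on b, so this statement
-- is rejected by the permission check.
UPDATE b SET total = 0 WHERE id = 1;

RESET ROLE;

-- Audit the result: only app_owner's own privileges should be listed for b.
SELECT grantee, privilege_type
FROM information_schema.table_privileges
WHERE table_name = 'b';
```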
