"Roman Havrylyak" <roma@ukr.net> writes:
> Suppose we have table A and table B. When action is performed on table A
> (for example INSERT), some action (for example UPDATE) through the trigger
> is done on table B.
> If user had permission on both tables (GRANT INSERT on table A and GRANT
> UPDATE on table B)- everything is good. But in that way user can get access
> to table B directly.
> If I need to limit user's access to table B only through the trigger from
> table A, how to do this?
Right now I don't think you can. There's been talk of making triggers
run "setuid" to the trigger's creating user, which would solve the
problem, but it's not implemented yet.
If you can express the additional action as a RULE instead of a trigger,
try that. Rules do act this way: their queries are permission-checked
according to the rule owner, not the rule invoker.
regards, tom lane