Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Well, it sure sounds like a bug. What logic is there that table access
> use the view permissions, but not function access? Could we just use
> SECURITY DEFINER for function calls in views?
You're confusing two distinct questions, I think. One is how we decide
whether it's allowed to call the function (ie, whose USAGE right do we
check). The other is whose ID does the function run under. If the
function is SECURITY DEFINER then the second question is determined by
the function itself, but otherwise it's not; and in any case SECURITY
DEFINER doesn't speak to the first question.
A case can be made that the answer to both questions should be "the view
owner", rather than "the view user" as it is now, but I am not sure that
this is an open-and-shut issue. Both the user and the owner can affect
whether such a function gets called and what arguments it gets called
with (maybe not so much in a view rule, but definitely in ON INSERT and
other action rules). It seems possible that we'd just be switching from
one set of security issues to another.
regards, tom lane
