I'm developing a web application that needs to display data from a postgres backend.
The most convenient way for the app to get the data is by expressing the request in SQL.
I'm thinking about the following architecture
[ App/Client ] -----> query in SQL ---> [Web server] ---> same SQL query --> [PG database]
***********
I would simply use the roles/permssion system inside Postgres to determine what users can do and cannot do. Clients have to authenticate as one of the roles (not superusers) defined in the database. ************
Given this are there any security other issues about letting client applications execute arbitrary SQL commands on the backend database?