On Fri, Jul 5, 2013 at 9:45 AM, Noah Misch <noah@leadboat.com> wrote:
> REFRESH MATERIALIZED VIEW should temporarily switch the current user ID to the
> MV owner. REINDEX and VACUUM do so to let privileged users safely maintain
> objects owned by others, and REFRESH MATERIALIZED VIEW belongs in that class
> of commands.
I was trying to understand why this is safe for a while. REINDEX and
VACUUM make sense to me because they never contain side-effect as far
as I know, but MV can contain some volatile functions which could have
some unintended operation that shouldn't be invoked by no one but the
owner. For example, if the function creates a permanent table per
call and doesn't clean it up, but later some other maintenance
operation is supposed to clean it up, and the owner schedules REFRESH
and maintenance once a day. A non-owner user now can refresh it so
many times until the disk gets full. Or is that operation supposed to
be restricted by the security context you are adding?
--
Hitoshi Harada
