Re: Question: CREATE EXTENSION and create schema permission? - Mailing list pgsql-hackers

From Dimitri Fontaine
Subject Re: Question: CREATE EXTENSION and create schema permission?
Date
Msg-id m2hb5ax5h7.fsf@2ndQuadrant.fr
In response to Question: CREATE EXTENSION and create schema permission?  (Kohei KaiGai <kaigai@kaigai.gr.jp>)
Responses Re: Question: CREATE EXTENSION and create schema permission?
List pgsql-hackers
Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
> However, it allows users to create a new schema with his ownership,
> even if current user does not have permission to create a new schema.
[...]
> It seems to me that we should inject permission checks here, as
> CreateSchemaCommand() does.

It seems to me the code was written this way before we relaxed the
superuser-only check in CREATE EXTENSION.  I'm not enough into security
to convince myself there's harm to protect against here, but I would
agree there's sound logic in refusing to create the schema if the
current role isn't granted that operation.

Please note, though, that you're effectively forbidding the role to
create the extension.  As it's not relocatable, the role will not be
able to install it into another schema.  Which could be exactly what you
wanted to achieve.

Regards,
-- 
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support

