Thread: Trigger with current user
Hello.
We use PostgreSQL 7.1.2 on Debian GNU/Linux as our Intranet database. I
am currently working on a small mailing-lists management application. I
would like to enforce table access permissions depending on the current
username :
- if the current user is declared as one of the lists maintainers
("SELECT maintainer FROM sys_mailing_lists;"), he(she) will be able to
SELECT, INSERT, UPDATE & DELETE rows in the 'sys_mailing_members' table,
- if not he(she) will only be able to do SELECT's on
'sys_mailing_members'.
So, I thought using triggers. However, I am missing some elements :
- how can I get back the currently connected username ?
- when using a "BEFORE" trigger, how can I cancel the
INSERT/UPDATE/DELETE actions to be performed if the user connected does
not match the access permissions ?
Thanks.
Nicolas.
From: "Nicolas Kowalski" <Nicolas.Kowalski@imag.fr>
> - if the current user is declared as one of the lists maintainers
> ("SELECT maintainer FROM sys_mailing_lists;"), he(she) will be able to
> SELECT, INSERT, UPDATE & DELETE rows in the 'sys_mailing_members' table,
>
> - if not he(she) will only be able to do SELECT's on
> 'sys_mailing_members'.
>
>
> So, I thought using triggers. However, I am missing some elements :
Not quite the right approach (see below)
> - how can I get back the currently connected username ?
There is a magic value: select CURRENT_USER;
> - when using a "BEFORE" trigger, how can I cancel the
> INSERT/UPDATE/DELETE actions to be performed if the user connected does
> not match the access permissions ?
In your case I would look into the GRANT and REVOKE commands (in the SQL
reference). You can set up two user-groups and do something like:
GRANT ALL ON sys_mailing_members TO GROUP listadmins;
GRANT SELECT ON sys_mailing_members TO GROUP justusers;
You'll need to set up groups with CREATE GROUP and ALTER GROUP (see
"Database Users and Permissions" chapter of the docs)
You will need to resort to rules and triggers if you want more complex
controls (e.g. managers can change their team-member's diary but only
weekdays or similar)
HTH
- Richard Huxton
Nicolas Kowalski <Nicolas.Kowalski@imag.fr> writes:
> - if the current user is declared as one of the lists maintainers
> ("SELECT maintainer FROM sys_mailing_lists;"), he(she) will be able to
> SELECT, INSERT, UPDATE & DELETE rows in the 'sys_mailing_members' table,
> - if not he(she) will only be able to do SELECT's on
> 'sys_mailing_members'.
Why do you need to build this from spare parts? Use GRANT. Possibly
create a GROUP to list the maintainers (makes life easier if the same
set of users should have similar permissions on multiple tables).
regards, tom lane
Nicolas Kowalski wrote:
>
> Hello.
>
> We use PostgreSQL 7.1.2 on Debian GNU/Linux as our Intranet database. I
> am currently working on a small mailing-lists management application. I
> would like to enforce table access permissions depending on the current
> username :
>
> - if the current user is declared as one of the lists maintainers
> ("SELECT maintainer FROM sys_mailing_lists;"), he(she) will be able to
> SELECT, INSERT, UPDATE & DELETE rows in the 'sys_mailing_members' table,
>
> - if not he(she) will only be able to do SELECT's on
> 'sys_mailing_members'.
>
> So, I thought using triggers. However, I am missing some elements :
>
> - how can I get back the currently connected username ?
>
> - when using a "BEFORE" trigger, how can I cancel the
> INSERT/UPDATE/DELETE actions to be performed if the user connected does
> not match the access permissions ?
>
Maybe you could use the PostgreSQL user system instead of triggers and
create PostgreSQL users. For every user you can GRANT or REVOKE rights
on tables and sequences. Everything is in detail at
http://www.postgresql.bit.nl/users-lounge/docs/7.1/admin/user-manag.html
HTH,
Nils
--
Alles van waarde is weerloos
Lucebert