Thread: GRANT ROLE and triggers

GRANT ROLE and triggers

From
"Claudio Rossi"
Date:
Hello,
I'm trying to write a trigger function which uses the GRANT ROLE statement. The scenario is: I have a group role (let's call it
A) which does not have superuser privileges and I want to grant A membership to the current user after an insert on a particular
table, then revoke it after a delete on it; I write the trigger function as superuser, then I normally log in as an unprivileged
user. The problem I just found out is that GRANT ROLE checks privileges against the current user even if inside a trigger
function, so unprivileged users are not allowed to alter A and to be added as members; after some searching, I
discovered a discussion on this forum which states trigger function privileges are NOT actually checked against the trigger
owner. Is this correct or did I misunderstand it? Is there a way to do what I'm trying to accomplish? Keep in mind I
cannot just create A (the group role) and statically grant membership to users, I need to grant and revoke
dynamically to current users, so I can't just CREATE ROLE grouprole ROLE user1, etc... but I need to use GRANT (or ALTER
ROLE, but there's the same problem with privileges), but GRANT is forbidden to use as I said above. Thanks for answers.

Regards,
Claudio Rossi





Re: GRANT ROLE and triggers

From
Richard Huxton
Date:
Claudio Rossi wrote:
> Hello, I'm trying to write a trigger function which uses GRANT ROLE
> statement. Scenario is: I have a group role (let's call it A) which
> has not superuser privileges and I want to grant A membership to
> current user after an insert on a particular table, then revoke it
> after a delete on it; I write trigger function as superuser then I
> normally login as unprivileged user. 

I think you want to define your function as SECURITY DEFINER, then it'll 
do what you want.

This isn't a hackers question by the way, the hackers list is for 
developing PostgreSQL itself. This question is better suited to the 
general / sql / admin lists perhaps.

--   Richard Huxton  Archonet Ltd
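
The SECURITY DEFINER approach suggested in the reply above, as an added example that is not part of the original thread. The role, table, function and trigger names are hypothetical, and it assumes the role creating the function is allowed to grant the group role (a superuser, or a role holding it WITH ADMIN OPTION).

```sql
-- Added example; group_a, membership_requests, sync_group_a and
-- membership_requests_sync are hypothetical names.
-- Run this as the role that should own the function: it must be able to
-- grant group_a (superuser, or a member of group_a WITH ADMIN OPTION).

CREATE ROLE group_a NOLOGIN;
CREATE TABLE membership_requests (id serial PRIMARY KEY, note text);

CREATE FUNCTION sync_group_a() RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER                        -- body runs with the owner's privileges
SET search_path = pg_catalog, pg_temp   -- pin name lookup so callers cannot shadow objects
AS $$
BEGIN
    -- Inside a SECURITY DEFINER function current_user is the function owner;
    -- session_user is still the role that logged in, so that is the role
    -- whose membership is changed.
    IF TG_OP = 'INSERT' THEN
        EXECUTE format('GRANT group_a TO %I', session_user);
        RETURN NEW;
    ELSIF TG_OP = 'DELETE' THEN
        EXECUTE format('REVOKE group_a FROM %I', session_user);
        RETURN OLD;
    END IF;
    RETURN NULL;
END;
$$;

CREATE TRIGGER membership_requests_sync
AFTER INSERT OR DELETE ON membership_requests
FOR EACH ROW EXECUTE PROCEDURE sync_group_a();
```

With this in place, INSERT and DELETE privileges on the table decide who can join or leave group_a, so those table privileges should be granted as narrowly as the role membership itself would be.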