Thread: limiting access to (through) views

limiting access to (through) views

From
"Glenn MacGregor"
Date:
Hi All,
 
I need to limit access to certain rows of a table.  It was suggested to do this via a view, but it seems to me that I need the current username that is logged in to do this.  Also I need to get info from another table inorder to make this work.  Can I have multiple selects in a single view using the output of one in another?
 
Example:
 
    table1:
        col1,col2,col3
 
    table1 Data:
        test,here,max
        test1,here1,me
        test2,here2,one
        test3,here3,max
        test4,here4,one
        test5,here5,two
 
    table2:
        username,key
 
    table2 Data:
        user1,max
        user2,one
        user3,two
        user4,me
 
So I have these two tables, I authenticate and gain access to the db.  How do I know who I am in a query?  I need to query table2 for the key of the username I am.  Then I need to query table1 for rows that col3 matches the key I got from the previous query.
 
Is this possable with a view?
 
    Thanks
 
            Glenn

Re: limiting access to (through) views

From
Stephan Szabo
Date:
On Wed, 16 Jan 2002, Glenn MacGregor wrote:

> Hi All,
>
> I need to limit access to certain rows of a table.  It was suggested
> to do this via a view, but it seems to me that I need the current
> username that is logged in to do this.  Also I need to get info from
> another table inorder to make this work.  Can I have multiple selects
> in a single view using the output of one in another?
>
> Example:
>
>     table1:
>         col1,col2,col3
>
>     table1 Data:
>         test,here,max
>         test1,here1,me
>         test2,here2,one
>         test3,here3,max
>         test4,here4,one
>         test5,here5,two
>
>     table2:
>         username,key
>
>     table2 Data:
>         user1,max
>         user2,one
>         user3,two
>         user4,me
>
> So I have these two tables, I authenticate and gain access to the db.
> How do I know who I am in a query?  I need to query table2 for the key
> of the username I am.  Then I need to query table1 for rows that col3
> matches the key I got from the previous query.
>
> Is this possable with a view?

CURRENT_USER should give the current user name.
Hmm for the above maybe...

select table1.* fromtable1, table2 where table1.col3=table2.key and table2.username=CURRENT_USER;



Re: limiting access to (through) views

From
"Glenn MacGregor"
Date:
Thanks,

Now is it possible to do the following:

select table1.* from
table1, table2 where
table1.col3=table2.key and
table2.username like 'CURRENT_USER%'

This is returning nothing when I know it should be returning something, so I
think that since the CURRENT_USER is in the ' it is not executing the
function.  Is there a way to make that execute using the like with the regex
matching (%)?
   Thanks

----- Original Message -----
From: "Stephan Szabo" <sszabo@megazone23.bigpanda.com>
To: "Glenn MacGregor" <gtm@oracom.com>
Cc: <pgsql-sql@postgresql.org>
Sent: Wednesday, January 16, 2002 10:17 AM
Subject: Re: [SQL] limiting access to (through) views


> On Wed, 16 Jan 2002, Glenn MacGregor wrote:
>
> > Hi All,
> >
> > I need to limit access to certain rows of a table.  It was suggested
> > to do this via a view, but it seems to me that I need the current
> > username that is logged in to do this.  Also I need to get info from
> > another table inorder to make this work.  Can I have multiple selects
> > in a single view using the output of one in another?
> >
> > Example:
> >
> >     table1:
> >         col1,col2,col3
> >
> >     table1 Data:
> >         test,here,max
> >         test1,here1,me
> >         test2,here2,one
> >         test3,here3,max
> >         test4,here4,one
> >         test5,here5,two
> >
> >     table2:
> >         username,key
> >
> >     table2 Data:
> >         user1,max
> >         user2,one
> >         user3,two
> >         user4,me
> >
> > So I have these two tables, I authenticate and gain access to the db.
> > How do I know who I am in a query?  I need to query table2 for the key
> > of the username I am.  Then I need to query table1 for rows that col3
> > matches the key I got from the previous query.
> >
> > Is this possable with a view?
>
> CURRENT_USER should give the current user name.
> Hmm for the above maybe...
>
> select table1.* from
>  table1, table2 where
>   table1.col3=table2.key and
>   table2.username=CURRENT_USER;
>
>



Re: limiting access to (through) views

From
Bruno Wolff III
Date:
On Wed, Jan 16, 2002 at 09:47:21AM -0500, Glenn MacGregor <gtm@oracom.com> wrote:
> Hi All,
> 
> I need to limit access to certain rows of a table.  It was suggested to do this via a view, but it seems to me that I
needthe current username that is logged in to do this.  Also I need to get info from another table inorder to make this
work. Can I have multiple selects in a single view using the output of one in another?
 

You would want to use session_user or current_user. For now these are both
the same, but eventually they may not be.


Re: limiting access to (through) views

From
Stephan Szabo
Date:
On Wed, 16 Jan 2002, Glenn MacGregor wrote:

> Thanks,
>
> Now is it possible to do the following:
>
> select table1.* from
> table1, table2 where
> table1.col3=table2.key and
> table2.username like 'CURRENT_USER%'
>
> This is returning nothing when I know it should be returning something, so I
> think that since the CURRENT_USER is in the ' it is not executing the
> function.  Is there a way to make that execute using the like with the regex
> matching (%)?

Do you really want a like search or are you trying to get around it not
matching something?
table2.username like CURRENT_USER || '%' would probably work.



Re: limiting access to (through) views

From
"Glenn MacGregor"
Date:
Stephan,

Thanks again.
The CURRENT_USER function returns just the username, my table actually has
username@server.
   Glenn

----- Original Message -----
From: "Stephan Szabo" <sszabo@megazone23.bigpanda.com>
To: "Glenn MacGregor" <gtm@oracom.com>
Cc: <pgsql-sql@postgresql.org>
Sent: Wednesday, January 16, 2002 10:44 AM
Subject: Re: [SQL] limiting access to (through) views


>
> On Wed, 16 Jan 2002, Glenn MacGregor wrote:
>
> > Thanks,
> >
> > Now is it possible to do the following:
> >
> > select table1.* from
> > table1, table2 where
> > table1.col3=table2.key and
> > table2.username like 'CURRENT_USER%'
> >
> > This is returning nothing when I know it should be returning something,
so I
> > think that since the CURRENT_USER is in the ' it is not executing the
> > function.  Is there a way to make that execute using the like with the
regex
> > matching (%)?
>
> Do you really want a like search or are you trying to get around it not
> matching something?
> table2.username like CURRENT_USER || '%' would probably work.
>
>