On 2021-Jul-26, Tom Lane wrote: > What if we allow event triggers owned by non-superusers, but only fire > them on commands performed by the trigger's owner? This sidesteps all > the issues of who has which privileges and whether Alice is malicious > towards Bob or vice versa, because there is no change of privilege > domain. Admittedly, it fails to cover some use-cases, but I think it > would still handle a lot of interesting cases. The impression I have > is that a lot of applications do everything under just one or a few > roles.
This is similar but not quite an idea I had: have event triggers owned by non-superusers run for all non-superusers, but not for superusers. It is still the case that all non-superusers have to trust everyone with the event-trigger-create permission, but that's probably the database owner so most of the time you have to trust them already. -- Álvaro Herrera Valdivia, Chile — https://www.EnterpriseDB.com/ "Saca el libro que tu religión considere como el indicado para encontrar la oración que traiga paz a tu alma. Luego rebootea el computador y ve si funciona" (Carlos Duclós)