"Roberts, Jon" <[EMAIL PROTECTED]> writes:
> <soapbox>
> Executing a function should never require privileges on the underlying
> objects referenced in it. The function should always run with the rights of
> the owner of the function, not the user executing it.
> </soapbox>
You might want to climb off that soapbox for long enough to read the various security-related threads that have been in this mailing list over the past year or so. Security-definer functions are seriously at risk from trojan-horse exploits; particularly in an extensible system such as Postgres.

Certainly there are cases where you want a function to change privilege levels as sketched above. But I'd argue that there are a huge number of cases where a function is just providing convenient shorthand for something the caller could do for himself --- and when that's the case, making it have more/different privileges from the caller is simply taking a risk for no reward.

regards, tom lane
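The risk Tom describes, shown as an added example that is not part of this thread: a SECURITY DEFINER function whose unqualified names resolve through the caller's search_path, beside the hardened form and an audit query. It assumes PostgreSQL syntax that supports a SET clause on CREATE FUNCTION (8.3 and later); the schema `app`, table `accounts` and role `teller_role` are made up for illustration.

```sql
-- Default choice, per the reply above: a convenience wrapper that only does
-- what the caller could do anyway should stay SECURITY INVOKER (the default),
-- so it gains no rights the caller does not already hold.
CREATE FUNCTION app.lookup_balance(acct integer) RETURNS numeric
LANGUAGE sql AS $$
  SELECT balance FROM app.accounts WHERE id = acct;
$$;

-- Risky: SECURITY DEFINER with no pinned search_path and EXECUTE granted to
-- PUBLIC (the CREATE FUNCTION default). Every unqualified name in the body is
-- resolved through the *caller's* search_path at call time, while the body
-- runs with the *owner's* privileges.
CREATE FUNCTION app.lookup_balance_risky(acct integer) RETURNS numeric
LANGUAGE sql SECURITY DEFINER AS $$
  SELECT balance FROM accounts WHERE id = acct;
$$;

-- Hardened form of the same function, for the cases where the privilege
-- change really is wanted:
CREATE FUNCTION app.lookup_balance_safe(acct integer) RETURNS numeric
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- pin name resolution; pg_temp last
AS $$
  SELECT balance FROM app.accounts WHERE id = acct;  -- schema-qualify anyway
$$;

REVOKE EXECUTE ON FUNCTION app.lookup_balance_safe(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.lookup_balance_safe(integer) TO teller_role;

-- Audit: list SECURITY DEFINER functions outside the system schemas that do
-- not pin search_path (proconfig holds the function's SET clauses as
-- 'name=value' strings; NULL when there are none).
SELECT n.nspname, p.proname
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        SELECT 1 FROM unnest(p.proconfig) AS c
        WHERE c LIKE 'search_path=%');
```

Run the audit query as a superuser after deployment; any row it returns is a SECURITY DEFINER function that still resolves names through the caller's environment.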