* Robert Haas (robertmh...@gmail.com) wrote:
> Another idea I had was... would it be safe to trust functions defined
> by the same user who owns the view? If he's granted access to the
> view and the function to some other user, presumably he doesn't mind
> them being used together? Or is that too optimistic?

This was more-or-less what I'd been kind of kicking around in my head. Forget about functions that are defined in the view itself. Any other functions, etc, which are attached to the view by the calling user would be suspect, etc. Perhaps with the exception of some built-ins that we've marked as "safe" in some way.

My first thought was to track the "run this as X" information on every RTE (more-or-less, relations, function calls, etc) and then at least be able to, hopefully, *detect* situations that might be a problem, e.g.: running a function which has "run as Q" against a relation that was accessed as "run as R" when a filter "run as R" happens later. This is all far too hand-wavey, I'm sure, but at least if we could detect it then we might be able to find a way to deal with it.

Also, perhaps I'm not being paranoid enough, but all this concern over error cases really doesn't worry me that much. The amount of data one could acquire that way is pretty limited. It'd be great if we could deal with that case too, but maybe we could worry about the bigger issue (at least, as I see it) first.

Just my 2c.

Thanks,

Stephen