The attached patch adds a permission check for the scenario that I explained below.

Unlike CreateSchemaCommand(), we don't have check_is_member_of_role() here because the extowner is obviously the same as the current user in this code path.

I hope this patch will also be back-ported to the v9.1 tree, not only v9.2 development.

Thanks,

2011/8/21 Dimitri Fontaine <dimi...@2ndquadrant.fr>:
> Kohei KaiGai <kai...@kaigai.gr.jp> writes:
>> The current implementation sets the current user as owner of the new schema.
>> The default permission check of schema allows the owner to create several kinds
>> of underlying objects.
>>
>> As a result, we may consider a scenario in which a user without permissions to
>> create new objects possibly gets a schema created by CREATE EXTENSION
>> that allows him to create new objects (such as table, function, ...).
>>
>> I don't think it is a desirable behavior. :-(
>
> Agreed,
> --
> Dimitri Fontaine
> http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
>

--
KaiGai Kohei <kai...@kaigai.gr.jp>

pgsql-create-extension-permission-checks.patch
Description: Binary data