On Thu, May 24, 2012 at 01:03:18PM +0200, Magnus Hagander wrote:
> On Fri, May 18, 2012 at 5:08 PM, Chander Ganesan <chan...@otg-nc.com> wrote:
> > Hi All,
> >
> > I just realized that anyone can listen for notifications (using listen) so
> > long as they know the "channel" name. This means that a user could receive
> > and view the payload for another user.
> >
> > Perhaps it would be good to note this in the documentation (i.e., there
> > should be no expectation of privacy/security when using listen/notify, so
> > any user that can connect to a database could issue and receive
> > notifications for any channel.)
>
> Might be worth a note, yes. The lack of a note really should tell you
> that it's a broadcast, but it wouldn't hurt to have an extra one.
>
> Want to prepare a patch?

Attached documentation patch applied.

--
  Bruce Momjian <br...@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +

diff --git a/doc/src/sgml/ref/notify.sgml b/doc/src/sgml/ref/notify.sgml new file mode 100644 index 4480706..a9405fd *** a/doc/src/sgml/ref/notify.sgml --- b/doc/src/sgml/ref/notify.sgml *************** NOTIFY <replaceable class="PARAMETER">ch *** 33,39 **** with an optional <quote>payload</> string to each client application that has previously executed <command>LISTEN <replaceable class="parameter">channel</></command> ! for the specified channel name in the current database. </para> <para> --- 33,40 ---- with an optional <quote>payload</> string to each client application that has previously executed <command>LISTEN <replaceable class="parameter">channel</></command> ! for the specified channel name in the current database. ! Notifications are visible to all users. </para> <para>
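
Review bot: the added sentence "Notifications are visible to all users." (the second changed line on the new side of the hunk) is too terse for the concern raised in the thread. It leaves the reader to infer that the payload string is delivered along with the notification, that listening on a channel needs nothing beyond knowing its name, and that "all users" means any user connected to the current database, which is the scope the preceding sentence sets. Suggest spelling this out, for example: "Any user who can connect to the database can listen on any channel and will receive the payload, so payloads should not contain sensitive data."
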
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers