Hi all, I'm having some problem with permissions on views, I spoke with Josh on IRC about it and I'm reposting it:
I found a not simmetrical behavior about permission on views and functions. Let me explain:
If I use the view/table T inside the view V, is enough give the select permission on view V remove the select permission on the view/table used and all is working as expected.
If I use the view/table T inside the funcion F is enough declare F with
the "Secuity definer" attribute and of course give the execution permission,
the select permission on the view/table used and all is working as expected
In these two cases above all is working fine, the following case have some problems:
If the view V use a function F.
In this last case is not enough have the select permisson on V but I have to give also the Execution permission on F!!!
This fact are driving us to put 1) Select permission on V 2) Exceute permission + Security Definer attr on F.
this last point give to the user the possibility to execute F with any aribitrary value, instead of only the values present on the view ( already filtered ).
Maybe this could be solved by a Security Definer flag for tables/views?
Regards, Andreas
---------------------------(end of broadcast)--------------------------- TIP 5: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faqs/FAQ.html
