On Wed, Jun 24, 2009 at 9:52 AM, Tom Lane<t...@sss.pgh.pa.us> wrote: > "Albe Laurenz" <laurenz.a...@wien.gv.at> writes: >> Robert Haas wrote: >>> I don't think this is true. You can use SET SESSION AUTHORIZATION, >>> right? > >> You are right, I overlooked that. >> It is restricted to superusers though. > > That sort of thing is only workable if you have trustworthy client code > that controls what queries the users can issue. If someone can send raw > SQL commands then he just needs to do RESET SESSION AUTHORIZATION to > become superuser.
Good point, although since the OP said it was a webapp, they probably have control over that. ...Robert -- Sent via pgsql-performance mailing list (pgsql-performance@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-performance