Marc Munro <marc@bloodnok.com> writes:
> For this, we need to be able to have functions which run with the
> permissions of the rule owner rather than the caller (please see my
> response, in plsql-general, to depesz@depesz.pl, Re: IDEA: "suid"
> function).
I believe "suid" functions are a more practical solution than expecting
the rule mechanism to handle this for you. I don't want to put access
checking/id switching overhead into the basic expression evaluation
engine; but it's hard to see how we could make functions-invoked-in-rules
be treated specially without that. The problem is that expressions
coming out of the rewriter might be arbitrary combinations of clauses
that appeared in the rule and clauses that appeared in the user's
original query.
"Suid" functions have been on the TODO list for awhile. Peter E. has
been making noises recently suggesting that he's actually planning to
make them happen for 7.3.
regards, tom lane