Re: lowering privs in SECURITY DEFINER function

From: Alvaro Herrera
Subject: Re: lowering privs in SECURITY DEFINER function
Msg-id: 1302304657-sup-7248@alvh.no-ip.org
In response to: Re: lowering privs in SECURITY DEFINER function  ("A.M." <agentm@themactionfaction.com>)
Responses: Re: lowering privs in SECURITY DEFINER function  ("A.M." <agentm@themactionfaction.com>)
List: pgsql-hackers

Excerpts from A.M.'s message of Wed Apr 06 19:08:35 -0300 2011:

> That's really strange considering that the new role may not normally
> have permission to switch to the original role. How would you handle
> the case where the security definer role is not the super user?

As I said to Jeff, it's up to the creator of the wrapper function to
ensure that things are safe.  Perhaps this new operation should only be
superuser-callable, for example.

> How would you prevent general SQL attacks when manually popping the
> authentication stack is allowed?

The popping and pushing operations would be restricted.  You can only
pop a single frame, and pushing it back before returning is mandatory.

-- 
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
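
A toy model of the restriction described in the reply above, added here as an illustration; it is not PostgreSQL code and not from the thread. The `Session` class, its method names and the roles `alice` and `owner` are hypothetical, and raising an error when a function returns without pushing is an assumption about how "mandatory" would be enforced.

```python
from contextlib import contextmanager

class AuthStackError(Exception): pass  # a restricted pop/push rule was violated

class Session:
    def __init__(self, session_user):
        self.frames = [session_user]  # bottom frame: the session user
        self.popped = None            # frame the running function has popped

    @property
    def current_user(self):
        return self.frames[-1]

    @contextmanager
    def security_definer(self, owner):
        """Model a call to a SECURITY DEFINER function owned by `owner`."""
        self.frames.append(owner)
        depth = len(self.frames)
        outer_popped, self.popped = self.popped, None
        try:
            yield self
            if self.popped is not None:
                raise AuthStackError("returned without pushing the frame back")
        finally:
            del self.frames[depth - 1:]   # unwind to the caller, even on error
            self.popped = outer_popped

    def pop_frame(self):
        if self.popped is not None:
            raise AuthStackError("only a single frame may be popped")
        if len(self.frames) < 2:
            raise AuthStackError("no SECURITY DEFINER frame to pop")
        self.popped = self.frames.pop()

    def push_frame(self):
        if self.popped is None:
            raise AuthStackError("nothing to push back")
        self.frames.append(self.popped)
        self.popped = None

def demo():
    s, seen = Session("alice"), []        # constructed role names
    with s.security_definer("owner"):
        seen.append(s.current_user)       # running as the definer
        s.pop_frame()
        seen.append(s.current_user)       # lowered to the caller's role
        s.push_frame()
        seen.append(s.current_user)       # definer's role restored
    return seen + [s.current_user]        # back to the session user
```
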

