The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/9.6/sql-createfunction.html
Description:
In the documentation
https://www.postgresql.org/account/comments/new/9.6/sql-createfunction.html/
(and in the same document for earlier versions) the following text is
present:
[EXTERNAL] SECURITY INVOKER
[EXTERNAL] SECURITY DEFINER
SECURITY INVOKER indicates that the function is to be executed with the
privileges of the user that calls it. That is the default. SECURITY DEFINER
specifies that the function is to be executed with the privileges of the
user that created it.
My comment is about the sentence: "SECURITY DEFINER specifies that the
function is to be executed with the privileges of the user that created
it.". In my opinion this is not quite correct as this implies that when a
function is created the privileges of that user are stored somewhere. This
is not the case. Would it make more sense to change the sentence to:
"SECURITY DEFINER specifies that the function is to be executed with the
privileges of the owner how ownes it."?