"$user" and SESSION_USER and CURRENT_USER

From antonov@stdpr.ru
Subject "$user" and SESSION_USER and CURRENT_USER
Msg-id 159151fb45d490c8d31ea9707e9ba99d@stdpr.ru
Responses Re: "$user" and SESSION_USER and CURRENT_USER  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-docs
hi,

sorry for my message. I'm a tiny bit confused about the next one. could you
help me?

here -- https://www.postgresql.org/docs/11/runtime-config-client.html

there is the text """If one of the list items is the special name $user, 
then the schema having the name returned by SESSION_USER is substituted, 
if there is such a schema and the user has USAGE permission for it. (If 
not, $user is ignored.)""".

but actually "$user" substitutes CURRENT_USER-value (not
SESSION_USER-value).

it's good because it would be a SECURITY VULNERABILITY if "$user" 
substituted SESSION_USER-value (in conjunction with security definer 
functions).

in the case of CURRENT_USER-value we have no vulnerability, which is good
:-)

but there is an error in the documentation text (runtime-config-client.html),
isn't there?

thank you in advance.
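
Added example, not part of the original message or of the PostgreSQL documentation: a scratch-database session for checking which user name the "$user" entry follows inside a SECURITY DEFINER function. The roles alice and bob, their schemas, and the functions whoami and whoami_pinned are hypothetical names; the pinned variant uses the function-level SET search_path that the PostgreSQL documentation recommends for SECURITY DEFINER functions.

```sql
-- Added example (constructed). Role, schema and function names are hypothetical.
-- Run as a superuser in a scratch database.
CREATE ROLE alice;
CREATE ROLE bob;
CREATE SCHEMA alice AUTHORIZATION alice;
CREATE SCHEMA bob   AUTHORIZATION bob;

-- SECURITY DEFINER: the body executes with the owner's (alice's) privileges.
CREATE FUNCTION public.whoami()
RETURNS TABLE (session_usr name, current_usr name, first_schema name)
LANGUAGE sql
SECURITY DEFINER
AS $$ SELECT session_user, current_user, current_schema() $$;
ALTER FUNCTION public.whoami() OWNER TO alice;

-- Same body, with the search path pinned on the function itself so that the
-- caller's setting and any "$user" entry play no part in name resolution.
CREATE FUNCTION public.whoami_pinned()
RETURNS TABLE (session_usr name, current_usr name, first_schema name)
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT session_user, current_user, current_schema() $$;
ALTER FUNCTION public.whoami_pinned() OWNER TO alice;

SET search_path = "$user", public;
SET SESSION AUTHORIZATION bob;        -- session_user and current_user are now bob

SELECT session_user, current_user, current_schema();  -- outside any function
SELECT * FROM public.whoami();        -- compare first_schema with the two user columns
SELECT * FROM public.whoami_pinned(); -- first_schema comes from the function's SET clause

RESET SESSION AUTHORIZATION;
-- Clean up the scratch objects.
DROP FUNCTION public.whoami(), public.whoami_pinned();
DROP SCHEMA alice, bob;
DROP ROLE alice, bob;
```

If "$user" follows CURRENT_USER as the message reports, first_schema from whoami() matches current_usr rather than session_usr.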

