Re: [QUESTIONS] Trouble creating view\

From Bruce Momjian
Subject Re: [QUESTIONS] Trouble creating view\
Date
Msg-id 199802170508.AAA18678@candle.pha.pa.us
In reply to Re: [QUESTIONS] Trouble creating view\  (The Hermit Hacker <scrappy@hub.org>)
List pgsql-hackers
> > With pg_rewrite, the problem is harder because we don't have a 'is able
> > to create views' permission that we can give permission to certain
> > people.
>
>     Every database/table/view has an owner associated with them, no?
> Can a check not be put in that checks the owner of the database/table/view
> against who is trying to delete it, with pg_superuser having "override"
> privileges? Obviously, the security level of the database itself comes
> into play, but we have most (if not all?) of those in place and settable
> by the administrator...

I think the simple answer is no.  We don't look at the DATA in the table
to determine if the person can delete a particular row, and that is what
we would require.  The way the 'drop database' does it is to check the
owner of the database, then issue the deletes only if they match or if
it is the superuser.  However, there is no restriction on the user
accessing pg_database directly.  We would need some kind of access
checking filter inside the executor that would look at each row about to
be modified, and determine if it is legal.

--
Bruce Momjian
maillist@candle.pha.pa.us
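
Added example, not part of the original message and not PostgreSQL code: a toy Python model of the three cases the message describes, namely the owner check done by 'drop database', a direct delete on the catalog that nobody checks, and a per-row filter in the executor. The Row type, the function names, the sample rows, the superuser name and the choice to skip denied rows rather than abort the statement are all assumptions made for illustration.

```python
from dataclasses import dataclass

SUPERUSER = "postgres"  # assumed superuser name

@dataclass
class Row:
    datname: str
    owner: str

def make_catalog():
    # Constructed sample rows standing in for pg_database.
    return [Row("sales", "alice"), Row("hr", "bob"), Row("test", "alice")]

def is_allowed(user, row):
    return user == row.owner or user == SUPERUSER

def drop_database(catalog, user, name):
    """Command-level check: compare the owner first, then issue the delete."""
    for row in catalog:
        if row.datname == name:
            if not is_allowed(user, row):
                raise PermissionError(f"{user} does not own {name}")
            catalog.remove(row)
            return True
    return False

def raw_delete(catalog, user, predicate):
    """Direct DELETE on the catalog: the owner column is never consulted."""
    doomed = [r for r in catalog if predicate(r)]
    for r in doomed:
        catalog.remove(r)
    return [r.datname for r in doomed]

def filtered_delete(catalog, user, predicate):
    """Same DELETE, with an executor-side filter on each row about to be modified."""
    allowed, denied = [], []
    for r in [r for r in catalog if predicate(r)]:
        if is_allowed(user, r):
            allowed.append(r)
        else:
            denied.append(r.datname)  # assumed policy: skip the row, keep going
    for r in allowed:
        catalog.remove(r)
    return [r.datname for r in allowed], denied

if __name__ == "__main__":
    print(raw_delete(make_catalog(), "bob", lambda r: True))
    print(filtered_delete(make_catalog(), "bob", lambda r: True))
```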
