>
> Tables INS (x int) and SEL (y int) are owned by dbadm, for another
> user SELECT granted on SEL, INSERT - on INS.
>
> Should another user be able to do
>
> insert into ins select y from sel where x = y;
My guess is that the other user doesn't have SELECT permissions on
INS.y, so this should fail, no?
>
> or not ?
> Currently, PG allows this. Backend tries to check
> (in execMain.c:ExecCheckPerms()) is READ access to
> table being changed granted to user or not, but this check
> seems to be quite stupid:
>
> qvars = pull_varnos(parseTree->qual);
> tvars = pull_varnos((Node *) parseTree->targetList);
> if (intMember(resultRelation, qvars) ||
> intMember(resultRelation, tvars))
>
> : pull_varnos is very simple and just skips expressions in
> qual & target list.
>
> We have to either get rid of this check or change it.
>
> What do you think ?
> How "big boys" handle this ?
>
> Vadim
>
>
--
Bruce Momjian | 830 Blythe Avenue
maillist@candle.pha.pa.us | Drexel Hill, Pennsylvania 19026
+ If your life is a hard drive, | (610) 353-9879(w)
+ Christ can be your backup. | (610) 853-3000(h)