According to release notes of 8.3.18 (yeah, old docs)
a trigger runs with the the table owner permission.
This is the only document I found about this matter:
http://www.postgresql.org/docs/8.3/static/release-8-3-18.html
Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger
function with forged input data, by installing it on a table he
owns. This is only of significance for trigger functions marked
SECURITY DEFINER, since otherwise trigger functions run as the table
owner anyway. (CVE-2012-0866)
But, while I'd need this to be true, I can't confirm this is the case.
Did I misinterpret the note above ?
--strk;
http://strk.keybit.net