Re: PG 18 release notes draft committed

On Wed, Jun 04, 2025 at 06:10:38PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I think we have to keep the non-SECURITY-DEFINER designation to keep the
> > text accurate,

I don't see it that way, because there's currently no experiment the user can
perform to distinguish between the following alternatives:

1. We switch to the user that fired the trigger, then call the SECURITY
   DEFINER function.  As always, the first step of executing a SECURITY
   DEFINER function is to switch to its owner.

2. We know it's a SECURITY DEFINER function, so we don't switch.  We just call
   the SECURITY DEFINER function.  As always, the first step of executing a
   SECURITY DEFINER function is to switch to its owner.

The actual implementation is (1), for what it's worth.  The src/backend part
of the commit didn't special-case SECURITY DEFINER.

> but you are right it is part of the function, not the
> > trigger:
> 
> >     Execute deferred constraint triggers attached to
> >     non-SECURITY-DEFINER functions as the role that was active at
> >     the time the trigger was fired
> 
> >     Previously such triggers were run as the role that was active at
> >     commit/execution time.

> It's still inaccurate -- to my mind, a "deferred" trigger is one that
> runs later than the end of the triggering statement.  I think you
> should use "after trigger".  Also, "fired" is a fairly confusing
> choice of word here; I think most people would take that as meaning
> the act of running the trigger.  How about
> 
>     Execute AFTER triggers as the role that was active at the
>     moment the trigger event was queued
> 
>      Previously such triggers were run as the role that is active
>     when it is time to execute the trigger (e.g., at COMMIT).

I like that.