Gaetano Mendola wrote:
> Hi all,
> I'm having some problem with permissions on views, I spoke with Josh on IRC
> about it and I'm reposting it:
>
>
> I found a not simmetrical behavior about permission on views and functions.
> Let me explain:
>
> If I use the view/table T inside the view V, is enough give the select
> permission on view V remove the select permission on the view/table used
> and all is working as expected.
>
> If I use the view/table T inside the funcion F is enough declare F with
> the "Secuity definer" attribute and of course give the execution
> permission,
> the select permission on the view/table used and all is working as expected
>
> In these two cases above all is working fine, the following case have some
> problems:
>
> If the view V use a function F.
>
> In this last case is not enough have the select permisson on V but I have
> to give also the Execution permission on F!!!
>
> This fact are driving us to put
> 1) Select permission on V
> 2) Exceute permission + Security Definer attr on F.
>
> this last point give to the user the possibility to execute F with any
> aribitrary value, instead of only the values present on the view ( already
> filtered ).
Maybe this could be solved by a Security Definer flag for tables/views?
Regards,
Andreas