Re: Row-Trigger implicitly allows users ACL_SELECT

From Tom Lane
Subject Re: Row-Trigger implicitly allows users ACL_SELECT
Date
Msg-id 6688.1236861936@sss.pgh.pa.us
In response to Row-Trigger implicitly allows users ACL_SELECT  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Responses Re: Row-Trigger implicitly allows users ACL_SELECT
List pgsql-hackers
KaiGai Kohei <kaigai@ak.jp.nec.com> writes:
> * Row-Update/Delete trigger mechanism allows user defined triggers
>   to refer to the older tuple updated/deleted.
> * The ACL_TRIGGER privilege allows normal users to set up triggers
>   on the relation allowed.

> It means someone with ACL_TRIGGER can set up a trigger which writes
> out the given older tuple into somewhere.
> Logically, it also means users with ACL_TRIGGER and either of
> ACL_UPDATE or ACL_DELETE are allowed to read the table without
> ACL_SELECT permission.

Granting TRIGGER privilege already implies an exceedingly high trust
level, since a trigger can do arbitrary damage to your data.  I don't
find this concern interesting, and your solution wouldn't work anyway
(AFAICS it would check the permissions of the user doing the UPDATE,
not those of the user who created the trigger).
        regards, tom lane
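
A defender-side audit of the privilege combination discussed in this thread, added here as an example (not part of the original messages or the PostgreSQL project's own code). The first query lists non-superuser roles that hold TRIGGER plus UPDATE or DELETE on a table but no table-level SELECT; the second lists existing user-defined row-level UPDATE/DELETE triggers together with the owner of the trigger function. It assumes a PostgreSQL version that has pg_trigger.tgisinternal and skips the system schemas.

```sql
-- Added example: review grants where TRIGGER is held without SELECT.
-- Query 1: roles with TRIGGER and (UPDATE or DELETE) but no table-level SELECT.
-- Note: has_table_privilege(..., 'SELECT') checks table-level SELECT only;
-- column-level grants are not considered here.
SELECT r.rolname        AS role_name,
       c.oid::regclass  AS table_name,
       has_table_privilege(r.oid, c.oid, 'UPDATE') AS can_update,
       has_table_privilege(r.oid, c.oid, 'DELETE') AS can_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN pg_roles r
WHERE c.relkind IN ('r', 'p')                      -- ordinary and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper                               -- superusers bypass ACL checks
  AND has_table_privilege(r.oid, c.oid, 'TRIGGER')
  AND (has_table_privilege(r.oid, c.oid, 'UPDATE')
       OR has_table_privilege(r.oid, c.oid, 'DELETE'))
  AND NOT has_table_privilege(r.oid, c.oid, 'SELECT')
ORDER BY 1, 2;

-- Query 2: user-defined row-level triggers that fire on UPDATE or DELETE,
-- with the function's owner and whether it runs as SECURITY DEFINER.
-- tgtype bits: 1 = FOR EACH ROW, 8 = DELETE, 16 = UPDATE.
SELECT t.tgrelid::regclass          AS table_name,
       t.tgname                     AS trigger_name,
       p.oid::regprocedure          AS trigger_function,
       pg_get_userbyid(p.proowner)  AS function_owner,
       p.prosecdef                  AS security_definer
FROM pg_trigger t
JOIN pg_proc p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal                           -- skip constraint/FK triggers
  AND (t.tgtype & 1) <> 0
  AND (t.tgtype & (8 | 16)) <> 0
ORDER BY 1, 2;
```

Rows from the first query are grants to review against the trust level that TRIGGER implies; rows from the second show which functions receive the old tuple on those tables.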

