Re: leaky views, yet again

From Robert Haas
Subject Re: leaky views, yet again
Date
Msg-id AANLkTi=Aumy8CvJaoZ8vJsgVz8NsgWq7xCgzXDmvYrtf@mail.gmail.com
In response to Re: leaky views, yet again  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: leaky views, yet again  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Tue, Oct 5, 2010 at 10:56 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Personally I think this is a dead end that we shouldn't be wasting
> any more time on.

But you haven't proposed a reasonable alternative.

As far as I can see, there are only two ways to go here.

Option #1: Remove all mention from the documentation of using views
for security purposes.  Don't allow views to have explicit permissions
attached to them; they are merely shorthand for a SELECT, for which
you either do or do not have privileges.

Option #2: Define a standard for what constitutes acceptable
information leakage and what does not.  Then write the code to try to
meet that standard.

The status quo, whereby we advise people to secure their data by
doing something that doesn't actually work, is, to use the
non-technical term, dumb.  We need to decide what we're going to do
about it, not whether we're going to do anything about it.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company

