See the SECURITY DEFINER option for CREATE FUNCTION. This way you
don't have to give them create table privileges, but they can still
create a table through your function. You'll need to use EXECUTE to
create a table in pl/pgsql.
On May 27, 2007, at 4:50 PM, CAJ CAJ wrote:
> Had a question on best approach with some security issues around on
> the fly table creation by a user.
>
> I want users to create dynamic tables from the application. This
> means that the user logged in should have create table privileges
> at the database level. Assuming this is a security risk for
> allowing all users to have table creation privileges. Is it
> possible to create some sort of trigger to allow the user to create
> table when ready and once it's done revoke it automatically?
>
> What is the best approach conceptual wise and security wise when
> dealing with these situations? The less the user can do on the
> database the better it is?
John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL
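
The SECURITY DEFINER approach suggested in the reply above, as an added example that is not part of the original thread. It assumes PostgreSQL 10 or later; the schema `user_tables`, the role `app_user` and the function name are hypothetical, and the fixed column list stands in for whatever the application needs.

```sql
-- Added example. Run as the (non-superuser) role that should own the tables.
-- Assumes a hypothetical role app_user already exists.
CREATE SCHEMA IF NOT EXISTS user_tables;

CREATE OR REPLACE FUNCTION user_tables.create_user_table(p_name text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so a caller cannot shadow names resolved inside the function.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Accept only a conservative identifier; reject everything else outright.
    IF p_name IS NULL OR p_name !~ '^[a-z][a-z0-9_]{0,30}$' THEN
        RAISE EXCEPTION 'invalid table name'
            USING ERRCODE = 'invalid_parameter_value';
    END IF;

    -- The caller chooses the name only: schema and columns are fixed here,
    -- and %I quotes the name as an identifier before EXECUTE runs it.
    EXECUTE format(
        'CREATE TABLE user_tables.%I (
             id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
             payload    text,
             created_at timestamptz NOT NULL DEFAULT now()
         )', p_name);

    -- Inside SECURITY DEFINER, current_user is the function owner, so
    -- session_user is used to identify the login role that made the call.
    -- Assumption: the application connects as that role without SET ROLE.
    EXECUTE format(
        'GRANT SELECT, INSERT, UPDATE, DELETE ON user_tables.%I TO %I',
        p_name, session_user);
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to the one role.
REVOKE ALL ON FUNCTION user_tables.create_user_table(text) FROM PUBLIC;
GRANT USAGE ON SCHEMA user_tables TO app_user;
GRANT EXECUTE ON FUNCTION user_tables.create_user_table(text) TO app_user;

-- As app_user, who holds no CREATE privilege on any schema:
--   SELECT user_tables.create_user_table('orders_2007');
```

The created table is owned by the function's owner, so the calling role can read and write rows but cannot drop or alter the table.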