Re: Question: CREATE EXTENSION and create schema permission?

From: Kohei KaiGai
Subject: Re: Question: CREATE EXTENSION and create schema permission?
Msg-id: CADyhKSV1NK3vh2GYornwAixWJncGpU-BUn1EY6+tURX5CpSbbw@mail.gmail.com
In response to: Re: Question: CREATE EXTENSION and create schema permission?  (Dimitri Fontaine <dimitri@2ndQuadrant.fr>)
Responses: Re: Question: CREATE EXTENSION and create schema permission?  (Dimitri Fontaine <dimitri@2ndQuadrant.fr>)
List: pgsql-hackers
2011/8/21 Dimitri Fontaine <dimitri@2ndquadrant.fr>:
> Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
>> However, it allows users to create a new schema with his ownership,
>> even if the current user does not have permission to create a new schema.
> [...]
>> It seems to me that we should inject permission checks here, as
>> CreateSchemaCommand() does.
>
> It seems to me the code has been written this way before we relaxed the
> superuser only check in CREATE EXTENSION.  I'm not enough into security
> to convince myself there's harm to protect against here, but I would
> agree there's a sound logic into refusing to create the schema if the
> current role isn't granted that operation.
>
> Please note, though, that you're effectively forbidding the role to
> create the extension.  As it's not relocatable, the role will not be
> able to install it into another schema.  Which could be exactly what you
> wanted to achieve.
>
The current implementation sets the current user as the owner of the new schema.
The default permission check of a schema allows the owner to create several kinds
of underlying objects.

As a result, we may consider a scenario in which a user without permission to
create new objects possibly gets a schema created by CREATE EXTENSION
that allows him to create new objects (such as tables, functions, ...).

I don't think it is a desirable behavior. :-(

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
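
An audit query for the condition this message describes, added here as an example and not part of the original post or of PostgreSQL itself: it lists schemas whose owner holds no CREATE privilege on the current database, together with any extension installed in them. It assumes a server with the `pg_extension` catalog (9.1 or later) and is run once per database; the column aliases are illustrative.

```sql
-- Added example, not from the thread.
-- A schema owned by a non-superuser role that lacks CREATE on the database
-- could not have been made by that role through CREATE SCHEMA, so each row
-- is a schema worth reviewing. The owner can still create objects inside it.
SELECT n.nspname                                    AS schema_name,
       r.rolname                                    AS schema_owner,
       has_schema_privilege(r.oid, n.oid, 'CREATE') AS owner_can_create_objects,
       e.extname                                    AS extension_in_schema
FROM pg_namespace n
JOIN pg_roles r
  ON r.oid = n.nspowner
LEFT JOIN pg_extension e
  ON e.extnamespace = n.oid          -- schema that holds the extension's objects
WHERE NOT r.rolsuper                 -- superusers bypass privilege checks
  AND NOT has_database_privilege(r.oid, current_database(), 'CREATE')
  AND n.nspname !~ '^pg_'            -- skip system and temporary schemas
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname, e.extname;
```

A row is not proof of the scenario above: the same state arises from `ALTER SCHEMA ... OWNER TO` or from revoking CREATE on the database after the schema was made.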

