On Wed, Jun 26, 2024 at 2:42 PM David G. Johnston
<david.g.johnston@gmail.com> wrote:
> On Wednesday, June 26, 2024, Dominique Devienne <ddevienne@gmail.com> wrote:
>> Only session_user
>> is representative of the caller, and reliable (modulo SUPERUSER and
>> SET AUTHORIZATION, but that's a different story and kinda normal)
>
> Why can you not use session_user then?
Hi. As I already wrote above, the current_role matters in our security model.
The LOGIN user (i.e. session_user) is used only for authentication to
the DB and to connect.
All other security concerns are on other app-maintained (NOLOGIN)
roles, used for authorization. --DD