Re: Per-database and per-user GUC settings

Tom Lane writes:

> One issue you didn't mention is what security level these options are
> assumed to have by GUC.  That plays into what permissions are needed to
> issue the SET/ALTER commands.

Right.  My design was, the SET/ALTER commands are allowed to be executed
by the user for his own pg_shadow record, the database owner for his
pg_database record, and superusers for everything.  (Hmm, good we're not
doing the group thing.  Would have gotten tricky here.)

Normal users can only add USERSET settings.  Other settings provoke a
NOTICE at runtime (if they happen to sneak in somehow) and will otherwise
be ignored.

Superusers can also add SUSET records to their per-user settings.  I'm
currently unsure about whether to allow superusers to add SUSET settings
to the per-database settings, because it would mean that the database
session would behave differently depending on what user invokes it.  And
since it's not widely known what settings have what permission, I'm afraid
it could be confusing.  On the other hand, superusers should know what
they're doing.

-- 
Peter Eisentraut   peter_e@gmx.net