Обсуждение: "$user" and SESSION_USER and CURRENT_USER

hi,

sorry for my message. I'm tiny confused about the next one. could you 
help me?:

here -- https://www.postgresql.org/docs/11/runtime-config-client.html

there is the text """If one of the list items is the special name $user, 
then the schema having the name returned by SESSION_USER is substituted, 
if there is such a schema and the user has USAGE permission for it. (If 
not, $user is ignored.)""".

but actualy "$user" substitutes CURRENT_USER-value (not 
SESSION_USER-value).

it's good because it would be a SECURITY VULNERABILITY if "$user" 
substituted SESSION_USER-value (in conjunction with security definer 
functions).

in case of CURRENT_USER-value we have no the vulnerable. which is good 
:-)

but is there error in documentation text (runtime-config-client.html) , 
isn't?

thank you in advance.

antonov@stdpr.ru writes:
> here -- https://www.postgresql.org/docs/11/runtime-config-client.html

> there is the text """If one of the list items is the special name $user, 
> then the schema having the name returned by SESSION_USER is substituted, 
> if there is such a schema and the user has USAGE permission for it. (If 
> not, $user is ignored.)""".

> but actualy "$user" substitutes CURRENT_USER-value (not 
> SESSION_USER-value).

Huh.  Digging in the commit history, SESSION_USER was the original
implementation (commit 838fe25a9 of 2002-04-01) but it was changed later
that month (ccfaf9067 of 2002-04-29) when we added schema permissions
checks.  Evidently I forgot to update the docs to match :-(

Will fix, thanks for noticing!

            regards, tom lane