Обсуждение: "$user" and SESSION_USER and CURRENT_USER
hi, sorry for my message. I'm tiny confused about the next one. could you help me?: here -- https://www.postgresql.org/docs/11/runtime-config-client.html there is the text """If one of the list items is the special name $user, then the schema having the name returned by SESSION_USER is substituted, if there is such a schema and the user has USAGE permission for it. (If not, $user is ignored.)""". but actualy "$user" substitutes CURRENT_USER-value (not SESSION_USER-value). it's good because it would be a SECURITY VULNERABILITY if "$user" substituted SESSION_USER-value (in conjunction with security definer functions). in case of CURRENT_USER-value we have no the vulnerable. which is good :-) but is there error in documentation text (runtime-config-client.html) , isn't? thank you in advance.
antonov@stdpr.ru writes: > here -- https://www.postgresql.org/docs/11/runtime-config-client.html > there is the text """If one of the list items is the special name $user, > then the schema having the name returned by SESSION_USER is substituted, > if there is such a schema and the user has USAGE permission for it. (If > not, $user is ignored.)""". > but actualy "$user" substitutes CURRENT_USER-value (not > SESSION_USER-value). Huh. Digging in the commit history, SESSION_USER was the original implementation (commit 838fe25a9 of 2002-04-01) but it was changed later that month (ccfaf9067 of 2002-04-29) when we added schema permissions checks. Evidently I forgot to update the docs to match :-( Will fix, thanks for noticing! regards, tom lane