Hannu Krosing <hannu@tm.ee> writes:
> It seems to be a broken view not security risk in 7.2.1
The implementation of temp tables has changed completely in CVS tip,
so experiments with 7.2 aren't very relevant. In CVS tip I believe
you *could* read the contents of someone else's temp table, assuming
you had permissions to read the view. However, you'd not be guaranteed
to get up-to-date information, since the guy who actually owns the temp
table would be using his local-buffer manager for access to it; there
might be many pages that you'd see stale information from because the
only up-to-date copy is in local memory of the owning backend.
I see some potential for confusion here, but not really any
crash-the-database scenarios. I also do not see a security risk:
you did grant the other guy read permission on your view, after all.
regards, tom lane