On Thu, 26 Sep 2002, Jim Mercer wrote:
> On Fri, Sep 27, 2002 at 11:15:35AM +1000, Gavin Sherry wrote:
> > On Thu, 26 Sep 2002, Jim Mercer wrote:
> > > > I would think so, and IMHO, that's where pgsql access control
> > > > belongs, with pgsql.
> >
> > I totally disagree. It is a language level restriction, not a database
> > level one, so why back it into Postgres? Just parse 'conninfo' when it is
> > pg_(p)connect() and check it against the configuration setting.
>
> which is effectively what my code does, except i was lazy, and i let the
> connection proceed, then check if PQdb() is in the auth list, and fail
Ahh yes. I meant to say this. No point being lazy when it comes to
security.
> maybe not _totally_ secure, but much moreso than nothing.
>
I was basically just suggesting that its effect needs to be
documented. "This needs to be used in conjunction with other forms of
security...."
Gavin